WSO2 Identity Server 7 minutes

AWS Client VPN using WSO2 Identity Server as federated IDP

Simon Sabelis
Simon Sabelis
Integration Consultant
Blog AWS Client VPN using WSO2 IS as federated IDP
Scroll

Blog-AWS-Client-VPN-using-WSO2-IS-as-federated-IDPThe Connext Managed Integration Platform delivers a managed WSO2 platform to our customers. The platform runs on AWS technology and comes with a private network unreachable from the public internet for access to the management interfaces of the WSO2 products.  As a standard procedure we setup a Site to Site IPSec VPN connection from the customer office or datacenter network to the private Connext network. This ensures a secure channel between the network of the customer and the Connext platform, allowing the customer to securely communicate with the WSO2 products.

The downside of this approach is that knowledge and hardware is needed to setup this connection. What if there are resource constraints (be it knowledge or financial) that do not allow to maintain such a connection? Then AWS Client VPN comes into play. In this blog, I will show you how to set up the WSO2 Identity Server as an Identity Provider to use for authentication with AWS Client VPN

AWS Client VPN

AWS also offers a Client VPN Endpoint that can be setup within an AWS Account. This allows end users to download a VPN Client and create an on-demand connection to AWS. Until recently, the authorization methods were limited to either using a shared certificate or Active Directory. However, now AWS has added the feature to use a federated SAML2 Identity Provider for authentication, it became attractive to start using it.

By default, WSO2 Identity Server (KM) is deployed for API and full Connext stacks. The product allows to configure a SAML2 Service Provider in an easy way, thus enabling the use of a connected userstore for AWS Client VPN. Although AWS doesn’t support WSO2 Identity Server (IS) out of the box, I have succeeded in setting up the integration and will show you how to set this up yourself in this blog. I will first dive into setting up the federated IDP, then the Client VPN. Finally, I will show you how to connect to the VPN Endpoint and(, as a next step,) how to authorize based on user role.

Setting up

Create a Service Provider in WSO2 IS (KM)

In the carbon console of your WSO2 IS (KM) go to “Service providers” and add a new one. Give it a name (e.g. aws-clientvpn) and click register.

Configure SAML2 SSO for Inbound Authentication and configure as shown in figure 1.

Issuer urn:amazon:webservices:clientvpn
ACS For client VPN add: http://127.0.0.1:35001
For self-service portal add:
https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml
Enable Attribute profile + include attributes in response always
Disable Signature Validation in Authentication Requests and Logout Requests

Figure 1- Configuration SAML Service provider

Figure 1: Configuration SAML Service provider

When the SAML configuration is set, also make sure the right claims are being sent along with the SAML response, by setting the claim configuration.

Figure 2- Configure claim configuration

Figure 2: Configure claim configuration

Persist all the changes in the console first and then go back to the SAML settings and click on the “Download IDP Metadata” button. Remember the location of the downloaded file.

Create Identity Provider in AWS

Go to the IAM console inside AWS, select “Identity Providers”. Select SAML, name the IDP and select the metadata file that was downloaded in the previous step.

Figure 3- Configure IDP in AWS

Figure 3: Configure IDP in AWS

This will result in the IDP being setup for AWS. If you go to the created IDP, you’ll see a screen similar to the one below.

Figure 4- IDP available in AWS

Figure 4: IDP available in AWS

VPN Endpoint Prerequisites

ACM Certificate 

Go to the ACM console in AWS, request a certificate and use the verification steps (either DNS or email) to get AWS to issue the certificate. An issued certificate is required to setup the Client VPN Endpoint.

Security Group

Users connecting to the Client VPN Endpoint will have a security group applied to the incoming connection. Using the security group, you can setup inbound/outbound rules to determine the access for the incoming VPN connections. The security group will be referenced during the setup of the Client VPN Endpoint.

(Optional) Cloudwatch log group / stream

Optionally the Client VPN endpoint allows setting up logging to Cloudwatch. This will send connection-related logging, displaying login attempts with metadata. See the example log excerpt to get an idea of what is logged.

{
"connection-log-type": "connection-attempt",
"connection-attempt-status": "successful",
"connection-attempt-failure-reason": "NA",
"connection-id": "cvpn-connection-0d00000000000000",
"client-vpn-endpoint-id": "cvpn-endpoint-0d00000000000000",
"transport-protocol": "udp",
"connection-start-time": "2020-12-01 07:49:31",
"connection-last-update-time": "2020-12-01 07:49:31",
"client-ip": "10.254.240.2",
"username": "user@email.com",
"device-ip": "1.1.1.1",
"port": "54205",
"ingress-bytes": "0",
"egress-bytes": "0",
"ingress-packets": "0",
"egress-packets": "0",
"connection-end-time": "NA",
"connection-duration-seconds": "0"
}

Client VPN endpoint

In the VPC Console of AWS, go to Client VPN Endpoints and create a new Client VPN Endpoint.

Client IPv4 CIDR Supply a CIDR that will be used to assign IPs to connecting clients. Please make sure it does not overlap with your VPC or local networks.

For now, we use 10.254.240.0/22

Server certificate ARN Select the ARN of the certificate you have created in the ACM console
Authentication Options Select “Use user-based authentication”
Select “Federated authentication”
SAML provider ARN Select the IDP you have created in the IAM console
Self-service SAML provider ARN Select the IDP you have created in the IAM console
Connection Logging If you have created the CloudWatch log group/stream in the previous steps select “Yes” and then supply them as options, otherwise select “No”
Client Connect Handler For now, select “No”
Optional parameters Enable Split tunnel to not send all client traffic over the tunnel (This pushes the required routes to the client routing table)

Select your VPC for VPC ID
Enable self-service portal

Create the endpoint using the table above for the required configuration. Upon creation the VPN endpoint has to be provisioned which takes some time, when ready it will mention that it is waiting on association the endpoint.

Create associations for all the subnets that should be reachable by VPN users in the “Associations” tab.
Also make sure to create an Authorization for the CIDRs that should be reachable by the VPN users. While authorizing, you get the option to allow access to a certain group only, for now select “all users”.

Setting up the Client

In the summary tab the URL for the self-service portal will be displayed when the VPN Endpoint is fully provisioned. This URL can be used to hand over to the envisioned client VPN users. Browsing to the URL will trigger a SAML authentication request and requires the user to login to the federated IDP. Upon return the user is logged in to the self-service portal and from there download the AWS Client VPN software and the configuration file (VPN profile) for setting up the connection. Download and install the client first and then go back to the self-service portal to download the VPN configuration file.

Due to a bug in the VPN configuration file that is being generated, it must be modified before use. If you forget to do that, a SSL handshake error will be displayed. The fix is simple: remove the 3rd certificate in the CA chain and save the file. Startup the client, use the menu bar for “Manage Profiles” and add the VPN profile. Click “Connect” and it will open your default browser and browses to the login page of the federated IDP.

Upon successful authentication the VPN will setup the connection and add required routing configuration to your local machine.

Figure 5- AWS VPN Client Connected


Figure 5: AWS VPN Client Connected

Figure 6- VPN Connection active

Figure 6: VPN Connection active

Authorization

Remember the authorization configuration we made earlier in the VPN Endpoint configuration? Now it’s time to alter that a bit to ensure we only allow users that have the right role to be able to connect to specific parts of the network.

As an example, we remove the authorization for all users and only allow a specific role access to the private network. You will have to have the role to access the IPs in the destination CIDR.

Figure 7- Authorization of Network access by User Role-1

Figure 7: Authorization of Network access by User Role

Conclusion

Setting up AWS Client VPN endpoint, instead of the traditional Site to Site IPSec VPN, is a good alternative for users to setup a VPN connection to their Connext Platform.

The solution allows the users to connect to the internal network and therefore use the WSO2 management consoles. It however does not allow for secure connectivity between the WSO2 products and the customer’s on-premise network. The solution also allows setting up authorization for specific user roles to specific parts of the AWS network.

Do you want to learn more about the Connext Platform? Read one of our Connext case studies!