Keycloak and AWS Client VPN with SAML

I spent a lot of time in the past two weeks figuring out how to use AWS Client VPN with federation (SAML) with Keycloak. For some reason the SAML XML-file that I downloaded from a new realm in Keycloak, and that I had implemented into AWS IAM Identity Provider, went to the Master realm and not the new realm. The logs did not show any kind of reference to the new realm but only showed that the client could not be found in Master realm. Of course, the client did not exist in the Master realm because I had created the client in the new realm only. I have since figured out why and you can read more about the solution below.

I assume that you have already created an instance running Keycloak (18.0.0) with a certificate in front - either using AWS Application Load Balancer (ALB), Nginx or Apache. Also make sure that you create a new realm and a new client. The name of the client that you have to use with AWS Client VPN must be ‘urn:amazon:webservices:clientvpn’. Inside the new client you need to set the following options to ‘Off’:

  • Optimize REDIRECT signing key lookup
  • Client Signature Required

Under ‘Valid Redirect URIs’ you insert the AWS Client VPN redirect URL: http://127.0.0.1:35001. When you have done these things you go to the bottom of the page and then click on ‘Save’. You then go into the tab ‘Mappers’. You need to create mappers ‘User Property’: FirstName and LastName. I will only show an example with FirstName - just repeat the process with LastName.

  • Name: FirstName
  • Mapper Type: User Property
  • Property: FirstName
  • Friendly Name: FirstName
  • SAML Attribute Name: FirstName
  • SAML Attribute NameFormate: Unspecified

Save and then repeat.

Now go into the Realm Settings in your new realm and download the ‘SAML 2.0 Identity Provider Metadata’ file. This is the file that you need to insert into AWS IAM Identity Provider. But before you do that you need to modify one boolean value in the file:

  • WantAuthnRequestsSigned=“true” must be changed to “false”

Now you can insert the SAML-file into AWS IAM Identity Provider. After you have done this, you need to create a user with all the bells and whistles that you want such as OTP (One-Time Password), password policies etc. These stuff are up to you. When you have created the AWS Client VPN endpoint, you download the configuration for the client and use it in the AWS Client VPN software.