Android/iOS AWS Client VPN user authentication with AzureAD SAML

I have set up the AWS VPN and connected to AzureAD, and everything works great when using the AWS Client VPN application on desktop computers, including remote computers not on our office network and without any special whitelisting/setup on the computer.

Following the instructions on https://docs.aws.amazon.com/vpn/latest/clientvpn-user/android.html it should just work on Android devices using the OpenVPN app; however, it asks for username and password, then stalls at “Looking up DSN name”.

OpenVPN connecting to another unrelated VPN not using AWS/SAML does work correctly.

Any guidance would be much appreciated.

I also asked on OpenVPN https://www.reddit.com/r/OpenVPN/comments/t5rfid/androidios_aws_client_vpn_user_authentication/

The SAML implementation is something that only works on Mac/Windows/Linux when using the AWS VPN Client, so I’m guessing openvpn doesn’t support it.

That is what I was afraid of, just couldn’t find documentation. Thanks

Yeah, it’s not super obvious from the user-facing documentation; the administrator docs, however, briefly mention the fact that you’d need to use an AWS-supplied client.

Yeah, I am using SAML as well. It is much better, but is limited to AWS since they use a custom flag called auth-federate which is not supported by other VPN clients. The client itself is exactly the same, since it is using OpenVPN, but AWS adds an additional layer that authenticates through the browser, and it then sends the normal username and password you would set automatically, but instead of your credentials it sends some keys it received from the web browser. I’ve seen some custom-made implementations and it is not very complicated. Though it is supported in Linux, Mac and Windows, so there shouldn’t be any issues. The only problem I have is that there is no Android support and there is no backup plan in case the AWS client fails, but that shouldn’t happen; it’s not a very complex app.
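The thread's conclusion is that a profile carrying the AWS-specific `auth-federate` directive can only be used by the AWS-supplied client, which is why a generic OpenVPN app prompts for credentials and then stalls. The following is an added example (not code from the thread, from AWS, or from OpenVPN) of a small pre-flight check an administrator can run over an `.ovpn` file before handing it to mobile users: it parses the profile's directives, skips inline `<ca>`/`<cert>` blocks, and reports whether the profile depends on `auth-federate`. The two sample profiles are constructed for the example; the endpoint hostnames are placeholders.

```python
"""Pre-flight check: does an OpenVPN profile require the AWS Client VPN app?

Added example, not part of the original thread. The only AWS-specific
directive it looks for is `auth-federate`, the flag discussed above.
"""
import re

# Directives that a stock OpenVPN client does not implement (per the thread).
AWS_ONLY_DIRECTIVES = {"auth-federate"}

# Constructed sample: a SAML-federated AWS Client VPN style profile.
# Endpoint hostname and certificate body are placeholders.
SAML_PROFILE = """\
client
dev tun
proto udp
remote cvpn-endpoint-PLACEHOLDER.example.com 443
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
auth-federate
auth-user-pass
"""

# Constructed sample: an ordinary username/password OpenVPN profile.
PLAIN_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# comment lines and blank lines are ignored

<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
auth-user-pass
"""


def parse_directives(profile_text):
    """Return a list of (directive, args) tuples from an .ovpn file.

    Comment lines (# or ;), blank lines and the bodies of inline
    <ca>...</ca> style blocks are skipped, since those are not directives.
    """
    directives = []
    in_block = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block is not None:
            # Inside an inline block: only its closing tag matters.
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def classify_profile(profile_text):
    """Classify the profile's authentication method and AWS-client dependency."""
    names = {name for name, _ in parse_directives(profile_text)}
    aws_only = sorted(names & AWS_ONLY_DIRECTIVES)
    if aws_only:
        auth_method = "saml-federated"
    elif "auth-user-pass" in names:
        auth_method = "username-password"
    else:
        auth_method = "certificate"
    return {
        "requires_aws_client": bool(aws_only),
        "aws_only_directives": aws_only,
        "auth_method": auth_method,
    }


if __name__ == "__main__":
    for label, profile in (("saml", SAML_PROFILE), ("plain", PLAIN_PROFILE)):
        print(label, classify_profile(profile))
```

Running the script prints that the SAML profile requires the AWS client while the plain profile does not; in practice you would point `classify_profile` at the contents of the real `.ovpn` file before distributing it to Android or iOS users.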