OpenVPN will display the error message "Options error: The command "auth-federate" or one of its parameters is invalid" in the connection log if the command "auth-federate" is present as an advanced command in the VPN connection's configuration.

The "auth-federate" command is not a valid OpenVPN command, which is why OpenVPN is raising an error when it is present in a connection's configuration. Rather, it is a custom command that only Amazon's VPN client uses as part of its custom SAML implementation. It’s not part of the OpenVPN 2.4 or 2.5 protocol or implementation, nor is it part of the upcoming OpenVPN 2.6 protocol or implementation.

OpenVPN officially supports SSO and SAML as part of the OpenVPN 2.5 protocol (which Viscosity fully supports). However Amazon have instead made their own custom changes to the OpenVPN protocol to support their custom SAML implementation. Because of this, if SAML authentication is enabled on the Amazon VPN server, Viscosity and other OpenVPN clients will not be able to connect.

Normally we wouldn’t be opposed to adding support for a custom authentication protocol to Viscosity if there is demand, however in this case (based on public information) Amazon have patched OpenVPN in a fashion that may cause reliability issues.

To support the larger SAML authentication messages Amazon appear to have patched OpenVPN to significantly expand OpenVPN’s control channel message size. However one of the reasons why OpenVPN uses a small size limit is to avoid potential MTU issues. By increasing the size like Amazon have (again, assuming the public information is accurate), they’re relying on the packets to be correctly fragmented. However, on setups with broken PMTUD (roughly 10% of internet connections) this approach will likely result in a hung connection attempt that eventually times out.

We haven’t completely ruled out supporting Amazon’s version in the future, however due to the potential flaws outlined above we instead encourage the official OpenVPN SAML support be adopted (which does not have such issues). We encourage users to reach out to Amazon and ask them to adopt OpenVPN’s official support for SSO/SAML so Viscosity (and other OpenVPN clients) will be able to work with their service.