Abstract: A service or load balancer may use the techniques herein to perform client authentication using a certificate-based identity provider. A client may send a request for access to a service of the provider network. In response, the service or a load balancer may redirect the request to a certificate-based identity provider in accordance with a standard identity protocol (e.g., a federated identity protocol such as the protocol for OpenID Connect (OIDC)). The certificate-based identity provider may obtain a client certificate and validate the client certificate. The identity provider may also obtain and verify other credentials. In response to validating the client certificate (and in some cases authenticating the credentials), the certificate-based identity provider may generate and sign an identity token and redirect the client back to the service in accordance with the identity protocol.

Abstract: This disclosure describes techniques for utilizing strong authentication of device identities and/or user identities to establish secure network tunnels between client devices and a virtual private network (VPN) server of a service provider network. The service provider network may generate routes from the VPN server to services to establish a connection for the client device to access the services. The service provider network may receive posture data from the client device that indicates a state of the client device, and determine, using a security policy, with which services the client device is permitted to interact or utilize. Further, the techniques described herein include receiving requests from the services to provide cryptographic assertion(s) that were used by the VPN server to authenticate the device identities and/or user identities. In this way, the services may be able to perform strong authentication of the client devices that are attempting to utilize the services.