The "auth-federate" command is not a standard OpenVPN command. Instead, it is a custom command designed for Amazon’s AWS Client VPN service and its SAML implementation.

Viscosity versions 1.12 and later support importing VPN connections that contain the auth-federate command, and Viscosity can use Amazon’s custom SAML implementation when authenticating.

If you receive the error message "Options error: The command “auth-federate” or one of its parameters is invalid" please update to Viscosity version 1.12 or later and import your AWS Client VPN connection again. You should then be able to connect to the VPN and authenticate using web-based authentication (SAML).

OpenVPN officially supports SSO and SAML as part of the OpenVPN protocol. However, Amazon has instead made its own custom changes to the OpenVPN protocol to support its SAML implementation. Because of this, if SAML authentication is enabled on the Amazon AWS Client VPN server, older versions of Viscosity (prior to version 1.12) and other OpenVPN clients will not be able to connect.

Amazon's implementation may also hang and time out on networks with broken PMTUD (roughly 10% of internet connections). This is not a bug in Viscosity’s implementation, but rather a potential flaw related to the changes Amazon has made to OpenVPN’s control channel message size. If you experience this behaviour, try manually lowering your computer’s MTU value or contact your VPN provider for support.