Pritunl Zero supports single sign-on with Okta and secondary authentication with Okta Verify. SAML attributes will be used to assign roles to the user.
In the Applications section of the admin interface click Add Application. Then click Create New App and select SAML 2.0
Next name the app
Pritunl and download the Okta Pritunl logo pritunl.com/img/pritunl_okta.png and click Upload Logo then click Next.
On the next page enter
https://auth.pritunl.com/v1/callback/saml as the Single sign on URL and
pritunl as the Audience URI. Set the Default RelayState to the address your users would use to access the Pritunl server such as
https://vpn.example.com. Then add the two attributes
username with a value of
user.email. Once done click Next then Finish.
User roles can be set using the
roles attribute. This attribute can be mapped to a value such as
user.department. Okta provides several mapped values for attributes. Refer to the Okta documentation for setting the value of the
roles attribute using mapped variables.
An API token can be used for secondary authentication using Okta Verify. This is not required if Okta Verify secondary authentication will not be used. To create a token click Security then API and Create Token. Name the token
Pritunl and save the token for later.
After the Okta app has been created you will need to add users to the Pritunl app before they are able to use it. This can be done in the People tab on the Pritunl app settings on Okta.
Next get the Okta app ID from the url in the Okta application settings. The ID is the last component of the URL. For example the ID for this url
0oarolrfv30ouSTcm2p6. This ID will be needed in the next step.
Once the Okta app has been configured click on the app then click Sign On and View SAML setup instructions on the right side. In the Pritunl Zero settings tab select Okta and click Add Provider. Add any default roles that will apply to all users who authenticate with Okta. Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer URL and X.509 Certificate from the Okta web console.
For Okta Push authentication add the Okta secondary provider on the right side. Set the Okta domain to the company Okta login domain. Then set the Okta API token. Write access on the token is required for push authentication. A policy will need to be created to apply the secondary authentication requirement to users.
Updated 2 months ago