Okta Single Sign-On

Configure Pritunl Zero single sign-on with Okta

Pritunl Zero supports single sign-on with Okta and secondary authentication with Okta Verify. SAML attributes will be used to assign roles to the user.

Create Pritunl App on Okta

In the Applications section of the admin interface click Add Application. Then click Create New App and select SAML 2.0


Next name the app Pritunl and download the Okta Pritunl logo pritunl.com/img/pritunl_okta.png and click Upload Logo then click Next.

On the next page enter https://auth.pritunl.com/v1/callback/saml as the Single sign on URL and pritunl as the Audience URI. Set the Default RelayState to the address your users would use to access the Pritunl server such as https://vpn.example.com. Then add the two attributes username with a value of user.login and email with a value of user.email. Once done click Next then Finish.

Setting User Roles

User roles can be set using the roles attribute. This attribute can be mapped to a value such as user.department. Okta provides several mapped values for attributes. Refer to the Okta documentation for setting the value of the roles attribute using mapped variables.

Create API Token

An API token can be used for secondary authentication using Okta Verify. This is not required if Okta Verify secondary authentication will not be used. To create a token click Security then API and Create Token. Name the token Pritunl and save the token for later.

Add Users to Pritunl App

After the Okta app has been created you will need to add users to the Pritunl app before they are able to use it. This can be done in the People tab on the Pritunl app settings on Okta.

Okta App ID

Next get the Okta app ID from the url in the Okta application settings. The ID is the last component of the URL. For example the ID for this url https://pritunl-dev-admin.okta.com/admin/app/pritunlorg473326_pritunl_1/instance/0oarolrfv30ouSTcm2p6/#tab-signon is 0oarolrfv30ouSTcm2p6. This ID will be needed in the next step.

Configure Pritunl Zero

Once the Okta app has been configured click on the app then click Sign On and View SAML setup instructions on the right side. In the Pritunl Zero settings tab select Okta and click Add Provider. Add any default roles that will apply to all users who authenticate with Okta. Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer URL and X.509 Certificate from the Okta web console.

For Okta Push authentication add the Okta secondary provider on the right side. Set the Okta domain to the company Okta login domain. Then set the Okta API token. Write access on the token is required for push authentication. A policy will need to be created to apply the secondary authentication requirement to users.