
OneLogin

Single sign-on with OneLogin

This tutorial explains how to configure OneLogin for single sign-on to Pritunl. Users authenticate through OneLogin when downloading VPN profiles. After a user has downloaded a VPN profile, the Pritunl server uses the OneLogin API to verify that the user still exists and is enabled before each VPN connection.

Create Pritunl App on OneLogin

In the OneLogin admin interface, select New App and search for SAML Test Connector (IdP w/ attr w/ sign response). Change the name to Pritunl and download the OneLogin Pritunl logos, pritunl.com/img/pritunl_onelogin.png and pritunl.com/img/pritunl_onelogin_square.png. Then upload both logos and click Save.

On the next page, set the RelayState to the address your users use to access the Pritunl server, such as https://vpn.example.com. Then enter https://auth.pritunl.com/v1/callback/saml as the Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL. Once done, click Save and then click the Parameters tab.

On the Parameters tab, click Add parameter, set the Field name to username, select Include in SAML assertion and click Save. Then click on the parameter and set the Value to Username. Do this again using email as the name and Email as the value.

Setting User Organization

By default, all OneLogin users are added to the organization set in the Pritunl settings. Users can be added to a specific organization using the org attribute, which can be mapped to a value such as Department. The value of the attribute must exactly match the name of an existing organization on the Pritunl server. If a value is given for an organization that does not exist, the user will be added to the default organization.
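A pre-rollout check for the fallback rule above, as an added example that is not Pritunl's own code: it applies the exact-match rule to user records and reports org values that would silently place a user in the default organization. The function names, sample users and organization names are assumptions constructed for illustration.

```python
# Added example: pre-rollout audit of the org attribute fallback rule.
# All names and sample data below are constructed for illustration.

def resolve_org(org_attr, existing_orgs, default_org):
    """Rule as stated on this page: exact name match, else the default organization."""
    if org_attr and org_attr in existing_orgs:
        return org_attr
    return default_org

def near_miss(org_attr, existing_orgs):
    """Organization the value probably meant if it differs only by case or whitespace."""
    if not org_attr or org_attr in existing_orgs:
        return None
    folded = {name.strip().casefold(): name for name in existing_orgs}
    return folded.get(org_attr.strip().casefold())

def audit(users, existing_orgs, default_org):
    """Return (username, sent_value, probable_target, resolved_org) for every
    user whose org value is set but matches no existing organization."""
    findings = []
    for user in users:
        value = user.get("org")
        if value and value not in existing_orgs:
            findings.append((user["username"], value,
                             near_miss(value, existing_orgs),
                             resolve_org(value, existing_orgs, default_org)))
    return findings

# Constructed inputs: organization names on the Pritunl server and the
# attributes OneLogin would send (org mapped from Department).
EXISTING_ORGS = {"Engineering", "Finance", "Contractors"}
DEFAULT_ORG = "Contractors"
USERS = [
    {"username": "alice", "email": "alice@example.com", "org": "Engineering"},
    {"username": "bob", "email": "bob@example.com", "org": "engineering"},
    {"username": "carol", "email": "carol@example.com", "org": "Finance "},
    {"username": "dave", "email": "dave@example.com", "org": "Marketing"},
    {"username": "erin", "email": "erin@example.com"},  # no org: default by design
]

if __name__ == "__main__":
    for name, sent, meant, landed in audit(USERS, EXISTING_ORGS, DEFAULT_ORG):
        hint = f"probably meant {meant!r}" if meant else "no such organization"
        print(f"{name}: org={sent!r} -> {landed!r} ({hint})")
```

Running the audit against an export of the mapped field before enabling single sign-on shows which users would receive the default organization's access instead of the one intended.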

Create API Token

Pritunl requires an API token to verify that a user exists and is enabled before allowing a VPN connection. To create a token, click Settings, then API, then New Credential. Name the token Pritunl, select Read Users and save the token for later.

Add Users to Pritunl App

After the OneLogin app has been created, you will need to add users to the Pritunl app before they can use it. This can be done in the Users tab of the Pritunl app settings on OneLogin.

Configure Pritunl

Once the Okta app has been configured, click on the app, then click Sign On and View Setup Instructions. Then open the Pritunl settings, set Single Sign-On to Okta and set the Single Sign-On Organization. This organization will be the default organization Okta users are added to. Then copy the SAML 2.0 Endpoint (HTTP) to SAML Sign-On URL, the Issuer URL to SAML Issuer URL and the X.509 Certificate to SAML Certificate. Use the API token from earlier to fill in OneLogin API Client ID and OneLogin API Client Secret.
