Single Sign-On Outage Fix

Handle single sign-on outages

Once a Pritunl user has authenticated with single sign-on from the Pritunl web console, a VPN profile is created. This profile contains a private key and certificate used to authenticate with the Pritunl server. The Pritunl server also uses additional single sign-on APIs to verify the status of the user on each VPN connection. This prevents users who have been deleted or disabled on the single sign-on provider from connecting to the VPN.

If a single sign-on service becomes unavailable, it is possible to skip the connection check and allow existing Pritunl users to connect. Doing this temporarily disables the VPN connection check that verifies the status of the Pritunl user with the single sign-on provider. If the single sign-on provider is also used for secondary authentication, this will also be disabled. Users will then authenticate using only the private key and certificate in their VPN profile.

The first option is to run sudo pritunl set user.skip_remote_sso_check true to disable external single sign-on verification. Depending on which single sign-on services are offline, this may allow connections. This option does not skip all single sign-on verification, and secondary authentication that depends on external providers such as Duo will still be required. After the outage, the command sudo pritunl set user.skip_remote_sso_check false must be run.
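Because the skip setting stays active until it is explicitly set back to false, the following added example (not part of Pritunl or its documentation) wraps the two commands above so the bypass is time-boxed and reverted automatically. The state file path, the four-hour limit and the PRITUNL_CMD override are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Pritunl's own tooling: time-box the SSO check bypass.
# Assumptions: the state file path, 4 hour limit and PRITUNL_CMD override are
# hypothetical; only the two "pritunl set" commands come from the page.
STATE_FILE="${STATE_FILE:-/var/lib/pritunl-sso-bypass.since}"
MAX_SECONDS="${MAX_SECONDS:-14400}"
PRITUNL_CMD="${PRITUNL_CMD:-sudo pritunl}"

# Turn the bypass on. The start time is recorded first so a bypass is never
# active without a timer; an existing timer is kept, so repeated calls do not
# extend the window.
bypass_enable() {
    [ -f "$STATE_FILE" ] || date +%s > "$STATE_FILE" || return 1
    $PRITUNL_CMD set user.skip_remote_sso_check true
}

# Restore normal verification and clear the timer.
bypass_disable() {
    $PRITUNL_CMD set user.skip_remote_sso_check false || return 1
    rm -f "$STATE_FILE"
}

# For cron: revert once the bypass is older than MAX_SECONDS.
# Returns 0 if it reverted, 1 if there was nothing to do.
bypass_expire() {
    [ -f "$STATE_FILE" ] || return 1
    since=$(cat "$STATE_FILE")
    # A damaged timestamp is treated as expired (fail safe).
    case "$since" in ''|*[!0-9]*) since=0 ;; esac
    now=$(date +%s)
    [ $((now - since)) -ge "$MAX_SECONDS" ] || return 1
    echo "SSO check bypass exceeded ${MAX_SECONDS}s, re-enabling check" >&2
    bypass_disable
}

case "${1:-}" in
    enable)  bypass_enable ;;
    disable) bypass_disable ;;
    expire)  bypass_expire || true ;;
esac
```

Run the script with enable at the start of the outage and schedule it with expire from cron every few minutes; disable ends the bypass early once the provider is back.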

For further outages, single sign-on can be completely disabled temporarily. To disable single sign-on connection verification, open the settings from the Pritunl web console and first copy the existing single sign-on settings. Save these values so the settings can be restored later. Then set the single sign-on mode to disabled. Existing users keep their single sign-on association even while single sign-on is temporarily disabled, and will be able to connect without single sign-on verification. New single sign-on users will not be able to authenticate from the web console until the settings are restored.