Okta

Pritunl Zero supports single sign-on with Okta and secondary authentication with Okta Verify. SAML attributes will be used to assign roles to the user.

Okta Push

Okta Push can be enabled for each VPN connection if it is available. If you are using Okta Push but do not want it used for VPN connections uncheck Enable Okta Push in the settings. This configuration option is stored in the database and will only need to be run on one host. The change will be immediately applied to all hosts and will not require restarting any hosts.

Create Pritunl App on Okta

In the Applications section of the admin interface click Add Application. Then click Create New App and select SAML 2.0

Next name the app Pritunl and download the Okta Pritunl logo pritunl.com/img/pritunl_okta.png and click Upload Logo then click Next.

On the next page enter https://auth.pritunl.com/v1/callback/saml as the Single sign on URL and pritunl as the Audience URI. Set the Default RelayState to the address your users would use to access the Pritunl server such as https://vpn.example.com. Then add the two attributes username with a value of user.login and email with a value of user.email. Once done click Next then Finish.

Setting User Roles

User roles can be set using the roles attribute. This attribute can be mapped to a value such as Department. Refer to the OneLogin documentation for setting the value of the roles attribute.

More information on these values is available in the Okta Expression Language documentation.

Create API Token

Pritunl will require an API token to validate if a user exists and is enabled before allowing a VPN connection. To create a token click Security then API and Create Token. Name the token Pritunl and save the token for later.

Add Users to Pritunl App

After the Okta app has been created you will need to add users to the Pritunl app before they are able to use it. This can be done in the People tab on the Pritunl app settings on Okta.

Okta App ID

Next get the Okta app ID from the url in the Okta application settings. The ID is the last component of the URL. For example the ID for this url https://pritunl-dev-admin.okta.com/admin/app/pritunlorg473326_pritunl_1/instance/0oarolrfv30ouSTcm2p6/#tab-signon is 0oarolrfv30ouSTcm2p6. This ID will be needed in the next step.

Configure Pritunl Zero

Once the Okta app has been configured click on the app then click Sign On and View Setup Instructions. In the Pritunl Zero settings tab select Okta and click Add Provider. Add any default roles that will apply to all users who authenticate with Okta. Copy the Issuer URL, SAML 2.0 Endpoint (HTTP) and X.509 Certificate from the Okta web console.

For Okta Push authentication add the Okta secondary provider on the right side. Set the Okta domain to the company Okta login domain. Then set the Okta API token. Write access on the token is required for push authentication. A policy will need to be created to apply the secondary authentication requirement to users.

Use the API token from earlier to fill in OneLogin API Client ID and OneLogin API Client Secret.