Azure Conditional Access Policy require MFA each session

We are trying to implement SSO auth for VPN to reduce the number of MFA tokens a user needs to have. However, when turning on SSO for auth on our test server, the conditional access policy that says to force an MFA auth each time seems to be bypassed. Looking at Microsoft's documentation, they seem to limit this to OAuth2 or OIDC methods.

Has anyone implemented this using Pritunl?

The option for this is referred to as connection single sign-on. There is still a verification when connecting without it, but it will only verify the user's status to block deleted or disabled users. Connection single sign-on opens the web browser on connection and completes the full OAuth authentication.

It would be far more secure and easier for the users to use device authentication instead of, or along with, single sign-on connection authentication. This doesn't require the user to take any additional steps when connecting and is significantly more effective at preventing phishing attacks or even a fully compromised single sign-on account.

More security information is available in the high security environment documentation.

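What "completes the full OAuth authentication" looks like at the protocol level, as an added example that is not Pritunl's code and not taken from the thread: a desktop client runs a standard OAuth 2.0 authorization-code flow with PKCE (RFC 7636), opens the system browser at the identity provider's authorize endpoint, and waits on a loopback redirect for the authorization code. The endpoint URL, client ID, redirect URI, scopes and the `prompt=login` parameter are assumptions chosen for illustration; the thread does not say which parameters Pritunl sends.

```python
"""Illustrative OAuth 2.0 authorization-code + PKCE login from a desktop client.
Added example, not Pritunl's code. All endpoints and identifiers are placeholders."""
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical identity-provider endpoint and client registration (assumptions).
AUTHORIZE_URL = "https://login.example.com/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://127.0.0.1:8912/callback"
SCOPE = "openid profile"


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier, per RFC 7636: BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return a fresh (code_verifier, code_challenge) pair."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state, challenge, prompt="login"):
    """Browser URL for the authorize endpoint. prompt=login (OIDC Core) asks the
    provider to re-authenticate the user instead of silently reusing a browser
    session; what that re-authentication consists of (password, MFA) is decided
    by the provider's policy, not by this parameter."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "prompt": prompt,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Pull the authorization code out of the redirect path.
    A state mismatch is rejected so a forged redirect cannot inject a code."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF)")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def wait_for_code(expected_state, timeout=300):
    """Serve exactly one request on the loopback redirect URI and return the code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                body = b"Login complete. You can close this window."
            except (ValueError, KeyError) as exc:
                result["error"] = str(exc)
                body = b"Login failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the client quiet
            pass

    parts = urllib.parse.urlsplit(REDIRECT_URI)
    with HTTPServer((parts.hostname, parts.port), Handler) as server:
        server.timeout = timeout
        server.handle_request()  # blocks until the browser is redirected back, or timeout
    if "error" in result:
        raise RuntimeError(result["error"])
    if "code" not in result:
        raise RuntimeError("no redirect received before timeout")
    return result["code"]


def connect_with_sso():
    """Open the browser, wait for the redirect, and return (code, verifier);
    the caller exchanges these at the token endpoint (network call omitted here)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    webbrowser.open(build_authorize_url(state, challenge))
    return wait_for_code(state), verifier


if __name__ == "__main__":
    code, verifier = connect_with_sso()
    print("authorization code received; exchange it with code_verifier", verifier[:8] + "...")
```

The point relevant to the question: the browser step is a real interactive authorization request, so it is the place where the identity provider's policy (such as a conditional access sign-in frequency) can be evaluated; a client that only checks the user's status against the directory never sends such a request, so no policy is consulted.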