We used Pritunl with OpenVPN and the Pritunl Clients before, so we only needed to authenticate against Azure to get our profiles. That worked pretty well. Now we configured Conditional Access compliance policies on the Azure side, which required us to disable OpenVPN usage for Pritunl. We figured that we need to enable Single Sign-On Authentication in the Pritunl server configuration to force the compliance policy to always get checked before the VPN is enabled. After I configured the Single Sign-On Authentication URL in the default settings, I thought the client would start to open a browser session to authenticate against Azure. That doesn't work. Is there something else we need to disable or configure for this to work?
Thank you.
I have looked into the Azure conditional access policies in Entra and have been unable to get it working. The system seems to be mostly focused on controlling access to the Microsoft 365 applications instead of all sign-on requests going through Entra. Using connection authentication with the authentication cache disabled in the top right settings will trigger a full sign-in through Entra for every VPN connection. This should allow the conditional access policies to work.
It’s possible there is some configuration in Azure that will allow it to work. Microsoft single sign-on has always had a lot of problems and it seems to be an ongoing issue with Entra.
Hi and thanks for the reply. The problem with conditional access is that it doesn't go by apps even if it says so. It is resource focused, and Pritunl, like other apps, uses the Microsoft Graph API as the resource. My problem is that the client doesn't even show the SSO prompt when we hit connect to start the browser. Disabling the auth cache doesn't change anything. The server URL of my Pritunl server is server1.vpn.example.com and the URL for the Pritunl webpage (HAProxy) is vpn.example.com. I also configured vpn.example.com as Single Sign-On Domain and Sync URI, right?
Fixed it. In the top right corner in the general settings I switched the Azure SSO method to SAML (just as an example) and tried the client SSO again. That worked like a charm. So I think, like you mentioned Zach, the authentication cache was the problem. However, deactivating the authentication cache didn't delete it correctly, I think. It seemed to be deleted after the SSO authentication switch. After switching back to Azure and filling in my Tenant, App and Sec IDs, everything worked.
Thank you
Okay, now it stopped working again. I don't think this relies on the IdP side, because I cannot switch the SSO mechanism now and force the client to open a browser tab to reauthenticate. It just doesn't do anything on connect.