Currently only the Pritunl Electron client will function with SSO connection authentication. The connection authentication documentation has more information. This is an additional layer of authentication, single sign-on can be used without the additional connection authentication.
Is using the extra layer of authentication a server or client config?
I mean if a server already uses the extra layer, can a client opt to not use it and simply use the default mode? Basically this way another client app can be used.
The details of single sign-on connection authentication is documented in the dynamic firewall documentation. A similar design is used for the single sign-on method except it does not obtain and exchange the public address of the client. It’s a web request sent to the Pritunl server before initiating the OpenVPN connection.