Controlling user access via Azure AD groups

Okay, so I am trying to get authentication via Azure AD working.

Am I right in saying that AD group membership is only checked on the first login attempt for a user and never checked again? I have tested this by removing the user from the AD group, and I have even removed the group from the Pritunl settings - it still allowed the user to log in.

Is it also true that AD support does not include actual Pritunl client connections? There is no way to link a group to a server and then only allow users that are members of that AD group to connect?


Organizations represent certificate authorities; changing a user's organization requires issuing a new certificate and private key. This can't be done during connection. If a user logs into the web console with single sign-on and the group has changed, the user will be moved to a new organization.

If the groups mode is configured, the Azure API would be used to update the user's groups on connection. You also need to configure groups on the server. If a server has no groups configured, the user's groups will never be checked.

So essentially, SSO is only for the web interface and not for the VPN client?

The Azure API is used for every VPN connection; disabled or deleted users in Azure cannot connect. The groups mode can be used to also validate the user's groups on each connection. The certificate is sufficient for authenticating the user to the VPN server. This design is required to maintain compatibility with all OpenVPN clients. There are several multi-factor authentication options that will provide additional authentication for connections.

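The connection-time policy described in the answer above, written out as a small simulation so the three cases (disabled or deleted Azure account, groups mode with server groups, server with no groups configured) can be traced. This is an added example and not Pritunl's code; the `DIRECTORY` dict is a constructed stand-in for the live Azure AD state that Pritunl would query through the Azure API, and the user, group and server names are made up.

```python
"""Simulation of Pritunl-style per-connection checks against current Azure AD state.

Constructed example, not Pritunl's implementation. Pritunl queries the Azure API
on every VPN connection; here DIRECTORY plays the role of the live directory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed tenant state. Mutating it models changes made in the Azure portal.
DIRECTORY: Dict[str, dict] = {
    "alice@example.com": {"enabled": True, "groups": {"vpn-users", "staff"}},
    "bob@example.com": {"enabled": False, "groups": {"vpn-users"}},   # disabled in Azure
    "carol@example.com": {"enabled": True, "groups": {"staff"}},      # not in vpn-users
}


@dataclass
class Server:
    """A Pritunl server; an empty group set means the group check is skipped."""
    name: str
    groups: Set[str] = field(default_factory=set)


def fetch_azure_user(upn: str) -> Optional[dict]:
    """Stand-in for the Azure API call made on each connection (None = deleted)."""
    return DIRECTORY.get(upn)


def authorize_connection(upn: str, server: Server, groups_mode: bool,
                         cert_valid: bool = True) -> Tuple[bool, str]:
    """Decide whether a VPN connection is allowed, in the order the thread describes:
    certificate first, then Azure account state, then (optionally) group membership."""
    if not cert_valid:
        return False, "denied: client certificate rejected"
    entry = fetch_azure_user(upn)
    if entry is None:
        return False, "denied: user deleted in Azure AD"
    if not entry["enabled"]:
        return False, "denied: user disabled in Azure AD"
    if not groups_mode:
        return True, "allowed: groups mode off, Azure account active"
    if not server.groups:
        # The caveat from the answer: no groups on the server, so groups are never checked.
        return True, f"allowed: server {server.name} has no groups configured"
    matched = entry["groups"] & server.groups
    if matched:
        return True, f"allowed: matched group(s) {sorted(matched)}"
    return False, (f"denied: user groups {sorted(entry['groups'])} "
                   f"do not include any of {sorted(server.groups)}")


def set_group_membership(upn: str, group: str, member: bool) -> None:
    """Model an admin adding or removing the user from an Azure AD group."""
    groups = DIRECTORY[upn]["groups"]
    groups.add(group) if member else groups.discard(group)


def membership_removed_scenario() -> List[bool]:
    """The situation the question asks about: a user is removed from the group
    after a successful connection. Because the directory is queried each time,
    the second attempt is denied. Returns the two outcomes in order."""
    server = Server("prod-vpn", {"vpn-users"})
    first = authorize_connection("alice@example.com", server, groups_mode=True)[0]
    set_group_membership("alice@example.com", "vpn-users", member=False)
    second = authorize_connection("alice@example.com", server, groups_mode=True)[0]
    set_group_membership("alice@example.com", "vpn-users", member=True)  # restore state
    return [first, second]


if __name__ == "__main__":
    print("alice before/after group removal:", membership_removed_scenario())
    for upn in DIRECTORY:
        print(upn, authorize_connection(upn, Server("prod-vpn", {"vpn-users"}), True))
    print("carol, server without groups:",
          authorize_connection("carol@example.com", Server("lab-vpn"), True))
```

The point worth checking in a real deployment is the last case: a server with no groups configured passes every active Azure account regardless of membership, so a group restriction only takes effect once groups mode is on and the server itself lists the groups.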

Oh, that's nice information. Thanks Zach, I need to test this now.

Did it work? If you disable a user in Azure AD, I'd expect the VPN connection would fail on authentication. Is this correct?