Default authentication provider

Hello,

We use Pritunl Zero Enterprise and have set up Azure AD as the authentication provider. All users in the organization use this.

On the login page, however, the local login is always requested and the user has to select the authentication provider first. How can this be changed to use SSO by default without having to make a selection first?

Thank you for the feedback.

If all non-single sign-on users are removed the local option will no longer be shown.


Hello zach,

Thanks very much. However, the selection page is still displayed then, which makes no sense with only one authentication provider.

It would be much better in terms of usability and user administration if the authentication providers could be selected per site. If there is only one, it should be used automatically.

Directly redirecting to a single sign-on authentication prompt may confuse some users. The login page will also be improved with the next release to include a logo instead of just showing the buttons with a plain box.

The use case is actually standard and the sense of SSO (direct redirect). For example, if you open Google Services and are previously logged in, no login button is shown first and you are directly redirected to the application. The same applies to Microsoft Services or others.

It is cumbersome for the user if he has x applications that are all integrated in SSO and then always comes to a login page where he has to confirm the login, even if he is already logged in to Azure AD through SSO, for example.

A login page that can be designed in more ways makes sense, but for the use case that no login has yet taken place via an authentication provider. These are two different subjects.

Is it likely that you offer that as an option? I can’t make the current implementation available to our users as we would get a lot of criticism.

I may add an option for it in the future. You can edit the login.html file and search for bindState(); then place onAuthProvider(provider.id); on the next line. The static files are cached on startup so this will require restarting the service.

sudo nano /usr/share/pritunl-zero/www/login.html
# in nano: ctrl+w, search for bindState();
# then add this on the next line: onAuthProvider(provider.id);
sudo systemctl restart pritunl-zero
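
Added example (not part of the thread and not Pritunl's own code): a repeatable, idempotent form of the manual edit above that keeps a copy of the shipped file for rollback. The function name `patch_login` is hypothetical, and it assumes the first `bindState();` in the file sits on its own line and is the one meant in the post.

```shell
#!/bin/sh
# patch_login FILE
#   Inserts "onAuthProvider(provider.id);" on the line after the first
#   "bindState();" in FILE, reusing that line's indentation.
#   Returns 0 if patched or already patched, 1 if FILE or the anchor is missing.
patch_login() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    grep -q 'bindState();' "$file" || { echo "anchor not found in $file" >&2; return 1; }

    # Already patched: the call directly follows an anchor line, so do nothing.
    if awk 'prev && /onAuthProvider\(provider\.id\);/ { found = 1 }
            { prev = /bindState\(\);/ }
            END { exit !found }' "$file"; then
        return 0
    fi

    # Keep the shipped copy so the change can be reviewed or rolled back.
    cp -p "$file" "$file.orig" || return 1

    # Write through cat so the original owner and mode of FILE are preserved.
    awk '{ print }
         !done && /bindState\(\);/ {
             match($0, /^[ \t]*/)
             print substr($0, 1, RLENGTH) "onAuthProvider(provider.id);"
             done = 1
         }' "$file.orig" > "$file.tmp" &&
        cat "$file.tmp" > "$file" &&
        rm -f "$file.tmp"
}

# Usage (as root), followed by the service restart from the post:
#   patch_login /usr/share/pritunl-zero/www/login.html
#   systemctl restart pritunl-zero
```

Running `diff login.html.orig login.html` afterwards should show exactly one added line.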

This has been added to the codebase for the next release. It is currently a hidden option but may be added to the web console in the future. If Go is installed it can be built from the repository. The fast_login option uses the fast redirect if no local users are in the database. The force_fast_user_login and force_fast_service_login options will force a redirect on user and service logins to the SSO even if local users exist in the database. All options require that only 1 SSO provider is configured.

GOPROXY=direct go install github.com/pritunl/pritunl-zero@latest
sudo cp ~/go/bin/pritunl-zero /usr/bin/pritunl-zero

sudo pritunl-zero set app fast_login true
sudo pritunl-zero set app force_fast_user_login true
sudo pritunl-zero set app force_fast_service_login true