Docs on SSO/SAML using a self-hosted identity provider

Hi pritunl community and devs :slight_smile:

The Enterprise Version of pritunl lists “Single sign-on with SAML” as a feature.
However, the documentation only covers single sign-on with cloud providers (Google, OneLogin, Azure, …).
We tried to set up single sign-on over SAML with our own self-hosted identity provider (Keycloak) and couldn’t get it to work.
The logs weren’t helpful either.
We briefly skimmed through the code and didn’t know how the API endpoint https://auth.pritunl.com played into this setup.

Are there any guides/docs we are missing?

Thanks :slight_smile:
sbock

Currently only Okta, OneLogin and JumpCloud are supported as SAML providers.

That is unfortunate.
Thanks for the quick response!

Will Google become a SAML provider? The news from Google is that password-vaulted apps are being shut down completely.

We use pritunl Zero and noticed that Pritunl is part of the 200 Google deemed “pre-integrated”. Do those instructions still apply to Pritunl Zero? Seems I’m stuck on step two,

Google has put up instructions for configuring Pritunl with SAML. The documentation was not provided by Pritunl and isn’t accurate. The OAuth Google single sign-on used in Pritunl is not a password vaulted app and it isn’t getting shut down.

OAuth is preferred over SAML and there are no plans to support SAML for providers that have OAuth available. OAuth supports the ability to refresh tokens and verify user status unattended. After the user authenticates with the Pritunl web console using single sign-on, the profile is imported into the client with a private key. That private key is then used to authenticate the user connection. To maintain support with all OpenVPN clients, additional single sign-on authentication that would require a web browser is not done when connecting to the VPN. Instead, OAuth and provider APIs are used by the Pritunl server to verify that the user account exists and is active and not disabled. For Google, both an OAuth refresh and an update with the Google Workspace API are done to verify the status of the user.

Attempting to configure SAML alone will not provide any connection checks on the status of the user. This mode will need to either be paired with Duo or the users will need to be manually deleted from the Pritunl web console.

None of this applies to Pritunl Zero or Pritunl Cloud, which always have a web browser available and will send the user to the single sign-on provider for authentication updates.
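To make the "unattended status check" described above concrete, here is an added Python illustration of the pattern (refresh a stored OAuth token, then ask the provider's directory whether the account still exists and is active, and deny the connection otherwise). This is not Pritunl's code and does not reproduce how the Pritunl server implements it. The two endpoint URLs are Google's documented token and Admin SDK Directory endpoints; the client id, secret, refresh tokens, the `fake_http` transport and the directory entries are constructed placeholders so the check runs offline. `urllib_http` is an assumed minimal real transport you would substitute in practice.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib import error, parse, request

# Documented Google endpoints; everything else in this file is constructed.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DIRECTORY_USER_ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/users/"

# An HTTP transport is injected so the same check runs against a fake offline.
# Signature: (method, url, body_or_None, headers) -> (status_code, body_bytes)
HttpFn = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, bytes]]


@dataclass
class Decision:
    allowed: bool
    reason: str


def refresh_access_token(http: HttpFn, client_id: str, client_secret: str,
                         refresh_token: str) -> Optional[str]:
    """Exchange the refresh token stored at SSO time for a short-lived access token.

    A rejected refresh (e.g. invalid_grant) is the first signal that consent was
    revoked or the account is gone; the caller treats None as a denial.
    """
    body = parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    status, payload = http("POST", TOKEN_ENDPOINT, body,
                           {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return None
    return json.loads(payload).get("access_token")


def check_user_status(http: HttpFn, client_id: str, client_secret: str,
                      refresh_token: str, email: str) -> Decision:
    """Decide whether a previously imported profile may still open a connection."""
    token = refresh_access_token(http, client_id, client_secret, refresh_token)
    if token is None:
        return Decision(False, "oauth refresh rejected (token revoked or account removed)")
    status, payload = http("GET", DIRECTORY_USER_ENDPOINT + parse.quote(email), None,
                           {"Authorization": "Bearer " + token})
    if status == 404:
        return Decision(False, "user not found in directory")
    if status != 200:
        return Decision(False, f"directory lookup failed with HTTP {status}")
    user = json.loads(payload)
    if user.get("suspended"):  # Directory API marks disabled accounts this way
        return Decision(False, "user is suspended")
    return Decision(True, "user exists and is active")


def urllib_http(method: str, url: str, body: Optional[bytes],
                headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Assumed minimal real transport using only the standard library."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


# --- Constructed fake provider so the check can be exercised offline ----------
FAKE_DIRECTORY = {
    "alice@example.com": {"primaryEmail": "alice@example.com", "suspended": False},
    "bob@example.com": {"primaryEmail": "bob@example.com", "suspended": True},
}
VALID_REFRESH_TOKENS = {"rt-alice", "rt-bob", "rt-carol"}  # "rt-carol" has no directory entry


def fake_http(method: str, url: str, body: Optional[bytes],
              headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the token and Directory endpoints."""
    if method == "POST" and url == TOKEN_ENDPOINT:
        form = dict(parse.parse_qsl((body or b"").decode()))
        if form.get("refresh_token") in VALID_REFRESH_TOKENS:
            return 200, json.dumps({"access_token": "at-" + form["refresh_token"]}).encode()
        return 400, b'{"error": "invalid_grant"}'
    if method == "GET" and url.startswith(DIRECTORY_USER_ENDPOINT):
        if not headers.get("Authorization", "").startswith("Bearer at-"):
            return 401, b"{}"
        email = parse.unquote(url[len(DIRECTORY_USER_ENDPOINT):])
        if email in FAKE_DIRECTORY:
            return 200, json.dumps(FAKE_DIRECTORY[email]).encode()
        return 404, b'{"error": {"message": "Resource Not Found"}}'
    return 500, b""


if __name__ == "__main__":
    cases = [("alice@example.com", "rt-alice"), ("bob@example.com", "rt-bob"),
             ("carol@example.com", "rt-carol"), ("dave@example.com", "rt-revoked")]
    for email, rt in cases:
        d = check_user_status(fake_http, "client-id", "client-secret", rt, email)
        print(f"{email}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The point of the injected transport is that the decision logic (refresh failure, missing user, suspended user, anything else) is testable without network access; a SAML-only setup has no stored refresh token to run this loop against, which is why the post above says it needs Duo or manual deletion instead.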

Thank you zach.