Is there documentation about all of the communication and data with Pritunl?
All of the SSO methods have a callback to auth.pritunl.com, and I believe that the VPN server itself also communicates back with Pritunl.
Some sort of a license check makes sense, but for security purposes I’m being asked what data is ever sent to Pritunl, how Pritunl handles it, and any certifications Pritunl may have (e.g. SOC 2, etc.).
Specifically, what data is sent and how Pritunl handles it. Additionally, are there any options that restrict communication with Pritunl to a license check?
The single sign-on is done with auth.pritunl.com to protect the licensed features. All of the secondary authentication methods, including Okta Verify, OneLogin Protect, Duo, YubiKey and device authentication, are done without involvement of the Pritunl auth servers. The user OAuth tokens are stored with the user email on the auth.pritunl.com servers. For SAML authentication nothing is stored.
Using both a primary and secondary authentication method will ensure the system will remain secure if one is breached. Device Authentication will provide the highest level of security and it is not dependent on any third party services. This will also provide the best protection from phishing attacks. The High Security documentation provides information on configuring the server for high security environments.
The license check sends the license key and the license server stores the IP address of the server that sent the license check. There are no third party certifications of Pritunl.
There is an option to configure a dedicated license and authentication server. This was added for customers that require a fully isolated system to be hosted on their infrastructure. You can contact support if this is required but it is significantly more expensive than the standard enterprise subscriptions.
Thanks for the response! Just to clarify, without a secondary authentication method, Pritunl keeps enough information to log into both the web server and the VPN as any user who has connected? Or am I connecting the dots incorrectly?
With Google single sign-on the Pritunl registered application is used and the database has enough information to authenticate with those Google accounts. With the other OAuth providers the keys are not stored and there isn’t enough information stored to authenticate those accounts with the stored data alone. With SAML none of the data is stored. All of the OAuth usage is scoped to very limited profile information. There are API keys configured with many of the providers; these are used only locally to query the provider to check if the account is active. This is done on each VPN connection and every 30 minutes while a user is connected, to prevent a deleted or disabled single sign-on account from connecting.
Without a secondary method the Pritunl auth servers could be exploited to connect to a VPN server as a single sign-on user. This is true of the single sign-on providers also. The administrator web console does not use single sign-on.