I’m setting up a new Pritunl installation for a client where Azure SSO is required for connecting to the VPN.
I’ve set up a server with the SSO requirement enabled.
When I connect, it redirects me to a website, and if I’m logged in with the correct account everything works and the VPN is connected.
But when it redirects me to a browser where I’m logged in with another Azure SSO account, I get an expected error that the user is not found.
In the Pritunl client I get a blue message allowing me to copy the SSO link myself.
If I copy that and paste it into another browser, I get error 404: Not Found.
This will become an issue since the customer has other 3rd-party users that will connect with Pritunl, and they will most likely be connected to another organization in their browser.
I’m not sure how to troubleshoot this or provide logs for further troubleshooting.
There may be some settings in Azure to prevent the authentication from getting cached and to display the login prompt every time, which would allow the user to select a different account. I’m not sure where the option is. The user should be signed into the Azure account that is associated with the Pritunl profile in use.
I’m not sure how an Azure cache would solve the 404 error?
I get that error from the Pritunl server.
I’m sure you understand there are situations where the user is not signed in with the same Azure account in the browser. As in this example, where 3rd-party consultants want to connect to a customer’s Pritunl VPN. Or an employee working for multiple companies and having that particular browser logged in to another company’s Azure.
And there is a “Copy SSO Link” message in the client allowing you to paste it into a different browser or an InPrivate session; the link just isn’t working.
The link is only valid once; if you open it multiple times it will return 404.
If the browser has the wrong Azure account it will return an error. Azure automatically completes the sign-in without prompts so you would need to sign out of the wrong account before attempting the connection.
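To make the two behaviours in the reply above concrete (a one-time SSO link that returns 404 on a second open, and an Azure sign-in that can be forced to show the account picker), here is an added illustration in Python. It is not Pritunl’s code and does not describe how Pritunl builds its links; the tenant, client ID, redirect URI and TTL are hypothetical. The `prompt=select_account` parameter is the Microsoft identity platform’s standard way to make the authorize endpoint show the account chooser instead of silently completing sign-in with whatever account the browser already holds; whether a given VPN product sets it is a separate question not answered on this page.

```python
import secrets
import time
from urllib.parse import urlencode

# Hypothetical values for illustration only; not a real tenant or app registration.
AZURE_TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://vpn.example.com/sso/callback"
LINK_TTL_SECONDS = 300  # assumed lifetime of a pending SSO link


class SsoLinkStore:
    """Pending SSO links keyed by a random token.

    Each token is removed the first time it is consumed, so a second open of
    the same link (or a copy pasted into another browser after the first
    browser already opened it) gets 404, matching the behaviour described
    in the thread. Expired tokens also get 404.
    """

    def __init__(self, ttl=LINK_TTL_SECONDS, now=time.time):
        self._pending = {}  # token -> (created_at, profile_name)
        self._ttl = ttl
        self._now = now  # injectable clock so expiry is testable offline

    def issue(self, profile_name):
        """Create a single-use token for a client profile and return it."""
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._pending[token] = (self._now(), profile_name)
        return token

    def consume(self, token):
        """Return (http_status, profile_name).

        200 on the first valid use; 404 if the token is unknown, already
        used, or older than the TTL. pop() makes the check-and-remove a
        single dictionary operation, so two concurrent opens cannot both
        succeed.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return 404, None
        created_at, profile_name = entry
        if self._now() - created_at > self._ttl:
            return 404, None
        return 200, profile_name


def azure_authorize_url(state, nonce, force_account_picker=True):
    """Build an OpenID Connect authorize URL for the Microsoft identity platform.

    With prompt=select_account Azure shows the account chooser instead of
    silently reusing the browser's existing session, which is what lets a
    consultant pick the customer tenant account rather than their own.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    if force_account_picker:
        params["prompt"] = "select_account"
    return (
        "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize?%s"
        % (AZURE_TENANT, urlencode(params))
    )


def sso_link(base_url, token):
    """The link the client would show under 'Copy SSO Link' (hypothetical path)."""
    return "%s/sso/request/%s" % (base_url.rstrip("/"), token)


if __name__ == "__main__":
    store = SsoLinkStore()
    tok = store.issue("corp-vpn")
    print(sso_link("https://vpn.example.com", tok))
    print(store.consume(tok))  # first open: (200, 'corp-vpn')
    print(store.consume(tok))  # second open of the same link: (404, None)
    print(azure_authorize_url(state=tok, nonce=secrets.token_urlsafe(16)))
```

The practical takeaways match the reply: copy the link before any browser has opened it, because whichever browser opens it first consumes the token; and if the sign-in still auto-completes with the wrong account, sign that account out (or use a fresh private window) before connecting, since without an account-picker prompt Azure will reuse the existing session.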
It would be great to have an option not to auto open the primary browser when connecting, to allow you to copy the link into another browser with your correct account.
It will only use the default browser. I will add an option in the next release to the advanced settings to prevent the browser from opening automatically.