Issues on Single Sign-On feature


We are trying to implement the recently released SSO feature to authenticate all VPN connections, but we are facing some issues:

  • The link to perform authentication is built based on the “public address” field defined on the server and not the “sync address”, which from my point of view should correspond more to the public-facing address for the API?
  • Also, when using a custom port for the API (not 443), the port is not included in the URL

Moreover, the browser does not always open for authentication, which could be a real issue for deploying the feature globally. Could you share with us how to debug this issue? We have just tested on 2 clients, both have a default browser defined on Windows; one is properly opening the browser, and the second is not…

Thanks for your help!

The sync addresses and remotes are added to a list and tried in a random order. The newer clients that are still in testing in the GitHub releases will prioritize the sync address for WireGuard connections. I have updated the code on the repository to also do this for OpenVPN connections using single sign-on authentication. This will get included in the next release.

The function is used to open links on Windows and macOS. On Linux xdg-open is attempted if an error occurs is tried. If these aren’t working a dialog is shown on the client that the user can click to copy the link. It may be an issue with the operating system default browser or application defaults preventing the browser from opening.

There isn’t any way of debugging it because only the elevated background service can initiate the URL open event which is then processed by the Electron main process. There was an issue with some releases where the event handlers were being registered multiple times causing issues. That may only be fixed in the newer releases on GitHub not the stable release on the homepage.


I’ve tested the SSO with the Pritunl Client v1.3.3477.58, and the URL which opens automatically is still trying to connect to the public domain on the default HTTPS port (https://publicdomain/xxx).
Can you confirm this is considered a bug, because the URL should include the Web Console port when it is different from 443?
Also, as mentioned in my first post, I think it would be more relevant to include the sync domain address rather than the public domain. And for the sync address, it is also possible to directly include the domain in the config.


For single sign-on connections that URL is set by the Connection Single Sign-On Domain in the top right settings. This should include the external web server port.