Some of our employees use OpenVPN Connect, some Pritunl Client.
Correct workflow for deactivating a user who is connected with the Pritunl client:
User in Okta deactivated,
Active Pritunl VPN connection drops and user can’t connect to our VPN,
Profit.
Incorrect workflow with OpenVPN Connect:
User in Okta deactivated,
Active OpenVPN Connect connection is still active and healthy. Only after the user manually disconnects can they no longer reconnect. Update: the default time is 60 minutes (app.sso_connection_check_ttl).
Right now I only have the ability to drop the connection manually, by deleting the user or pushing the “Disable and disconnect user” button in the admin dashboard.
Can it somehow be configured to automatically drop active connections when an employee is deactivated in Okta?
The single sign-on check during connection is only available in recent releases. This will re-sync the single sign-on user status at the interval set by app.sso_connection_check_ttl. It is enabled by default at a 1 hour interval. Reducing this interval may cause API limit errors from the single sign-on provider.