Okta SSO authentication fails - Failed secondary authentication


I’m working on setting up a Pritunl VPN with Single Sign-On using Okta. I’ve managed to set up all the SSO-related information and authentication is working fine on the web interface.
When I try authenticating to a VPN server using SSO I get a Failed to authenticate to <server> error in the client and the following error in the VPN server logs:

ERROR User open ovpn failed "Failed secondary authentication"

This error also shows up in the Pritunl host logs:

[hostname][2024-01-29 14:13:34,801][WARNING] Okta user is not assigned to application
  username    = "user@corporation.org"
  okta_app_id = "j234gkj3g24jkhgk2hg34jh"
  user_id     = "b8v9cb8c9b89cvb89cvb"

It doesn’t matter what I select as the Okta Second Factor, authenticating doesn’t trigger a push to Fastpass or a prompt for a MFA code.

The authentication seems to work fine apart from that, it correctly opens up a browser where I authenticate to Okta and it shows me a Successfully authenticated connection message when I’ve authenticated.

I can get around the error in the logs and authenticate successfully if I edit the user and check the Bypass Secondary Authentication checkbox under the advanced settings. I however don’t want to do that for each user.

The client is the Pritunl client on macOS 14.3.

This is likely from setting the incorrect Okta App ID in the top right settings. Check the Okta single sign-on documentation. The option can be left blank to disable the check. This will cause only the status of the user to be checked, this will verify the user is not disabled or deleted in Okta.

1 Like

Thanks for the quick reply, it was indeed the Okta app ID. I updated it with the correct ID and it’s working fine now!

I am also facing the same issue however the the option is blank in pritunl server.

It’s not possible to get the error Okta user is not assigned to application if the Okta App ID is empty. pritunl/pritunl/sso/okta.py at master · pritunl/pritunl · GitHub

Okta App id is empty, also the user is assigned to the application in okta, once i disable secondary authentication, it works.