I’m working on setting up a Pritunl VPN with Single Sign-On using Okta. I’ve managed to set up all the SSO-related information and authentication is working fine on the web interface.
When I try authenticating to a VPN server using SSO, I get a "Failed to authenticate to <server>" error in the client and the following error in the VPN server logs:
ERROR User open ovpn failed "Failed secondary authentication"
This error also shows up in the Pritunl host logs:
[hostname][2024-01-29 14:13:34,801][WARNING] Okta user is not assigned to application
username = "email@example.com"
okta_app_id = "j234gkj3g24jkhgk2hg34jh"
user_id = "b8v9cb8c9b89cvb89cvb"
It doesn’t matter what I select as the Okta Second Factor; authenticating doesn’t trigger a push to FastPass or a prompt for an MFA code.
The authentication seems to work fine apart from that: it correctly opens a browser where I authenticate to Okta, and it shows me a "Successfully authenticated connection" message once I’ve authenticated.
I can get around the error in the logs and authenticate successfully if I edit the user and check the "Bypass Secondary Authentication" checkbox under the advanced settings. However, I don’t want to do that for each user.
The client is the Pritunl client on macOS 14.3.