Okta SSO authentication fails - Failed secondary authentication

sk-gretar · January 29, 2024, 1:54pm

Greetings!

I’m working on setting up a Pritunl VPN with Single Sign-On using Okta. I’ve managed to set up all the SSO-related information and authentication is working fine on the web interface.
When I try authenticating to a VPN server using SSO I get a Failed to authenticate to <server> error in the client and the following error in the VPN server logs:

ERROR User open ovpn failed "Failed secondary authentication"

This error also shows up in the Pritunl host logs:

[hostname][2024-01-29 14:13:34,801][WARNING] Okta user is not assigned to application
  username    = "user@corporation.org"
  okta_app_id = "j234gkj3g24jkhgk2hg34jh"
  user_id     = "b8v9cb8c9b89cvb89cvb"

It doesn’t matter what I select as the Okta Second Factor, authenticating doesn’t trigger a push to Fastpass or a prompt for a MFA code.

The authentication seems to work fine apart from that, it correctly opens up a browser where I authenticate to Okta and it shows me a Successfully authenticated connection message when I’ve authenticated.

I can get around the error in the logs and authenticate successfully if I edit the user and check the Bypass Secondary Authentication checkbox under the advanced settings. I however don’t want to do that for each user.

The client is the Pritunl client on macOS 14.3.

zach · January 29, 2024, 6:04pm

This is likely from setting the incorrect Okta App ID in the top right settings. Check the Okta single sign-on documentation. The option can be left blank to disable the check. This will cause only the status of the user to be checked, this will verify the user is not disabled or deleted in Okta.

sk-gretar · January 30, 2024, 10:30am

Thanks for the quick reply, it was indeed the Okta app ID. I updated it with the correct ID and it’s working fine now!

meoptimusprime · February 21, 2024, 9:02am

I am also facing the same issue however the the option is blank in pritunl server.

zach · February 21, 2024, 4:46pm

It’s not possible to get the error Okta user is not assigned to application if the Okta App ID is empty. pritunl/pritunl/sso/okta.py at master · pritunl/pritunl · GitHub

meoptimusprime · February 26, 2024, 1:57pm

Okta App id is empty, also the user is assigned to the application in okta, once i disable secondary authentication, it works.