Okta SSO: how to sync removing user from group

I’ve set up group synchronization from Okta to Pritunl. I’m using group attributes in SAML integration to send info about group membership. Works great when adding user to groups.
However, I’m wondering if it is possible somehow to also tell Pritunl to remove user from a particular group?

If I understand that correctly, it would have to work like this:

  • receive new SAML request, check what groups are present in it
  • if user is a member of a group that’s not present in SAML request, and group wasn’t assigned manually in Pritunl → remove user from that group


The groups should be updated. There are some older releases that didn’t but this was changed to replace the groups on every SAML authentication. The SAML authentication only occurs when logging in to the web console and on connection only if single sign-on connection authentication is enabled. It will replace all the users groups including manual modifications.

Thanks @zach <3
I’m running the following now:

  • server: pritunl-1.30.3354.99-1.el8.oraclelinux.x86_64
  • client: 1.3.3484.2

Single Sign-On Authentication is checked in server settings.
I see there is newer version of Pritunl server – do you think the one I’m using should be fine for that feature to work? I’ll plan upgrade nonetheless of course.

The first release to include this group change was v1.30.3388.46

1 Like

I confirm it is working after I’ve upgraded pritunl server. Awesome, thanks a lot <3