I have a self hosted version of Pritunl VPN (v1.32.4400.99), and am having an issue around Organisations and Groups. I'm not sure if this was working correctly before, or if I am misunderstanding something.
As I understand it, if we attach an organisation to a server, and also attach a group (we are using Enterprise), then people should only have access if they belong to both the organisation AND the group. But at the moment just the organisation is giving them access.
Organizations are intended to be used as access groups. There is an additional groups option for more complex configurations where a user needs to be in multiple groups. This is primarily used with the single sign-on options below. Groups are only utilized if the server has groups configured. Once a server has groups configured all users connecting to that server must both be in an attached organization and also in at least one matching group.
The groups mode can be used for more complex cases where multiple groups are needed. To do this delete all the organizations and create one organization. Set this organization as the default single sign-on organization in the top right settings then attach the organization to all servers. Then run the commands below. In each of the server settings add the groups that will be able to access that server. This can result in larger usage of IP address pools. Every user that is attached to a server will have a static IP assigned even if a group is not matched. The server virtual network subnet size should allow for this. For SAML the attribute groups is used to set a comma separated list of groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
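To make the rule in the answer concrete (organization check always applies; the group check only applies once the server has groups configured), here is an added model of that access decision, written for this thread and not taken from Pritunl's code. The organization and group names are constructed sample values, and the SAML `groups` attribute is assumed to be the comma separated list the answer describes.

```python
# Model of the Pritunl access rule described in the answer: a user may connect
# to a server only when their organization is attached to it and, if the server
# has any groups configured, at least one of the user's groups matches.
# This is an added illustration of the documented rule, not Pritunl's own code.
from typing import Iterable


def parse_saml_groups(attribute: str) -> set:
    """Split the SAML 'groups' attribute (a comma separated list) into a set,
    dropping surrounding whitespace and empty entries."""
    return {g.strip() for g in attribute.split(",") if g.strip()}


def can_connect(server_orgs: Iterable[str], server_groups: Iterable[str],
                user_org: str, user_groups: Iterable[str]) -> bool:
    """Return True if the user is allowed on the server.

    server_orgs   - organizations attached to the server
    server_groups - groups configured on the server (may be empty)
    user_org      - the organization the user belongs to
    user_groups   - groups the user belongs to (for example from SSO)
    """
    if user_org not in set(server_orgs):
        return False                               # org check always applies
    configured = set(server_groups)
    if not configured:
        return True                                # no groups on server: org is enough
    return bool(configured & set(user_groups))     # need at least one matching group


# Constructed scenario matching the question: org attached, groups configured.
if __name__ == "__main__":
    server_orgs = ["engineering"]
    server_groups = ["vpn-admins", "vpn-devs"]
    alice = parse_saml_groups("vpn-devs, oncall")
    bob = parse_saml_groups("finance")
    print(can_connect(server_orgs, server_groups, "engineering", alice))  # True
    print(can_connect(server_orgs, server_groups, "engineering", bob))    # False
    print(can_connect(server_orgs, [], "engineering", bob))               # True
```

If the second call returns True in your deployment, the server has no groups actually configured, which is the case the answer says makes the organization alone sufficient.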