Pritunl API /organization Returns 200 OK with HTML/SSO Page (Not JSON) for External HMAC Authenticated Requests

Hi Pritunl Community,

We are developing a Slack application using an AWS Lambda function to interact with our Pritunl server’s API (Pritunl Enterprise v1.32.4089.16). We are using the standard HMAC-SHA256 authentication.

The Issue:

Our Lambda function needs to retrieve a list of organizations by making a GET request to the /organization endpoint on our Pritunl server, accessible via https://vpn.mycompany.com/ (example URL).

When the Lambda function (external IP) makes this HMAC-authenticated request to https://vpn.mycompany.com/organization:

  • The server responds with a 200 OK status.
  • However, the Content-Type of the response is text/html.
  • The actual response body is an HTML page for our Google SSO login, not the expected JSON array of organizations.
  • This occurs even when the Accept: application/json header is included in the request.
  • The requests library in Python (with allow_redirects=True) confirms the final response is this HTML page.

This causes our application to fail as it cannot parse HTML as JSON.

Observations:

  1. External vs. Local Behavior:

    • Lambda (External): GET https://vpn.mycompany.com/organization with HMAC headers (and Accept: application/json) → Receives 200 OK with HTML (Google SSO login page).
    • Debug Script (Local): A Python script using the exact same HMAC authentication logic, when run directly on the Pritunl server and accessing https://localhost/organization → Correctly receives 200 OK with the JSON list of organizations.
  2. Authentication Method: Standard Pritunl API HMAC-SHA256 authentication.

Our Goal: We need the /organization API endpoint to return JSON data directly when called with valid HMAC API credentials from our AWS Lambda function, bypassing any SSO login page.

Question for the Community:

  • How can we configure Pritunl (and/or Pritunl Zero, if applicable) so that the /organization endpoint (and other API endpoints) consistently return JSON to HMAC-authenticated external clients, instead of a 200 OK with an HTML SSO page?
  • Why would the API endpoint return 200 OK with HTML for an authenticated API request, rather than either the JSON data or a redirect (e.g., 302) if SSO is being enforced inappropriately?
  • Are there specific configurations or best practices for enabling direct API access via HMAC when a user-facing SSO (like Google) is also configured for the Pritunl web UI?

Any insights or guidance on resolving this API response behavior would be immensely helpful.

Thanks!
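
A client-side check for the failure described in this post, as an added example that is not part of the original post: it accepts a reply as API data only if it came from the requested host, without redirects, as `application/json`, and otherwise reports what answered instead. The function names, the `sso.example.com` host and the sample replies are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

class NotApiResponse(Exception):
    """The reply did not come from the JSON API (proxy, SSO page, error page)."""

def parse_api_response(requested_url, hops, status, content_type, body):
    """Return decoded JSON, or raise NotApiResponse saying what answered instead.

    hops is the redirect chain as (status, url) pairs, oldest first; with
    requests it is [(r.status_code, r.url) for r in resp.history + [resp]].
    """
    want_host = urlsplit(requested_url).hostname
    chain = " -> ".join(f"{code} {url}" for code, url in hops)
    if len(hops) > 1:
        raise NotApiResponse(f"redirected before answering: {chain}")
    final_host = urlsplit(hops[-1][1]).hostname if hops else want_host
    if final_host != want_host:
        raise NotApiResponse(f"answered by {final_host}, not {want_host}")
    if status != 200:
        raise NotApiResponse(f"HTTP {status} from {final_host}")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        kind = "HTML page" if "<html" in body[:512].lower() else "non-JSON body"
        raise NotApiResponse(f"200 OK but {kind} (Content-Type: {media_type})")
    try:
        return json.loads(body)
    except ValueError as exc:
        raise NotApiResponse(f"Content-Type says JSON but body is not: {exc}") from exc

# Constructed sample replies (not captured from a real server).
API_URL = "https://vpn.mycompany.com/organization"
JSON_REPLY = ([(200, API_URL)], 200, "application/json",
              '[{"id": "abc", "name": "eng"}]')
SSO_DIRECT = ([(200, API_URL)], 200, "text/html; charset=utf-8",
              "<!DOCTYPE html><html><title>Sign in</title></html>")
SSO_REDIRECTED = ([(302, API_URL), (200, "https://sso.example.com/login")], 200,
                  "text/html", "<html>Sign in</html>")

def diagnose(reply):
    """Return the parsed JSON, or the diagnosis string for a rejected reply."""
    try:
        return parse_api_response(API_URL, *reply)
    except NotApiResponse as exc:
        return str(exc)
```

With `requests`, calling with `allow_redirects=False` returns any 3xx hop as the response itself instead of folding it into the final 200.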