We are trying to set up SAML authentication with Okta, and so far it works OK. However, passing groups seems not to be possible. Looking into the documentation, it seems that mapping is done from an Okta attribute to an organization in Pritunl. Passing on groups, however, is not supported.
I've checked the git repo, and in this file, user.py, it seems we have the group option available for Google and Azure but not for Okta. Is this correct? Are we able to pass groups from Okta to Pritunl as part of the SAML authentication?
@zach Could you please elaborate more on the exact configuration? Is this done in the Pritunl or in the Okta configuration? Do you match Okta groups to Pritunl organisations, or are Okta groups matched to Pritunl groups?
In Pritunl there is the SAML org attribute; this can be used to provide the name of an organization that already exists in Pritunl to add that user to. Pritunl also has user groups; these can be set with the SAML groups attribute. This is a comma-separated list of user groups that will be added to the user.
Pritunl Zero and Pritunl Cloud use only roles. The SAML roles attribute provides a comma-separated list of roles to apply to that user.
Thank you. I got it and it worked. For config reference, I've added the following expression in the Okta attribute statements:
Admin console > applications > applications > ‘name of the saml application: pritunl-vpn’ > ‘sign on’ tab > ‘Attribute statements’ field > ‘Add expression’ button
Name: groups
expression: user.isMemberOf({'group.id': 'the-id-of-the-okta-group'}) ? "name-of-pritunl-group1" : "name-of-pritunl-group2"
When the user is created in Pritunl, it is tagged with 'name-of-pritunl-group1' if the identity is a member of 'the-id-of-the-okta-group' in Okta. If the Okta identity is not a member of 'the-id-of-the-okta-group' in Okta, then the created Pritunl user is tagged with 'name-of-pritunl-group2'. These Pritunl groups can then be associated with different servers.
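The following is an added example, not code from Pritunl, Okta, or any poster in this thread. It models both ends of the mapping discussed above: build_groups_attribute() makes the same decision as the Okta expression in the previous post (user.isMemberOf(...) ? "group1" : "group2"), generalized to several Okta-group-to-Pritunl-group rules joined with commas, and parse_pritunl_saml_attributes() reads the org, groups and roles attributes out of a SAML assertion the way the earlier answer describes them (org is one existing organization name, groups and roles are comma-separated lists). The Okta group IDs, the rule table, the Pritunl group names and the assertion XML are all constructed for illustration; the real Okta expression language is not evaluated here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed rule table (assumption): Okta group ID -> Pritunl user group.
# A single entry corresponds exactly to the ternary expression in the post.
GROUP_RULES = {
    "00g1abc": "vpn-admins",
    "00g2def": "vpn-dev",
}
# The ':' branch of the ternary in the post: used only when no rule matches.
DEFAULT_GROUP = "vpn-users"


def build_groups_attribute(okta_group_ids, rules=GROUP_RULES, default=DEFAULT_GROUP):
    """Return the comma-separated value the IdP should emit as `groups`.

    Every Pritunl group whose Okta group the user belongs to is included, in
    rule order; the default group is sent when nothing matched, mirroring the
    else branch of the Okta expression.
    """
    matched = [pritunl for okta_id, pritunl in rules.items() if okta_id in okta_group_ids]
    return ",".join(matched) if matched else default


def _split_csv(value):
    """Split 'a, b,,c' into ['a', 'b', 'c'], dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _dedupe(items):
    """Remove duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def parse_pritunl_saml_attributes(assertion_xml):
    """Extract org / groups / roles as described in the thread.

    org    - one organization name that must already exist in Pritunl
    groups - comma-separated Pritunl user groups (Pritunl)
    roles  - comma-separated roles (Pritunl Zero / Pritunl Cloud)
    Values spread over several AttributeValue elements are accepted as well,
    since SAML permits that form for multi-valued attributes.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values

    org_values = _dedupe(_split_csv(",".join(attrs.get("org", []))))
    if len(org_values) > 1:
        raise ValueError("org must name exactly one organization, got %r" % org_values)
    return {
        "org": org_values[0] if org_values else None,
        "groups": _dedupe(g for v in attrs.get("groups", []) for g in _split_csv(v)),
        "roles": _dedupe(r for v in attrs.get("roles", []) for r in _split_csv(v)),
    }


# Constructed assertion fragment (not a real Okta response). Only the
# AttributeStatement matters here, so Subject, Conditions and Signature are
# omitted; a real SP must verify the signature before trusting any of this.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="org">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vpn-admins, vpn-dev</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>admin, admin,viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    print(build_groups_attribute({"00g1abc", "00g2def"}))
    print(parse_pritunl_saml_attributes(SAMPLE_ASSERTION))
```

Two practical points follow from the model. The attribute Name on the Okta side has to be exactly the one Pritunl reads (groups, org, roles), so a typo there silently drops the user into no group at all rather than failing loudly. And because the value of that attribute statement decides which Pritunl groups, and therefore which servers, a user can reach, whoever can edit the application's sign-on settings in the Okta admin console is effectively administering VPN access; that permission belongs inside the same review boundary as the Pritunl admin accounts.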