Setting up Keycloak and Pritunl Enterprise causes a massive attack on the engineer's butt

Let me provide more context for a constructive discussion.

I’m using the latest Pritunl VPN version with a purchased Enterprise subscription. This is important: I chose Pritunl not only because I love the platform, but also because I specifically needed SAML integration with Keycloak.

I discovered that custom SAML is supported, which sounded great at first. So what’s the problem, you might ask?

The Setup

  • I configured a SAML client in Keycloak.
  • Authentication from Keycloak to Pritunl seems to initiate properly.
  • However, after successful authentication, Keycloak redirects me back to Pritunl at the endpoint: https:///sso/callback
    It appends query parameters such as:
    • state
    • username
    • email
    • org
    • secondary
    • groups
    • roles
    • sig

But this request returns an HTTP 415 (Unsupported Media Type) error.

What I’ve Tried

  • I’ve mapped the necessary attributes in Keycloak (username, email, roles, etc.).
  • I confirmed that Keycloak is indeed sending all the expected parameters.
  • Still, I end up facing the dreaded 415 response.

The Big Question

Is there official documentation or even an unofficial guide that clearly lists the required SAML attributes for Pritunl’s custom SAML integration?

I’d love to understand:

  • What exact attributes does Pritunl expect?
  • What format should the SAML assertion follow?
  • Is this 415 error due to a mismatch in expected Content-Type, or is it related to a missing/invalid SAML attribute?

Any guidance or links to documentation would be greatly appreciated.

Thanks in advance!

Only the listed SAML providers are supported and tested. Each SAML implementation is often different, requiring unique code changes, and I’ve never tested Keycloak.

On our setup, we managed to use generic SAML with Keycloak.

The only weird thing I had to do was add “-----BEGIN CERTIFICATE-----” and the matching end-certificate line around the “SAML Certificate”.

Otherwise, make sure you are using POST binding, and I guess you already figured out you need to set the redirect URL to https://auth.pritunl.com/v1/callback/saml, not directly to the VPN host.
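The PEM wrapping described in the previous reply is easy to get subtly wrong by hand (missing newline after the header, a base64 body pasted on one long line, or the BEGIN/END lines added twice). The helper below is an added example, not code from the thread, from Pritunl or from Keycloak; it assumes the value copied out of Keycloak is the bare base64 of a DER certificate, which is what the reply describes. It normalises that value into a canonical PEM block, is idempotent when given input that is already PEM, and rejects payloads that are not base64 or do not start with a DER SEQUENCE tag, so a paste error is caught before the value is saved into the SSO settings.

```python
import base64
import binascii
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem_certificate(raw: str) -> str:
    """Return the certificate as a canonical PEM block.

    Accepts either a bare base64 string (as copied from a Keycloak
    certificate field) or a PEM block that already carries the BEGIN/END
    lines. Whitespace and line breaks inside the base64 are ignored.
    Raises ValueError if the payload is not valid base64 or does not look
    like DER (an X.509 certificate always starts with a SEQUENCE tag, 0x30).
    """
    # Drop any existing PEM armour so the function is idempotent, then
    # remove all whitespace so a body wrapped at any column is accepted.
    lines = raw.strip().splitlines()
    body = "".join(ln for ln in lines if not ln.strip().startswith("-----"))
    body = "".join(body.split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded payload does not start with a DER SEQUENCE; not a certificate")
    # Re-encode so the output always uses 64-column base64 lines.
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def is_pem_certificate(text: str) -> bool:
    """True if the text is framed by the BEGIN/END CERTIFICATE lines."""
    lines = text.strip().splitlines()
    return (
        len(lines) >= 3
        and lines[0].strip() == PEM_HEADER
        and lines[-1].strip() == PEM_FOOTER
    )


# Constructed sample input, NOT a real certificate: a DER SEQUENCE wrapping a
# 60-byte OCTET STRING (64 bytes total), long enough to need two base64 lines.
SAMPLE_DER = b"\x30\x3e\x04\x3c" + bytes(60)
SAMPLE_BASE64 = base64.b64encode(SAMPLE_DER).decode("ascii")


if __name__ == "__main__":
    pem = to_pem_certificate(SAMPLE_BASE64)
    print(pem)
    print("framed correctly:", is_pem_certificate(pem))
    print("idempotent:", to_pem_certificate(pem) == pem)
```

Paste the function's output, header and footer included, into the certificate field; feeding the output back in returns the same text, so it is safe to run over a value you are not sure has already been wrapped.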

Could you please share your Keycloak client config? Especially the mappers, I think.

I discovered a third-party repo that is pretty much documenting it:

My setup is only different as we are using Name ID Format: username instead of email.

In mappers I only have “email” and roles mapper that advertises client roles as “groups” attribute that is further used to filter access to Servers in Pritunl. You can also define “org” for Organization.

In general, it would be super nice to have official support for Keycloak, preferably via OIDC, including the user existence check, like in the referred plugin. Many people are relying on Keycloak on-prem nowadays. We would be interested in testing even a pre-release version.

OpenID support will be added, I did start writing some code for it but currently other features are being developed. There’s no plan for when it will be completed.