SSO configuration

Hello,
Hope you are doing well.
Recently I activated the trial version of the VPN server in order to evaluate it as a replacement for our current VPN solution.

One of the ACs is the SSO integration with our IdP, Keycloak.
I know that you do not officially support this integration; however, other people's experience here makes me think that it is possible.

It looks like after the initial SAML configuration the auth request is not reaching the IdP server, i.e. it fails on the Pritunl server side:

=========================
[autumn-skies-2901][2025-03-17 15:48:59,195][ERROR] Saml auth server error
status_code = 500
content = "b''"
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/threading.py", line 937, in _bootstrap
    self._bootstrap_inner()
  File "/usr/lib/pritunl/usr/lib/python3.9/threading.py", line 980, in _bootstrap_inner
    self.run()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/workers/threadpool.py", line 120, in run
    keep_conn_open = conn.communicate()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/server.py", line 1287, in communicate
    req.respond()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/server.py", line 1077, in respond
    self.server.gateway(self).respond()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/wsgi.py", line 136, in respond
    response = self.req.server.wsgi_app(self.env, self.start_response)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2213, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2190, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/sso.py", line 447, in sso_request_get
    logger.error('Saml auth server error', 'sso',
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/logger/__init__.py", line 55, in error
    kwargs['traceback'] = traceback.format_stack()

The OS is Amazon Linux 2023 (with SELinux support).
Enabling or disabling SELinux makes no difference.

My knowledge is not enough to understand the problem, or I have overlooked something. Could you please point me in the right direction for troubleshooting, or maybe give a hint about a possible solution to this problem?
Thank you.

Currently only the listed SAML providers are tested and supported. Each SAML provider typically has a different implementation that requires specific changes to support.

Hello Zach,
Thank you for the reply.
I understand that it requires a specific implementation, but to me this error looks like the Pritunl server itself fails to build the SAML request.

This error:

status_code = 500

content = "b''"

does not give any extra information about where the exact error is.

From the configuration point of view:
I chose SAML from the Single Sign On dropdown menu and filled in all the required fields for this option.

Shouldn't it at least attempt the auth request to the IdP server and fail there?
(At least that seems logical to me, but it fails on the Pritunl side.)
That is what I want to understand: why does it throw the error instead of making the request?