I would like to clarify if it’s possible to have a single user belong to more than one organization in Pritunl, or if in this case the best approach is to work with groups.
My scenario is the following:
I have different servers that must be accessed by people from different organizations.
To avoid adding many organizations to each server, I thought about creating one dedicated organization for this use case.
This way, some users would belong to two or more organizations at the same time.
My questions are:
How does Pritunl behave if a user is part of multiple organizations?
Would you recommend using groups instead to handle this type of scenario?
Is there any best practice for granting access to multiple servers across different organizations?
Users can only be in one organization. The groups mode can be used for more complex cases where multiple groups are needed.

To do this delete all the organizations and create one organization. Set this organization as the default single sign-on organization in the top right settings then attach the organization to all servers. Then run the commands below. In each of the server settings add the groups that will be able to access that server.

This can result in larger usage of IP address pools. Every user that is attached to a server will have a static IP assigned even if a group is not matched. The server virtual network subnet size should allow for this.

For SAML the attribute groups is used to set a comma separated list of groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
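As an added illustration of the answer above (not Pritunl's own code, and not from the poster), the following models the two points a practitioner has to plan around: how a comma separated SAML groups attribute maps onto per-server group lists, and how many addresses a server subnet needs when every attached user consumes a static IP whether or not a group matches. The server names, group names and the single reserved address for the server itself are assumptions for the example.

```python
# Constructed model of Pritunl groups mode; not the project's implementation.
# Assumed per-server group settings: each server lists the groups allowed in.
SERVER_GROUPS = {
    "prod-db": {"dba", "sre"},
    "staging": {"dev", "qa", "sre"},
}


def parse_groups_attribute(value):
    """Parse a comma separated SAML 'groups' attribute into a set of names.

    Whitespace around names and empty entries (e.g. a trailing comma) are
    ignored so that an identity provider's formatting quirks do not silently
    drop a group.
    """
    return {g.strip() for g in value.split(",") if g.strip()}


def allowed_servers(groups_attr, server_groups=SERVER_GROUPS):
    """Return the servers whose configured groups intersect the user's groups."""
    user_groups = parse_groups_attribute(groups_attr)
    return sorted(
        name for name, groups in server_groups.items() if user_groups & groups
    )


def min_prefix_length(attached_users):
    """Smallest IPv4 prefix length whose pool holds one static address per
    attached user plus one address for the server itself (assumption).

    Per the answer above, every user in the single organization attached to
    the server counts, matched group or not, so size for the whole org.
    Network and broadcast addresses are excluded from the usable count.
    """
    needed = attached_users + 1
    host_bits = 2
    while (2 ** host_bits) - 2 < needed:
        host_bits += 1
    return 32 - host_bits


if __name__ == "__main__":
    print(allowed_servers("dba, sre,"))      # ['prod-db', 'staging']
    print(allowed_servers("finance"))        # []
    print(min_prefix_length(200))            # 24
```

A user whose groups match no server still holds an address on every server the organization is attached to, so `min_prefix_length` should be fed the organization's total user count, not the number of matching users.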