Single sign on with Duo Security
New Tutorial Available
A new tutorial is available here https://docs.pritunl.com/docs/duo
Controlling access to Pritunl on large enterprise deployments can be difficult, requiring users to be added manually or an integration with the API. Single sign-on simplifies access to Pritunl by allowing users to log in with an existing Duo Security account. With Duo single sign-on, users authenticate with their phone to access the Pritunl web console and download their VPN keys. The user also authorizes each VPN connection with Duo. By default Duo Push is used; if it is not available, a phone callback is used instead. A Pritunl enterprise license is required for single sign-on.
Setup Single Sign-On with Duo Security
Before enabling single sign-on with Duo, access keys will need to be created. This is done by logging into your Duo admin console and navigating to the Applications page. On the Applications page, select Add an Application, then select OpenVPN or Auth API. Once added, locate the access keys in the Details section. You may also choose to rename the application to Pritunl in the Settings.
Enable Duo Single Sign-On
Once you have created the Duo access keys, single sign-on can be enabled in the Pritunl web console. Open the settings dialog in the web console and select Duo Security as the Single Sign-On mode. Then fill in the Duo Integration Key, Duo Secret Key and Duo API Hostname with the details from the previous step. Then select the organization to which users who have authenticated with their Duo accounts will be added. It is recommended to create a separate organization for single sign-on to prevent conflicts with existing user accounts. A Duo admin username may also be provided to improve the security of the admin login. When the Duo admin username is set, a Duo push request is sent to that Duo user whenever someone attempts to log in to the web console as an administrator. If the admin username is set incorrectly or the account is inaccessible, running the command pritunl reset-password will remove the Duo admin.
Once Duo single sign-on is enabled, a button appears at the login screen to authenticate with Duo. When a user selects Sign in with Duo, they can enter their Duo username and a push authentication request is sent to their phone. If they approve the request, they are redirected to a page to download their VPN keys. If an email address is entered as the username, an attempt is first made to find a user with that name; if no user is found, the text before the @ is used as the username instead. When a Duo user attempts to connect to a VPN server with their keys, an additional push authentication request is sent to their phone. This request is sent each time they connect to the VPN server, so the user is authenticated on every connection.
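As an added illustration (not Pritunl's own code), the following Python shows what the Duo Integration Key, Secret Key and API Hostname from the settings dialog are used for: building a signed Duo Auth API v2 push request using Duo's published HMAC-SHA1 request-signing scheme, where only the signature (never the secret key) travels on the wire. It also implements the username lookup rule from the paragraph above. The key values, hostname and user list are constructed placeholders, and the function names (resolve_username and the others) are mine, not Pritunl's.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders: real values come from the Duo Applications page.
DUO_IKEY = "DIXXXXXXXXXXXXXXXXXX"
DUO_SKEY = "constructed-secret-key-placeholder"
DUO_HOST = "api-XXXXXXXX.duosecurity.com"
DUO_AUTH_PATH = "/auth/v2/auth"


def canonicalize(method, host, path, params, date):
    """Build the string Duo signs: date, upper-case method, lower-case host,
    path, and the parameters sorted by name and percent-encoded ('~' bare)."""
    canon_params = "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, canon_params])


def compute_signature(skey, canon):
    """HMAC-SHA1 of the canonical string, keyed with the Duo secret key."""
    return hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()


def sign_request(ikey, skey, method, host, path, params, date=None):
    """Return the Date and Authorization headers for a Duo API request.
    The Authorization value is HTTP Basic with ikey as user and the hex
    signature as password, so the secret key itself is never transmitted."""
    date = date or email.utils.formatdate(usegmt=True)
    sig = compute_signature(skey, canonicalize(method, host, path, params, date))
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def decode_authorization(header):
    """Split a Duo Authorization header back into (ikey, signature); handy
    when auditing what an integration actually puts on the wire."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("unexpected authorization scheme")
    ikey, sig = base64.b64decode(token).decode().split(":", 1)
    return ikey, sig


def push_auth_request(username, ikey=DUO_IKEY, skey=DUO_SKEY, host=DUO_HOST,
                      date=None):
    """Headers and parameters for a second-factor request. factor=auto lets
    Duo pick the out-of-band method it recommends for the user's devices
    (Duo Push where available, otherwise a phone callback), matching the
    fallback behaviour described on this page."""
    params = {"username": username, "factor": "auto", "device": "auto"}
    headers = sign_request(ikey, skey, "POST", host, DUO_AUTH_PATH, params, date)
    return headers, params


def resolve_username(entered, known_users):
    """Lookup rule from the page: try the entered value first; if it is an
    email address with no matching user, fall back to the part before '@'."""
    if entered in known_users or "@" not in entered:
        return entered
    return entered.split("@", 1)[0]


if __name__ == "__main__":
    # Constructed user directory for the lookup demonstration.
    users = {"alice", "bob@example.com"}
    for entered in ("alice", "alice@example.com", "bob@example.com"):
        print(entered, "->", resolve_username(entered, users))
    hdrs, prm = push_auth_request("alice")
    print(prm, hdrs["Date"], decode_authorization(hdrs["Authorization"])[0])
```

The signed request would be POSTed to https://<Duo API Hostname>/auth/v2/auth with those headers and form parameters; the point of the example is that a leaked Authorization header exposes only a per-request signature bound to the date and parameters, while the secret key must still be protected as a long-lived credential.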
It is possible to set a Duo user's status to Bypass to skip authentication. This allows a user to connect to a VPN server without authenticating with Duo. Bypass cannot be used to download VPN keys if Duo is the only authentication method. If Google + Duo is used, Bypass allows keys to be downloaded with only Google authentication.
Google + Duo
For additional security, Google and Duo can be combined for authentication. This requires the user to log in with their Google account and then authenticate with Duo when downloading VPN keys. Connections to the VPN server require only Duo authentication. The user's email address is used as the username when authenticating with Duo.
The Duo validation filter can be modified for more detailed control over which users have access and which organization each user is added to. Additional details and instructions for writing custom filters for Duo can be found in the Pritunl GitHub repository.