Hello my friends (and you are my friends),
You may have noticed a recent post about integrating SSO and zero trust security with Fortinet. I loved my Fortis are my last job, but realize that some organizations operate within very different budgetary parameters. Pritunl is a great way to set up an SSL VPN, sans the expensive hardware (depending upon how you define expensive). You get a cloud-directory managed VPN box.
Why make you wait for the "how-to?" A full blog is in our queue, but here's the "meat". These steps focus on JumpCloud, but Pritunl has pre-built integrations for other authentication providers. The important thing is that you have good security.
The initial step is to create a custom SSO connector for Pritunl. JumpCloud provides hundreds of free connectors as part of your subscription, and is routinely adding more, so search for it before you move ahead with this project. Continue to the next section if one isn’t available.
Click the SSO button in the left frame of the administrative console and hit the “plus” sign to start a new SSO connection. Select “Customer SAML App” and begin by filling in the requisite information to label your connector and choose a color scheme and logo. More context is available in JumpCloud’s SAML how-to article should you have any additional requirements.
Then, navigate to the SSO tab and enter an Entity ID that’s unique to your organization’s environment. The settings on this screen are case-sensitive on both systems; any typo will result in errors and the integration will fail. Your Pritunl FQDNs and JumpCloud IDs may differ, but the fields should be formatted as outlined below:
Follow the URL/URI formats precisely
The redirect endpoint ensures that JumpCloud’s console will be used to log users into the VPN
Pritunl requires the “org” attribute for group memberships
Activate the JumpCloud SSO connector once you’re finished and download the certificate. You’ll be required to copy the key into Pritunl’s GUI in a later step.
Click on the User Groups tab and add the group(s) that should have access to the VPN service. The link below is a detailed guide for admins who are unfamiliar with using JumpCloud.
Group membership grants access rights to the VPN
Pritunl VPN will be available within the JumpCloud User Console
Pritunl has JumpCloud listed as an authentication provider. Pull down the list, select JumpCloud, and select “add provider” to start the process of filling in Identity Provider settings.
The settings will be identical to what you entered into the JumpCloud admin console. Cut and paste the certificate from a text editor when you open the certificate on your PC. This integration also requires a JumpCloud API key from your console, which will be outlined in the next section. Both of these entries are confidential and should be kept private and carefully controlled.
Your JumpCloud API key may be reviewed by clicking on your user icon at the top right of your console. Note: Generating a new key will revoke prior keys and could break prior integrations.
You’re now ready to test your configuration.
Strongly consider adding Zero Trust security controls with JumpCloud’s Conditional Access Policies. These policies extend security beyond strong passwords and MFA alone.
Policies are assigned to existing groups or you may create dedicated groups for your requirements. Different groups may have different policies (or no policies). Policies include:
Tip: Retest your connectivity prior to making changes that could adversely affect user access.
Hey we're using Pritunl! After some hiccups in the beginning it's a pretty nice VPN so far. The only qualm I have with it, is that after the user downloads their profile to the Pritunl client, the "Mandatory MFA" doesn't activate. It only forces MFA when you log into the web UI the first time. @JCDavid did you also run into this? Or am I misconfiguring something (very possible tbh)
This should help:
To set up MFA:
When you create a conditional access policy that requires MFA, users who are included in the policy but don’t have MFA set up are required to enroll in MFA the next time they log in to the User Portal.