Hello my friends (and you are my friends),
You may have noticed a recent post about integrating SSO and zero trust security with Fortinet. I loved my Fortis are my last job, but realize that some organizations operate within very different budgetary parameters. Pritunl is a great way to set up an SSL VPN, sans the expensive hardware (depending upon how you define expensive). You get a cloud-directory managed VPN box.
Why make you wait for the "how-to?" A full blog is in our queue, but here's the "meat". These steps focus on JumpCloud, but Pritunl has pre-built integrations for other authentication providers. The important thing is that you have good security.
JumpCloud Setup
The initial step is to create a custom SSO connector for Pritunl. JumpCloud provides hundreds of free connectors as part of your subscription, and is routinely adding more, so search for it before you move ahead with this project. Continue to the next section if one isn’t available.
Create a SAML Connector
Click the SSO button in the left frame of the administrative console and hit the “plus” sign to start a new SSO connection. Select “Customer SAML App” and begin by filling in the requisite information to label your connector and choose a color scheme and logo. More context is available in JumpCloud’s SAML how-to article should you have any additional requirements.
Then, navigate to the SSO tab and enter an Entity ID that’s unique to your organization’s environment. The settings on this screen are case-sensitive on both systems; any typo will result in errors and the integration will fail. Your Pritunl FQDNs and JumpCloud IDs may differ, but the fields should be formatted as outlined below:
Follow the URL/URI formats precisely
The redirect endpoint ensures that JumpCloud’s console will be used to log users into the VPN
Pritunl requires the “org” attribute for group memberships
Activate the JumpCloud SSO connector once you’re finished and download the certificate. You’ll be required to copy the key into Pritunl’s GUI in a later step.
Setup Groups and Permissions
Click on the User Groups tab and add the group(s) that should have access to the VPN service. The link below is a detailed guide for admins who are unfamiliar with using JumpCloud.
Group membership grants access rights to the VPN
Pritunl VPN will be available within the JumpCloud User Console
Pritunl SSO Setup
Pritunl has JumpCloud listed as an authentication provider. Pull down the list, select JumpCloud, and select “add provider” to start the process of filling in Identity Provider settings.
The settings will be identical to what you entered into the JumpCloud admin console. Cut and paste the certificate from a text editor when you open the certificate on your PC. This integration also requires a JumpCloud API key from your console, which will be outlined in the next section. Both of these entries are confidential and should be kept private and carefully controlled.
Your JumpCloud API key may be reviewed by clicking on your user icon at the top right of your console. Note: Generating a new key will revoke prior keys and could break prior integrations.
You’re now ready to test your configuration.
Add Zero Trust Security from JumpCloud
Strongly consider adding Zero Trust security controls with JumpCloud’s Conditional Access Policies. These policies extend security beyond strong passwords and MFA alone.
Policies are assigned to existing groups or you may create dedicated groups for your requirements. Different groups may have different policies (or no policies). Policies include:
- Geofencing: JumpCloud permits you to whitelist selected countries to access your VPN. Any devices that attempt to log in from locations that aren’t specified will be denied access. For instance, an employee may be attempting to access internal resources from unsecured hotel Wi-Fi while on vacation.
- Managed devices: Limit access exclusively to JumpCloud managed devices. This ensures that IAM isn’t allowing rogue devices into your network.
- Mandatory MFA: Users must prove who they say they are prior to accessing the VPN by entering a TOTP code or Push MFA through the JumpCloud Protect™ application. This extends MFA beyond initial device/session logins for additional assurance, which is advisable given the current threat landscape.
Tip: Retest your connectivity prior to making changes that could adversely affect user access.
