Migrate Pritunl Azure SSO to Microsoft Graph API #484
Conversation
|
This wouldn't be compatible with existing configurations. All users currently have only the Azure Active Directory Graph API permissions configured. This change would break all existing configurations. A migration to the new API will be added in a future release. |
|
@zachhuff386 can you show where this was added instead, so it does indeed get actioned ASAP? we really need this, this is NOT really an "optional" improvement, this is a MUST do. @sgrzemski Szymon is the SSO provider in pritunl FREE, or is this functionality dependant on having some sort of ongoing subscription with or for pritunl ? |
|
@TheBigBear yes, it's in paid Enterprise plan. |
|
Apparently the Enterprise subscription still doesn't support Microsoft Graph API. |
|
An update for the new Azure API will be available in the unstable repository in a few hours. The command |
|
Thanks Zach. Using the unstable repo and enabling the new API worked like a charm. |
@zachhuff386 I updated to sudo pritunl set app.sso_azure_version 2, but still getting same error with MS Graph API. |
|
It worked. |
|
For everyone who struggles the same issue on AWS Linux:
|
Hello Pritunl developers,
Azure AD Graph API is deprecated. Pritunl has to be switched to use Microsoft Graph API.
Previously, Pritunl required Directory.Read.All API permission, which was excessive and potentially vulnerable. It might be also a problem when working with big AD sets. I have introduced the new API url, fixed all request params and changed the logic of getting user groups to match new Microsoft Graph API.
Thank you in advance,
Szymon