On Tue, 2018-10-30 at 16:54 -0500, Andy Wang wrote:
> I was, up until very recently, using openconnect and
> NetworkManager-openconnect to connect to my work VPN. I had a private
> hack to make the stoken stuff work (it was submitted in an email on
> this list) as well as another hack to deal with our token form not
> having the same expected form type.

Remind me of those please. As I prepare for the 8.0 release it would be
good to pull those in unless they're completely horrible hacks specific
to your setup.

> A couple of weeks ago we moved to a whole new login flow, where we now
> are redirected to a saml login page for authentication and then
> prompted to choose one of two types of MFA access - token code or
> mobile application notification based.
>
> With the more complicated flow I've had to switch back to the pulse
> secure client which embeds a webkitgtk UI to handle those flows.
>
> Just curious but is there anyone working on some similar flow support
> with NetworkManager-openconnect? I'm guessing that this type of
> authentication is way outside of the scope of openconnect's built in
> html client. (Pulse Secure's cli client can't handle this login flow
> either).

It's been talked about, repeatedly :)

The first step is to add a 'webview' callback method which the GUI
authentications can implement, which bypasses the current hackish HTML
screen-scraping.

That much is relatively easy, in fact, but then we'd need to do the
WebKitGtk stuff inside the NetworkManager auth-dialog for GNOME and
KDE, etc.

If there's a volunteer for the latter, I could certainly put together
the former. I'm just not that keen on throwing together the API change
for the webview callback without properly testing it.