Hi there.

My place of employment recently deployed a Palo Alto GlobalProtect device. It's set up with SAML and Two-Factor authentication. Looking through a bunch of posts on the internet including:

    https://github.com/dlenski/openconnect/blob/globalprotect/PAN_GlobalProtect_protocol_doc.md
    https://github.com/dlenski/openconnect/issues/149
    https://github.com/dlenski/gp-saml-gui/
    http://www.infradead.org/openconnect/globalprotect.html

I got to the point where I can go through the following:

- Go to https://vpn.example.com/global-protect/prelogin.esp
- Follow the login SAML trail back to https://vpn.example.com/SAML20/SP/ACS
  + See the result in that response (formatted for readability):

        <html><body>Login Successful!</body>
        <!--
        <saml-auth-status>1</saml-auth-status>
        <prelogin-cookie>C4xyzzyxyzzy...</prelogin-cookie>
        <saml-username>joe@xxxxxxxxxxx</saml-username>
        <saml-slo>no</saml-slo>
        -->
        </html>

- Go to https://vpn.example.com/global-protect/getconfig.esp, passing in the user=joe@xxxxxxxxxxx and prelogin-cookie=C4xyzzyxyzzy... which gives me a big XML file, which includes towards the end

        <portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
        <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
        <scep-cert-auth-cookie>XyzzYAShorterstring==</scep-cert-auth-cookie>

But now I'm stuck. What magic incarnation of the openconnect command line do I use now? I tried (with different cookies):

    cookie="ABCAverylargestringindeed="

    echo "$cookie" | \
      sudo openconnect --protocol=gp --usergroup portal:portal-userauthcookie \
      --user=joe@xxxxxxxxxxx vpn.example.com

    echo "$cookie" | \
      sudo openconnect --protocol=gp --user='joe@xxxxxxxxxxx' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.example.com

But it seems to fail with 'Unexpected 512 result from server' and still want to go to 'POST https://vpn.example.com/global-protect/getconfig.esp'

Sorry for the rather basic question, but I haven't found what to do next anywhere I looked.
Thanks!

Michel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
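
The two responses described in the message above can be parsed mechanically. The following is an added example, not part of the original post and not openconnect or gp-saml-gui code: it extracts the SAML result fields from the HTML comment in the ACS response and the auth cookies from the getconfig XML. The sample bodies are constructed, and the `<policy>` root element, the treatment of the literal `empty` as "no cookie issued", and the `redact` helper are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies shaped like the responses quoted in the post.
ACS_BODY = """<html><body>Login Successful!</body>
<!-- <saml-auth-status>1</saml-auth-status>
<prelogin-cookie>C4constructedcookie</prelogin-cookie>
<saml-username>joe@example.com</saml-username>
<saml-slo>no</saml-slo> -->
</html>"""
GETCONFIG_BODY = """<policy>
<portal-userauthcookie>ABCconstructed=</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
<scep-cert-auth-cookie>XyzConstructed==</scep-cert-auth-cookie>
</policy>"""

SAML_FIELDS = ("saml-auth-status", "prelogin-cookie", "saml-username", "saml-slo")
COOKIE_FIELDS = ("portal-userauthcookie", "portal-prelogonuserauthcookie",
                 "scep-cert-auth-cookie")

def parse_acs_response(body):
    """Return the SAML result fields carried inside HTML comments."""
    fields = {}
    for comment in re.findall(r"<!--(.*?)-->", body, flags=re.S):
        for name in SAML_FIELDS:
            m = re.search(r"<{0}>(.*?)</{0}>".format(re.escape(name)), comment, flags=re.S)
            if m:
                fields[name] = m.group(1).strip()
    # Fail closed: never hand a cookie onward unless the status says success.
    if fields.get("saml-auth-status") != "1":
        raise ValueError("SAML authentication did not succeed")
    if not fields.get("prelogin-cookie"):
        raise ValueError("no prelogin-cookie in ACS response")
    return fields

def parse_getconfig(body):
    """Return the auth cookies from the getconfig XML, None where absent."""
    root = ET.fromstring(body)
    cookies = {}
    for name in COOKIE_FIELDS:
        el = root.find(".//" + name)
        value = (el.text or "").strip() if el is not None else ""
        # Assumption: the literal "empty" means the portal issued no cookie.
        cookies[name] = value if value and value != "empty" else None
    return cookies

def redact(secret):
    """Cookies are bearer credentials; log only a short prefix."""
    return (secret[:4] + "...") if secret else "<none>"

if __name__ == "__main__":
    print(redact(parse_acs_response(ACS_BODY)["prelogin-cookie"]))
    print({k: redact(v) for k, v in parse_getconfig(GETCONFIG_BODY).items()})
```

Each of these cookies lets its holder authenticate as the user until it expires, so they are better passed on stdin than placed on a command line or written to logs.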