Michel wrote:
> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
>   in the user=joe@xxxxxxxxxxx and prelogin-cookie=C4xyzzyxyzzy...
>   which gives me a big XML file, which includes towards the end
>   <portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
>   <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
>   <scep-cert-auth-cookie>XyzzYAShorterstring==</scep-cert-auth-cookie>

Quite honestly, count me as impressed that you managed to do the whole SAML
authentication "by hand." (It's a confusing pain, isn't it?)

Since you clearly know what you're doing here more than most users who attempt
it, hopefully you'll be able to give us some insightful feedback on what
does/doesn't work in the scripts that automate this… :-D

> But now I'm stuck. What magic incarnation of the openconnect command line do
> I use now?

OpenConnect doesn't (yet) have the ability to handle the SAML authentication by
itself, so you need a helper script.

I'm partial to https://github.com/dlenski/gp-saml-gui/ because (a) it can log
what it's doing in a way that makes sense to the OpenConnect developers and (b)
it uses the same output format as `openconnect --authenticate`, and (c) I wrote
it, whence (a).

There are several more GUI-friendly wrappers too. I'd recommend @yuezk's
https://github.com/yuezk/GlobalProtect-openconnect

-Dan

On Thu, May 21, 2020 at 3:47 AM Michel <stoomboot@xxxxxxxxxxxxxx> wrote:
>
> Hi there. My place of employment recently deployed a Palo Alto
> GlobalProtect device. It's set up with SAML and Two-Factor
> authentication.
>
> Looking through a bunch of posts on the internet including:
> https://github.com/dlenski/openconnect/blob/globalprotect/PAN_GlobalProtect_protocol_doc.md
> https://github.com/dlenski/openconnect/issues/149
> https://github.com/dlenski/gp-saml-gui/
> http://www.infradead.org/openconnect/globalprotect.html
>
> I got to the point where I can go through the following:
>
> - Go to https://vpn.example.com/global-protect/prelogin.esp
> - Follow the login SAML trail back to https://vpn.example.com/SAML20/SP/ACS
>   + See the result in that response (formatted for readability):
>     <html><body>Login Successful!</body>
>     <!-- <saml-auth-status>1</saml-auth-status>
>     <prelogin-cookie>C4xyzzyxyzzy...</prelogin-cookie>
>     <saml-username>joe@xxxxxxxxxxx</saml-username>
>     <saml-slo>no</saml-slo>
>     -->
>     </html>
> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
>   in the user=joe@xxxxxxxxxxx and prelogin-cookie=C4xyzzyxyzzy...
>   which gives me a big XML file, which includes towards the end
>   <portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
>   <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
>   <scep-cert-auth-cookie>XyzzYAShorterstring==</scep-cert-auth-cookie>
>
> But now I'm stuck. What magic incarnation of the openconnect command
> line do I use now?
>
> I tried (with different cookies):
>
>   cookie="ABCAverylargestringindeed="
>   echo "$cookie" | \
>     sudo openconnect --protocol=gp --usergroup portal:portal-userauthcookie \
>       --user=joe@xxxxxxxxxxx vpn.example.com
>
>   echo "$cookie" | \
>     sudo openconnect --protocol=gp --user='joe@xxxxxxxxxxx' \
>       --os=win --usergroup=prelogin-cookie:gateway \
>       --passwd-on-stdin vpn.example.com
>
> But it seems to fail with 'Unexpected 512 result from server' and
> still want to go to
> 'POST https://vpn.example.com/global-protect/getconfig.esp'
>
> Sorry for the rather basic question, but I haven't found what to do next
> anywhere I looked.
>
> Thanks!
>
> Michel
>
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
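As an added example (not code from this thread, from gp-saml-gui or from OpenConnect), here is the parsing step a helper script has to perform on the two responses Michel walked through: the hidden SAML status comment in the ACS reply and the cookie tags in the getconfig.esp XML, rendered as one shell-quoted variable per line. The `<policy>` root wrapped around the getconfig.esp fragment and the `HOST`/`USER`/`COOKIE`/`OS` variable names are assumptions.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the ACS response exactly as quoted in the thread.
ACS_RESPONSE = """<html><body>Login Successful!</body>
<!-- <saml-auth-status>1</saml-auth-status>
<prelogin-cookie>C4xyzzyxyzzy...</prelogin-cookie>
<saml-username>joe@xxxxxxxxxxx</saml-username>
<saml-slo>no</saml-slo>
-->
</html>"""

# Constructed sample: the tail of the getconfig.esp XML, wrapped in a
# placeholder <policy> root (assumption; the real document is much larger).
GETCONFIG_XML = """<policy>
<portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
</policy>"""

def parse_acs_response(html):
    """Extract the SAML fields the portal hides in an HTML comment.
    Raises ValueError when the comment is missing, the status is not 1
    (the IdP round trip failed) or the cookie/username are absent."""
    m = re.search(r"<!--(.*?)-->", html, re.DOTALL)
    if not m:
        raise ValueError("no SAML status comment in ACS response")
    fields = dict(re.findall(r"<([\w-]+)>([^<]*)</\1>", m.group(1)))
    if fields.get("saml-auth-status") != "1":
        raise ValueError("SAML auth status %r" % fields.get("saml-auth-status"))
    if not fields.get("prelogin-cookie") or not fields.get("saml-username"):
        raise ValueError("ACS response lacks prelogin-cookie or saml-username")
    return fields

def portal_userauthcookie(getconfig_xml):
    """Pull <portal-userauthcookie> out of getconfig.esp; the portal uses
    the literal string 'empty' for an unset cookie, so report that as None."""
    el = ET.fromstring(getconfig_xml).find(".//portal-userauthcookie")
    if el is None or not el.text or el.text == "empty":
        return None
    return el.text

def authenticate_style(host, fields, os_name="win"):
    """One shell-quoted VAR=value per line, in the style of `openconnect
    --authenticate`, so a wrapper can eval it and pipe $COOKIE to openconnect."""
    pairs = [("HOST", host), ("USER", fields["saml-username"]),
             ("COOKIE", fields["prelogin-cookie"]), ("OS", os_name)]
    return "\n".join("%s=%s" % (k, shlex.quote(v)) for k, v in pairs)
```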