Re: openconnect with SAML and GlobalProtect

> OK, I'll take another look at the gp-saml-gui code to see how it performs
> that last step, or uses the script.

I see. Sorry, I missed that you had already tried gp-saml-gui (🤦‍♂️).

You may need to try --usergroup=gateway:prelogin-cookie instead of
portal in the last step. (I noticed that you tried
--usergroup=prelogin-cookie:gateway, which is backwards, so that
definitely won't work.)

If *that* doesn't work, try building with @yuezk's recent patch
(https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
which will let you authenticate to the portal and then pass whatever
cookies it gets through to the gateway. This appears to work on *some
GP servers* with SAML, but not others.

Bottom line is that I believe we fully understand how to inject the
SAML cookies into the gateway if the *gateway* does SAML, but we don't
fully understand how to do SAML authentication to the portal and then
get the portal to pass the cookies to the gateway, if you have to do
the SAML authentication to the portal.

On Thu, May 21, 2020 at 12:53 PM Michel van der List
<stoomboot@xxxxxxxxxxxxxx> wrote:
>
> (Grumble. Thunderbird really doesn't like plain text, my apologies if this
> comes out poorly).
>
> I guess I really just figured since I did the login dance already, I just
> need to coerce openconnect (somehow) with the data in that XML file.
>
> Perhaps I did not make this very clear in the original post, I actually
> have this automated with some silly python and zenity, so I was hoping the
> last step would just be 'run openconnect passing this XML/data/whatever'.
>
> OK, I'll take another look at the gp-saml-gui code to see how it performs
> that last step, or uses the script.
>
> Thanks, Michel
>
> On 5/21/20 3:05 PM, Daniel Lenski wrote:
>  > Michel wrote:
>  >> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
>  >>   in the user=joe@xxxxxxxxxxx and prelogin-cookie=C4xyzzyxyzzy...
>  >>   which gives me a big XML file, which includes towards the end
>  >>
>  >> <portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
>  >> <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
>  >> <scep-cert-auth-cookie>XyzzYAShorterstring==</scep-cert-auth-cookie>
>  >
>  > Quite honestly, count me as impressed that you managed to do the whole
>  > SAML authentication "by hand." (It's a confusing pain, isn't it?)
>  >
>  > Since you clearly know what you're doing here more than most users who
>  > attempt it, hopefully you'll be able to give us some insightful
>  > feedback on what does/doesn't work in the scripts that automate this…
>  > :-D
>  >
>  >> But now I'm stuck. What magic incarnation of the openconnect command
>  >> line do I use now?
>  >
>  > OpenConnect doesn't (yet) have the ability to handle the SAML
>  > authentication by itself, so you need a helper script.
>  >
>  > I'm partial to https://github.com/dlenski/gp-saml-gui/ because (a) it
>  > can log what it's doing in a way that makes sense to the OpenConnect
>  > developers and (b) it uses the same output format as `openconnect
>  > --authenticate`, and (c) I wrote it, whence (a).
>  >
>  > There are several more GUI-friendly wrappers too. I'd recommend
>  > @yuezk's https://github.com/yuezk/GlobalProtect-openconnect
>  >
>  > -Dan
>  >
>
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/openconnect-devel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
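An added example (not code from this thread, from openconnect, or from gp-saml-gui): it pulls the cookie elements out of the getconfig.esp response Michel quoted and builds the gateway-side invocation Dan suggests with --usergroup=gateway:prelogin-cookie, keeping the cookie off argv. The XML sample, hostname and username are constructed; whether a given GP server accepts the result is, as the thread says, server-dependent.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of a getconfig.esp response (real ones are much larger).
SAMPLE_GETCONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <portal-userauthcookie>ABCAverylargestringindeed=</portal-userauthcookie>
  <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
  <scep-cert-auth-cookie>XyzzYAShorterstring==</scep-cert-auth-cookie>
</policy>
"""

COOKIE_TAGS = ("portal-userauthcookie", "portal-prelogonuserauthcookie",
               "scep-cert-auth-cookie")


def extract_portal_cookies(xml_text):
    """Return the cookie elements found in a getconfig.esp response.

    The portal writes the literal string 'empty' for an unset cookie, so
    that value is mapped to None instead of being passed on as a cookie.
    """
    root = ET.fromstring(xml_text)
    cookies = {}
    for tag in COOKIE_TAGS:
        node = root.find(f".//{tag}")
        if node is None:
            continue
        value = (node.text or "").strip()
        cookies[tag] = None if value in ("", "empty") else value
    return cookies


def gateway_command(gateway, user, os_name="linux-64"):
    """Argument list for the gateway step with --usergroup=gateway:prelogin-cookie.

    The prelogin cookie is deliberately kept off argv, where `ps` would show
    it; openconnect reads it from stdin because of --passwd-on-stdin.
    """
    return ["openconnect", "--protocol=gp",
            "--usergroup=gateway:prelogin-cookie", "--passwd-on-stdin",
            f"--os={os_name}", "-u", user, gateway]


if __name__ == "__main__":
    for tag, value in extract_portal_cookies(SAMPLE_GETCONFIG_XML).items():
        print(f"{tag}: {'(unset)' if value is None else value[:8] + '...'}")
    # Example invocation; the prelogin cookie would be piped into stdin.
    print(shlex.join(gateway_command("vpn.example.com", "joe@example.com")))
```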