> You may need to try --usergroup=gateway:prelogin-cookie instead of
> portal in the last step. (I noticed that you tried
> --usergroup=prelogin-cookie:gateway, which is backwards, so that
> definitely won't work.)
OK, so I now did my SAML dance and got the cookie from the SAML
response from the VPN (i.e. <portal-userauthcookie>). I then did
(I tried both that cookie and the perauth-cookie):
# echo "$cookie" | \
sudo openconnect --verbose --passwd-on-stdin --protocol=gp \
--usergroup=gateway:prelogin-cookie --user=joe@xxxxxxxxxxx
vpn.example.com
POST
https://vpn.example.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.251:443
Connected to 1.2.3.251:443
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 21 May 2020 20:16:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1909
Connection: keep-alive
ETag: "e185e9a5382"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=TGludXg%3D; expires=Fri, 22-May-2020 20:16:40
GMT; path=/
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1909)
Destination form field POST was specified; assuming SAML
prelogin-cookie authentication is complete.
Enter login credentials
POST https://vpn.example.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Date: Thu, 21 May 2020 20:16:40 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605e9a5382"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure;
HttpOnly
HTTP body length: (128)
Unexpected 512 result from server
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
> If *that* doesn't work, try building with @yuezk's recent patch
> (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> which will let you authenticate to the portal and then pass whatever
> cookies it gets through to the gateway. This appears to work on *some
> GP servers* with SAML, but not others.
OK, that will take a bit. I was just using the 'bog standard'
Fedora-delivered openconnect :-).
> Bottom line is that I believe we fully understand how to inject the
> SAML cookies into the gateway if the *gateway* does SAML, but we don't
> fully understand how to do SAML authentication to the portal and then
> get the portal to pass the cookies to the gateway, if you have to do
> the SAML authentication to the portal.
I can circle back to the gp-saml-gui code as well, now that I have a
better handle on the SAML dance.
Thanks a ton for all the help so far, Michel
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
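The cookie hand-off the thread is working through, as an added example that is not code from openconnect, gp-saml-gui or the people in the thread. It pulls the GP cookies out of the response that ends the SAML flow, pairs the chosen cookie with the TYPE:COOKIE form of --usergroup (so the reversed prelogin-cookie:gateway form is rejected, as the quoted reply points out), feeds the secret over stdin rather than the command line, and parses a 512 response for the x-private-pan-sslvpn headers seen in the log above. The cookie and header names, the usergroup pairing, and all sample responses are assumptions or constructed data, not captures from a real server; vpn.example.com is the placeholder used in the thread.

```python
"""Extract GlobalProtect SAML cookies and build the matching openconnect call.

Added example, not openconnect or gp-saml-gui code. Cookie names, the
TYPE:COOKIE --usergroup pairing and the sample responses are assumptions /
constructed data, not real captures.
"""
import re

# Values a GP server hands back once SAML completes, either as HTTP headers
# or as <name>value</name> elements in HTML comments (assumed naming).
COOKIE_NAMES = ("prelogin-cookie", "portal-userauthcookie", "saml-username")

# Assumed pairing: the cookie passed via --passwd-on-stdin must match the
# TYPE:COOKIE form of --usergroup, with the type (portal/gateway) first.
USERGROUP_FOR = {
    "prelogin-cookie": "gateway:prelogin-cookie",
    "portal-userauthcookie": "portal:portal-userauthcookie",
}


def extract_saml_cookies(headers, body):
    """Return {name: value} for each known cookie found in the headers
    (case-insensitive) or in the body as <name>value</name>."""
    found = {}
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in COOKIE_NAMES:
        if lowered.get(name):
            found[name] = lowered[name]
            continue
        pattern = r"<%s>\s*(.*?)\s*</%s>" % (re.escape(name), re.escape(name))
        m = re.search(pattern, body, re.S)
        if m and m.group(1):
            found[name] = m.group(1)
    return found


def usergroup_is_valid(usergroup):
    """Accept TYPE[:COOKIE] with TYPE in {portal, gateway}; the reversed
    COOKIE:TYPE form is rejected."""
    kind, _, cookie = usergroup.partition(":")
    return kind in ("portal", "gateway") and (cookie == "" or cookie in USERGROUP_FOR)


def build_openconnect_cmd(server, found):
    """Pick the cookie to hand over and return (argv, secret). The secret is
    meant for openconnect's stdin and is never placed in argv."""
    for name in ("prelogin-cookie", "portal-userauthcookie"):
        if found.get(name):
            argv = ["openconnect", "--protocol=gp", "--passwd-on-stdin",
                    "--usergroup=" + USERGROUP_FOR[name]]
            if found.get("saml-username"):
                argv.append("--user=" + found["saml-username"])
            argv.append(server)
            return argv, found[name]
    raise ValueError("no prelogin-cookie or portal-userauthcookie in SAML response")


def parse_pan_error(raw_response):
    """Parse the status line and x-private-pan-sslvpn* headers so a
    '512 Custom error' can be explained rather than just reported."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    hdrs = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        hdrs[k.strip().lower()] = v.strip()
    return {"status": status,
            "result": hdrs.get("x-private-pan-sslvpn"),
            "detail": hdrs.get("x-private-pan-sslvpn-extension")}


# Constructed sample data (not real captures).
SAMPLE_HEADERS = {"Content-Type": "text/html", "Prelogin-Cookie": "AbCdEf0123456789"}
SAMPLE_BODY = ("<html><body>\n"
               "<!-- <saml-username>joe@example.com</saml-username> -->\n"
               "<!-- <prelogin-cookie>AbCdEf0123456789</prelogin-cookie> -->\n"
               "</body></html>")
SAMPLE_512 = ("HTTP/1.1 512 Custom error\r\n"
              "Content-Type: text/html\r\n"
              "x-private-pan-sslvpn: auth-failed\r\n"
              "x-private-pan-sslvpn-extension: auth-failed-password-empty\r\n"
              "\r\n<html>auth failed</html>")

if __name__ == "__main__":
    cookies = extract_saml_cookies(SAMPLE_HEADERS, SAMPLE_BODY)
    argv, secret = build_openconnect_cmd("vpn.example.com", cookies)
    print(" ".join(argv))  # the cookie value is deliberately not printed
    print(parse_pan_error(SAMPLE_512))
    # Real use needs root and the openconnect binary, e.g.:
    # subprocess.run(["sudo"] + argv, input=secret.encode())
```

The secret is returned separately from argv so it can be written to openconnect's stdin the way the thread's `echo "$cookie" | openconnect --passwd-on-stdin` does, instead of showing up in the process list.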