Re: openconnect with SAML and GlobalProtect

> You may need to try --usergroup=gateway:prelogin-cookie instead of
> portal in the last step. (I noticed that you tried
> --usergroup=prelogin-cookie:gateway, which is backwards, so that
> definitely won't work.)

OK, so I now did my SAML dance and got the cookie from the SAML
response from the VPN (i.e. <portal-userauthcookie>). I then did
(I tried both that cookie and the perauth-cookie):

    # echo "$cookie" | \
        sudo openconnect --verbose --passwd-on-stdin --protocol=gp \
        --usergroup=gateway:prelogin-cookie --user=joe@xxxxxxxxxxx vpn.example.com
    POST https://vpn.example.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
    Attempting to connect to server 1.2.3.251:443
    Connected to 1.2.3.251:443
    SSL negotiation with vpn.example.com
    Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
    Got HTTP response: HTTP/1.1 200 OK
    Date: Thu, 21 May 2020 20:16:40 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 1909
    Connection: keep-alive
    ETag: "e185e9a5382"
    Pragma: no-cache
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-FRAME-OPTIONS: DENY
    Set-Cookie: CLIENTOS=TGludXg%3D; expires=Fri, 22-May-2020 20:16:40 GMT; path=/
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block;
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length:  (1909)
    Destination form field POST was specified; assuming SAML prelogin-cookie authentication is complete.
    Enter login credentials
    POST https://vpn.example.com/ssl-vpn/login.esp
    Got HTTP response: HTTP/1.1 512 Custom error
    Date: Thu, 21 May 2020 20:16:40 GMT
    Content-Type: text/html
    Content-Length: 128
    Connection: keep-alive
    ETag: "23605e9a5382"
    Pragma: no-cache
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    x-private-pan-sslvpn: auth-failed
    x-private-pan-sslvpn-extension: auth-failed-password-empty
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-FRAME-OPTIONS: DENY
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
    HTTP body length:  (128)
    Unexpected 512 result from server
    Enter login credentials
    Username: fgets (stdin): Resource temporarily unavailable

> If *that* doesn't work, try building with @yuezk's recent patch
> (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> which will let you authenticate to the portal and then pass whatever
> cookies it gets through to the gateway. This appears to work on *some
> GP servers* with SAML, but not others.

OK, that will take a bit. I was just using the 'bog standard' Fedora
delivered openconnect :-).

> Bottom line is that I believe we fully understand how to inject the
> SAML cookies into the gateway if the *gateway* does SAML, but we don't
> fully understand how to do SAML authentication to the portal and then
> get the portal to pass the cookies to the gateway, if you have to do
> the SAML authentication to the portal.

I can circle back to the gp-saml-gui code as well, now that I have a
better handle on the SAML dance.

Thanks a ton for all the help so far, Michel
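The verbose output above carries the real diagnostic in the `x-private-pan-sslvpn` / `x-private-pan-sslvpn-extension` headers of the 512 reply rather than in the "Unexpected 512 result" line. The script below is an added example, not code from this thread or from the openconnect project: it parses a constructed excerpt modelled on the quoted log into per-request exchanges (URL, status, headers) and reports which step failed and why. The `KNOWN_EXTENSIONS` table and its explanations are assumptions based only on the header values visible in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt modelled on the verbose openconnect output quoted in the thread
# (hostnames and values are the anonymised ones from the mail, not real infrastructure).
SAMPLE_LOG = """\
POST https://vpn.example.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Got HTTP response: HTTP/1.1 200 OK
Content-Type: application/xml; charset=UTF-8
HTTP body length:  (1909)
Destination form field POST was specified; assuming SAML prelogin-cookie authentication is complete.
Enter login credentials
POST https://vpn.example.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Content-Type: text/html
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
HTTP body length:  (128)
Unexpected 512 result from server
"""


@dataclass
class Exchange:
    """One request/response pair as openconnect --verbose prints it."""
    url: str
    status: int = 0
    headers: dict = field(default_factory=dict)


def parse_exchanges(log: str) -> list:
    """Group the log into exchanges: a 'POST <url>' or 'GET <url>' line opens one,
    'Got HTTP response: HTTP/x.y NNN' sets its status, and header lines that
    follow the status line are collected with lower-cased names."""
    exchanges = []
    current: Optional[Exchange] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = re.match(r"^(POST|GET) (\S+)$", line)
        if m:
            current = Exchange(url=m.group(2))
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^Got HTTP response: HTTP/\d\.\d (\d{3})", line)
        if m:
            current.status = int(m.group(1))
            continue
        # Header names contain no spaces, so 'HTTP body length:  (128)' does not match.
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$", line)
        if m and current.status:
            current.headers[m.group(1).lower()] = m.group(2)
    return exchanges


# Assumed interpretations (not from the thread or PAN documentation) of the
# extension values a GlobalProtect server puts in its failure replies.
KNOWN_EXTENSIONS = {
    "auth-failed-password-empty": (
        "the server received an empty password field; in prelogin-cookie mode the "
        "cookie is sent as the password, so check that it actually reached openconnect"
    ),
}


def diagnose(log: str) -> Optional[str]:
    """Return a one-line explanation of the first failing exchange, or None if
    every exchange succeeded."""
    for ex in parse_exchanges(log):
        failed = ex.status >= 400 or ex.headers.get("x-private-pan-sslvpn", "").startswith("auth-failed")
        if failed:
            ext = ex.headers.get("x-private-pan-sslvpn-extension", "unknown")
            hint = KNOWN_EXTENSIONS.get(ext, "no local explanation for this extension value")
            return f"{ex.url} -> HTTP {ex.status}, {ext}: {hint}"
    return None


if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        print(ex.status, ex.url)
    print(diagnose(SAMPLE_LOG))
```

Feed it the output of `openconnect --verbose` (after redacting cookies) to see the failing step and the server's stated reason without reading through the repeated Set-Cookie lines by hand.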


_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel



