On Fri, May 22, 2020 at 1:00 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> On Thu, 2020-05-21 at 16:32 -0400, Michel van der List wrote:
> > > If *that* doesn't work, try building with @yuezk's recent patch
> > > (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> > > which will let you authenticate to the portal and then pass whatever
> > > cookies it gets through to the gateway. This appears to work on *some
> > > GP servers* with SAML, but not others.
> >
> > OK, that will take a bit. I was just using the 'bog standard' Fedora
> > delivered openconnect :-).
>
> If I merge that MR, it'll show up in the COPR at
> https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/
>
> I've been waiting for less mixed signals like "doesn't work for all
> cases" from Dan... :)

!109 is incomplete in terms of handling all the myriad ways in which a
portal *could* hand off cookies to a gateway.

https://gitlab.com/dlenski/openconnect/commits/gp_auth_fixes appears
to be working better, per
https://gitlab.com/openconnect/openconnect/-/issues/147#note_347547783

In terms of fixing this once-and-for-all, I'm at the mercy of the fact
that there appear to be a gazillion ways the portal-to-gateway handoff
*can* be configured, and I don't have access to any VPNs that use the
ones where it really matters (only way to login is via SAML to portal,
then cookie handoff to gateway), no one who administers these VPNs
understands how this works, and most of the users who figure out how
to make it work for *their* VPN don't stick around long enough to help
me collect reliable data for solving the problem in general.

</rant>

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel