This repository has been archived by the owner on Jan 25, 2021. It is now read-only.

Support for multi-form auth #10

directhex opened this issue Jan 30, 2019 · 1 comment

@directhex

Our auth portal is multi-form:

  • First form requires email address
  • Email address redirects to second portal on a second domain, which prompts for smartcard or user/pass auth
  • Choice on second portal does not redirect, it uses JS to change the form displayed to either query the user's browser for a cert, or ask for user/pass

I can't find a way to convince network-manager-openconnect to follow multiple forms through.

As-is, trying to log in gives:

```
HTTP body length:  (1289)
SAML authentication via REDIRECT to https://login.domain.com/{guid}/saml2?SAMLRequest=foo&RelayState=bar is required.
Must specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<panos-version>1</panos-version><saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method><saml-request>foo</saml-request><region>US</region>
</prelogin-response>
```

If I set the URL of the gateway to a full URL and add a suffix with the name of the field for the first form, I get a 512 error.
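The error above is the client reading the gateway's `prelogin-response` and finding `saml-auth-method` set, which means the gateway wants the browser-side SAML flow rather than a plain form. As an added illustration (not code from the issue, from OpenConnect, or from network-manager-openconnect), the following parser extracts that decision from a prelogin response. It assumes that a `saml-request` value is base64-encoded (as GlobalProtect normally sends it) and falls back to the raw text when it is not, which is what happens with the redacted `foo` in the quoted output; the sample XML and URL below are constructed, modelled on the response quoted in the issue.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the prelogin-response quoted in the issue.
# The redirect URL is a placeholder, not a real tenant.
SAMPLE_REDIRECT_URL = "https://login.example.invalid/tenant/saml2?SAMLRequest=foo&RelayState=bar"
SAMPLE_PRELOGIN = f"""<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<panos-version>1</panos-version><saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method><saml-request>{base64.b64encode(SAMPLE_REDIRECT_URL.encode()).decode()}</saml-request><region>US</region>
</prelogin-response>
"""


@dataclass
class PreloginDecision:
    status: str                  # <status> text, e.g. "Success"
    saml_required: bool          # True when the gateway set <saml-auth-method>
    saml_method: Optional[str]   # "REDIRECT" or "POST" (assumed values), else None
    saml_target: Optional[str]   # decoded <saml-request>: a URL for REDIRECT
    message: str                 # <authentication-message> shown to the user


def _text(root: ET.Element, tag: str) -> str:
    """Return the stripped text of a direct child element, or '' if absent/empty."""
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else ""


def _decode_saml_request(raw: str) -> str:
    """Decode a base64 saml-request; keep the raw text if it is not valid base64
    (the issue's redacted 'foo' is an example of the latter)."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return raw


def parse_prelogin(xml_text: str) -> PreloginDecision:
    """Parse a GlobalProtect prelogin-response and say whether SAML is required.

    ElementTree does not resolve external entities, which is what we want when
    parsing a response from a remote gateway."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        raise ValueError(f"unexpected root element {root.tag!r}")
    method = _text(root, "saml-auth-method") or None
    target = _decode_saml_request(_text(root, "saml-request")) if method else None
    return PreloginDecision(
        status=_text(root, "status"),
        saml_required=method is not None,
        saml_method=method,
        saml_target=target,
        message=_text(root, "authentication-message"),
    )


def describe(decision: PreloginDecision) -> str:
    """Human-readable summary in the spirit of the client's own message."""
    if decision.saml_required:
        return f"SAML authentication via {decision.saml_method} to {decision.saml_target} is required."
    return f"Form login: {decision.message or 'no authentication message'}"


if __name__ == "__main__":
    print(describe(parse_prelogin(SAMPLE_PRELOGIN)))
```

The useful outcome for a client is the `saml_required` flag: once it is set, no choice of `:field_name` suffix on the login URL will help, because the next step is a browser-driven exchange with the identity provider rather than another gateway form.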

@dlenski
Owner

dlenski commented Jan 30, 2019

> … it uses JS to change the form displayed to either query the user's browser for a cert, or ask for user/pass

Unless I'm misunderstanding something, this isn't an issue with network-manager-openconnect per se. It won't work with the command-line version of openconnect v8.02 either, for which nm-openconnect is just a GUI wrapper.

This seems to fall under the general umbrella of SAML authentication which OpenConnect doesn't currently have native support for; but see dlenski/openconnect#116, dlenski/openconnect#122, and arthepsy/pan-globalprotect-okta for some external scripts to do the SAML "authentication dance".

I am the developer of OpenConnect's globalprotect protocol support, and don't have access to a GP VPN that uses SAML authentication, so I really can't develop support for it myself.

@dlenski dlenski closed this as completed Jan 24, 2021
Repository owner locked and limited conversation to collaborators Jan 24, 2021