Bug 444500

Summary: GlobalProtect SAML request/response ignored
Product: [Plasma] plasmashell Reporter: jdbarnes
Component: Networking in generalAssignee: Jan Grulich <jgrulich>
Status: RESOLVED FIXED    
Severity: normal CC: havard.stien, kroot.patel, nate
Priority: NOR    
Version: master   
Target Milestone: 1.0   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73 Version Fixed In: 6.0
Sentry Crash Report:

Description jdbarnes 2021-10-27 17:56:03 UTC 
SUMMARY
Globalprotect servers that ask for SAML login do not interactively request additional information.

STEPS TO REPRODUCE
1. Create connection with openconnect gp plugin for server that requires a SAML auth
2. Attempt connect
3. Authentication always fails because SAML requests appear to be ignored

OBSERVED RESULT

POST https://vpn.host.net/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server ip.v4.host.addr:443
Connected to ip.v4.host.addr:443
SSL negotiation with vpn.host.net
Connected to HTTPS on vpn.host.net with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 15 Oct 2021 21:17:58 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2104
Connection: keep-alive
ETag: "167860b854d7"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; path=/; secure; httponly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (2104)
SAML POST authentication is required via external script.
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>login through Okta</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>PG...
... very long stuff ...
...DQo=</saml-request><region>US</region>
</prelogin-response>



EXPECTED RESULT


SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Comment 1 jdbarnes 2021-10-27 18:21:49 UTC 
The saml handshake decoded from base 64:

<html>
<body>
<form id="myform" method="POST" action="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****d6/sso/saml">
<input type="hidden" name="SAMLRequest" value="PH...c3Q+" />
<input type="hidden" name="RelayState" value="NwM******==" />
</form>
<script>
  document.getElementById('myform').submit();
</script>
</body>
</html>

and the SAML request itself:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://vpn.host.net:443/SAML20/SP/ACS" Destination="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****1d6/sso/saml" ID="_46******53c" IssueInstant="2021-10-27T18:14:30Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://vpn.host.net:443/SAML20/SP</saml:Issuer></samlp:AuthnRequest
Comment 2 Bug Janitor Service 2023-12-21 02:20:09 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/316
Comment 3 Nicolas Fella 2023-12-27 15:24:33 UTC 
Git commit 828b554dd1c35755525bdc8645bbaf738075cc73 by Nicolas Fella, on behalf of Rahul Rameshbabu.
Committed on 27/12/2023 at 16:23.
Pushed by nicolasfella into branch 'master'.

Add GlobalProtect SAML based authentication support with OpenConnect VPN

Pass HTTP response headers to libopenconnect SAML handling functionality.
libopenconnect will process the headers and authenticate with GlobalProtect
gateways.

This change depends on Qt>=6.6 for the needed changes in QtWebEngine that
enable HTTP response header extraction.
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>

M  +49   -19   vpn/openconnect/openconnectauth.cpp
M  +2    -0    vpn/openconnect/openconnectauth.h

https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73
Comment 4 Ben Cooksley 2024-12-23 18:23:43 UTC 
Bulk transfer as requested in T17796