Summary: | Unable to access the VPN network in double authentication mode (AnyConnect SAML/SSO) | | |
---|---|---|---|
Product: | [Plasma] plasma-nm | Reporter: | antonio <antdev66> |
Component: | applet | Assignee: | Jan Grulich <jgrulich> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | dwmw2, ehren.bendler, joel, karli, mekius, nate, nicolas.fella, physkets, sergeychepurko, sokann, strijbol.niko, strm.50, yhetti |
Priority: | NOR | | |
Version: | 5.23.5 | | |
Target Milestone: | --- | | |
Platform: | Debian unstable | | |
OS: | Linux | | |
Latest Commit: | https://invent.kde.org/plasma/plasma-nm/-/commit/6ef64be8645ac32fc0b42df2cee5d9ff3b57e485 | Version Fixed In: | 6.0 |
Description
antonio
2022-01-09 07:47:30 UTC
For what it's worth, I took a crack at implementing support for this using QtWebEngineView (loosely based on the nm-openconnect code for the same) and was not able to get it working. I won't pretend to be a Qt expert, but I was able to get plasma-nm to pop the window at an appropriate time but got stuck at a repeated SIGTRAP in the underlying Chromium code in Qt 5.15.

The latest OpenConnect API has support for launching a desktop browser, but I did not try using that yet. That might be a better solution going forward, so that the authentication support is not tied to whatever version of Chromium Qt picked for a given release.

That said, external browser use is a tough edge case. One has to have:
1) The latest OpenConnect, built against a recent version of OpenSSL/GnuTLS
2) A recent version of the AnyConnect server
3) The *server* has to be set up to allow/force external browsers
4) The applet has to be built with the callback added

I can't work on that since my company does not have #3.

*** This bug has been confirmed by popular vote. ***

(In reply to Ehren Bendler from comment #2)
> That said, external browser use is a tough edge case.
>
> One has to have:
> 1) The latest OpenConnect, built against a recent version of OpenSSL/GnuTLS
> 2) A recent version of the AnyConnect server
> 3) The *server* has to be set up to allow/force external browsers
> 4) The applet has to be built with the callback added
>
> I can't work on that since my company does not have #3.

I happen to have a company with one of these VPNs, so I may take a stab at learning some new things. Do you still have this experimental code around for me to look at and possibly use as a starting point?

I also work at a company with forced SSO. I can test any experimental code.
I backported the following patches from Rahul to v5.26.5 on my system, and I can confirm that this fixes the issue:
* 408cca64: Add support for openconnect_set_external_browser_callback introduced in openconnect v9.0 (libopenconnect 5.8) using QDesktopServices
* 4654501e: Remove UB parameter passing to va_list argument in OpenconnectAuthWorkerThread::openUri
* f7bb3a1f: Add support for SAML based authentication when using OpenConnect VPN
* 7e7690db: Clean up braceless single line conditionals in openconnectauthworkerthread.cpp

Note that Rahul's other patch to OpenConnect is also required to successfully connect to the VPN:
* 0e82c937: Do not add 'single-sign-on' to the capabilities list for AnyConnect auth requests

Fixed in Plasma 6 by Rahul Rameshbabu with https://invent.kde.org/plasma/plasma-nm/-/commit/6ef64be8645ac32fc0b42df2cee5d9ff3b57e485!

What chance does this have of making it back to stable 5? Currently only GNOME's applet works with AnyConnect MFA, and seeing as more and more companies and organizations are moving towards a stricter security policy, a large number of people are going to be affected by this sooner than Plasma 6 hits any mainline distros (at least I am ;))

SOFTWARE/OS VERSIONS
OS: openSUSE Leap 15.5
KDE Plasma Version: 5.27.9
KDE Frameworks Version: 5.102.0
Qt Version: 5.15.8

(In reply to Karli Sjöberg from comment #10)
> What chance does this have of making it back to stable 5? Currently only
> GNOME's applet works with AnyConnect MFA, and seeing as more and more
> companies and organizations are moving towards a stricter security policy, a
> large number of people are going to be affected by this sooner than Plasma 6
> hits any mainline distros (at least I am ;))

I believe that the Qt 5.15 WebEngine is the problem for advanced auth, so very low. You should engage your IT to enable "ext-browser" on the server side, which does work in Plasma 5.27 after you update openconnect.
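Editor's added example, not code from the bug report, plasma-nm or OpenConnect: both Ehren's prerequisite list (item 1) and the closing advice to "update openconnect" come down to the client being at least openconnect v9.0 (libopenconnect 5.8), the release that introduced openconnect_set_external_browser_callback. The script below parses the first line of `openconnect --version` output and reports whether that threshold is met, so a user on Plasma 5.27 can tell a too-old client apart from a server that has not enabled ext-browser. The two sample outputs are constructed, and the `--external-browser` CLI option the live mode greps for is assumed to exist in 9.x clients.

```shell
#!/bin/sh
# Editor's added example, not part of the bug report, plasma-nm or OpenConnect.
# Checks whether an openconnect client is new enough for the external-browser
# SAML flow discussed in the thread: openconnect v9.0 (libopenconnect 5.8) is
# where openconnect_set_external_browser_callback appeared, so an older client
# cannot use the flow even when the server allows it. The TLS library the
# client was built against is on the second line of the same output
# ("Using GnuTLS 3.8.3 ..."), which covers the other half of Ehren's item 1.

OC_REQUIRED_MAJOR=9
OC_REQUIRED_MINOR=0

# oc_version_ok VERSION_OUTPUT
#   VERSION_OUTPUT is the full text printed by `openconnect --version`.
#   Prints the parsed version ("9.12") when one is found and returns
#   0 when it is >= 9.0, 1 when it is older, 2 when no version line was found.
oc_version_ok() {
    # Pull "X Y" out of "OpenConnect version v9.12" or "OpenConnect version v8.20-1";
    # distro suffixes after the minor number are ignored.
    _ver=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenConnect version v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p' \
        | head -n 1)
    [ -n "$_ver" ] || return 2
    _major=${_ver% *}
    _minor=${_ver#* }
    printf '%s.%s\n' "$_major" "$_minor"
    [ "$_major" -gt "$OC_REQUIRED_MAJOR" ] && return 0
    [ "$_major" -eq "$OC_REQUIRED_MAJOR" ] && [ "$_minor" -ge "$OC_REQUIRED_MINOR" ] && return 0
    return 1
}

# oc_report LABEL VERSION_OUTPUT
#   Human-readable wrapper around oc_version_ok; always returns 0.
oc_report() {
    _rc=0
    _found=$(oc_version_ok "$2") || _rc=$?
    case $_rc in
        0) echo "$1: openconnect $_found, new enough for external-browser SAML (>= 9.0)" ;;
        1) echo "$1: openconnect $_found, too old; external-browser SAML needs >= 9.0" ;;
        *) echo "$1: could not find an 'OpenConnect version vX.Y' line" ;;
    esac
    return 0
}

# Constructed sample outputs (not captured from a real system) so the check
# can be exercised offline.
SAMPLE_NEW='OpenConnect version v9.12
Using GnuTLS 3.8.3. Features present: PKCS#11, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array'
SAMPLE_OLD='OpenConnect version v8.20-1
Using OpenSSL 3.0.2. Features present: PKCS#11, DTLS, ESP'

oc_report "constructed 9.12 sample" "$SAMPLE_NEW"
oc_report "constructed 8.20 sample" "$SAMPLE_OLD"

# With --live, also check the installed binary and look for the
# --external-browser option (assumed to be present in the openconnect 9.x CLI).
if [ "${1:-}" = "--live" ]; then
    if command -v openconnect >/dev/null 2>&1; then
        oc_report "installed" "$(openconnect --version 2>&1)"
        if openconnect --help 2>&1 | grep -q -- '--external-browser'; then
            echo "installed: CLI advertises --external-browser"
        else
            echo "installed: CLI does not advertise --external-browser"
        fi
    else
        echo "installed: openconnect not found in PATH"
    fi
fi
```

Run it as `sh oc-check.sh --live` on the affected machine. A "too old" result means the client side is the blocker regardless of what IT does on the ASA; a "new enough" result with the connection still failing points at the server not allowing or forcing external browsers (Ehren's item 3), which only the VPN administrator can change.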