Bug 448153

Summary: Unable to access the VPN network in double authentication mode (AnyConnect SAML/SSO)
Product: [Plasma] plasmashell
Reporter: antonio <antdev66>
Component: Networks widget
Assignee: Jan Grulich <jgrulich>
Status: RESOLVED FIXED
Severity: normal
CC: akiskost97, dwmw2, ehren.bendler, ephemient, joel, karli, mekius, nate, nicolas.fella, physkets, sergeychepurko, sokann, strijbol.niko, strm.50, yhetti
Priority: NOR
Version First Reported In: master
Target Milestone: 1.0
Platform: Debian unstable
OS: Linux
Latest Commit:
Version Fixed/Implemented In: 6.0
Sentry Crash Report:

Description antonio 2022-01-09 07:47:30 UTC
SUMMARY
The applet does not show the browser window for entering the access credentials for the VPN network in double authentication mode.

STEPS TO REPRODUCE
- Create a new Cisco AnyConnect VPN network (OpenConnect)
- Insert the gateway
- Save the configuration

OBSERVED RESULT
- Try to access the VPN network (NetworkManager widget: click on "Connect")
- The log shows: "No SSO handler"

EXPECTED RESULT
- The browser window appears so that the access credentials can be entered

ADDITIONAL INFORMATION
	POST https://xxxxxxx/
	Attempting to connect to server xxx.xxx.xxx.xxx:443
	Connected to xxx.xxx.xxx.xxx:443
	SSL negotiation with xxxxxxx
	Connected to HTTPS on xxxxxxx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
	Got HTTP response: HTTP/1.1 200 OK
	Content-Type: text/xml; charset=utf-8
	Transfer-Encoding: chunked
	Cache-Control: no-store
	Pragma: no-cache
	Connection: Keep-Alive
	Date: Sun, 09 Jan 2022 07:34:44 GMT
	X-Frame-Options: SAMEORIGIN
	Strict-Transport-Security: max-age=31536000; includeSubDomains
	X-Content-Type-Options: nosniff
	X-XSS-Protection: 1
	Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
	X-Aggregate-Auth: 1
	HTTP body chunked (-2)
	POST XML abilitato
	No SSO handler

From GNOME interface, instead, everything works fine.

Thank you,
Antonio

SOFTWARE/OS VERSIONS
KDE Plasma Version: 5.23.5
KDE Frameworks Version: 5.89.0
Qt Version: 5.15.2
Comment 1 Ehren Bendler 2022-06-17 11:37:01 UTC
For what it's worth, I took a crack at implementing support for this using QtWebEngineView (loosely based on the nm-openconnect code for the same) and was not able to get it working.

I won't pretend to be a Qt expert, but I was able to get plasma-nm to pop the window at an appropriate time but got stuck at a repeated SIGTRAP in the underlying Chromium code in Qt 5.15. 

The latest OpenConnect API has support for launching a desktop browser, but I did not try using that yet. That might be a better solution going forward, so that the authentication support is not tied to whatever version of Chromium Qt picked for a given release.
Comment 2 Ehren Bendler 2022-06-17 12:23:06 UTC
That said, external browser use is a tough edge case.

One has to have:
1) The latest OpenConnect, built against a recent version of OpenSSL/GnuTLS
2) A recent version of the AnyConnect server
3) The *server* has to be setup to allow/force external browsers
4) The applet has to be built with the callback added

I can't work on that since my company does not have #3.
Comment 3 mixo 2022-07-17 19:41:06 UTC
*** This bug has been confirmed by popular vote. ***
Comment 4 mekius 2022-08-04 16:56:57 UTC
(In reply to Ehren Bendler from comment #2)
> That said, external browser use is a tough edge case.
> 
> One has to have:
> 1) The latest OpenConnect, built against a recent version of OpenSSL/GnuTLS
> 2) A recent version of the AnyConnect server
> 3) The *server* has to be setup to allow/force external browsers
> 4) The applet has to be built with the callback added
> 
> I can't work on that since my company does not have #3.

I happen to have a company with one of these VPNs so I may take a stab at learning some new things.  Do you still have this experimental code around for me to look at and possibly use as a starting point?
Comment 5 Joel Holdsworth 2022-11-03 22:11:27 UTC
I also work at a company with forced SSO. I can test any experimental code.
Comment 7 Joel Holdsworth 2023-01-23 14:11:12 UTC
I backported the following patches by Rahul to v5.26.5 on my system, and I can confirm that this fixes the issue:

* 408cca64: Add support for openconnect_set_external_browser_callback introduced in openconnect v9.0 (libopenconnect 5.8) using QDesktopServices
* 4654501e: Remove UB parameter passing to va_list argument in OpenconnectAuthWorkerThread::openUri
* f7bb3a1f: Add support for SAML based authentication when using OpenConnect VPN
* 7e7690db: Clean up braceless single line conditionals in openconnectauthworkerthread.cpp
Comment 8 Joel Holdsworth 2023-01-23 14:13:05 UTC
Note that Rahul's other patch to OpenConnect is also required to successfully connect to the VPN.

* 0e82c937: Do not add 'single-sign-on' to the capabilities list for AnyConnect auth requests
Comment 9 Nate Graham 2023-01-25 21:35:56 UTC
Fixed in Plasma 6 by Rahul Rameshbabu with https://invent.kde.org/plasma/plasma-nm/-/commit/6ef64be8645ac32fc0b42df2cee5d9ff3b57e485!
Comment 10 Karli Sjöberg 2024-03-13 15:00:18 UTC
What chance does this have of making it back to stable 5? Currently only GNOME's applet works with AnyConnect MFA, and seeing as more and more companies and organizations are moving towards a stricter security policy, a large number of people are going to be affected by this sooner than Plasma 6 hits any mainline distros (at least I am ;))

SOFTWARE/OS VERSIONS
OS: openSUSE Leap 15.5
KDE Plasma Version: 5.27.9
KDE Frameworks Version: 5.102.0
Qt Version: 5.15.8
Comment 11 Ehren Bendler 2024-03-13 15:17:54 UTC
(In reply to Karli Sjöberg from comment #10)
> What chance does this have of making it back to stable 5? Currently only
> GNOME's applet works with AnyConnect MFA, and seeing as more and more
> companies and organizations are moving towards a stricter security policy, a
> large number of people are going to be affected by this sooner than Plasma 6
> hits any mainline distros (at least I am ;))

I believe that the Qt 5.15 WebEngine is the problem for advanced auth, so very low. You should engage your IT to enable "ext-browser" on the server side, which does work in Plasma 5.27 after you update openconnect.
Comment 12 Ben Cooksley 2024-12-23 18:26:06 UTC
Bulk transfer as requested in T17796
Comment 13 akiskost97 2025-10-22 16:40:06 UTC
I am using
KDE Plasma version: 5.27.5
KDE Frameworks version: 5.103.0

The company VPN requires SSO and I still get the message "No SSO handler found". Also, the native Cisco client app crashes when trying to log in to the VPN. On GNOME it works fine.
It is sad that we cannot use KDE. Are there any specific instructions that we could try to backport the fix?

The VPN works fine on GNOME, and the browser window to log in works from both the Cisco client and the system UI.