Bug 480661

Summary: OpenConnect GlobalProtect VPN connection with SAML no longer works since RC2
Product: [Applications] systemsettings Reporter: zsolt
Component: kcm_networkmanagementAssignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED ---    
Severity: major CC: agsimmons0, chermnykh2001, jgrulich, lassi.vaatamoinen, MurzNN, nate, zsolt
Priority: NOR Keywords: qt6
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: screenshot of the VPN connection window the error message

Description zsolt 2024-02-01 08:16:39 UTC 
Created attachment 165428 [details]
screenshot of the VPN connection window the error message

SUMMARY
***
While on RC1, I could successfully connect to a PAN Global Protect VPN. However, since updating to RC2, it fails with "Failed to parse XML server response". The GlobalProtect VPN server that I am using has SAML authentication with Okta. When connecting to the VPN, I can actually go through the Okta step, and it fails right before selecting the actual gateway (which, again, used to work on RC1).

***


STEPS TO REPRODUCE
1. Create a VPN connection of type "PAN Global Protect"
2. Connect to it, and go through the SAML / Okta 2FA

OBSERVED RESULT
Observe the "Failed to parse XML server response" error (see attachment).

EXPECTED RESULT
The connection should work.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: Arch Linux with KDE Unstable
(available in About System)
KDE Plasma Version: 5.93.0
KDE Frameworks Version: 5.249.0
Qt Version: 6.7.0

ADDITIONAL INFORMATION

The debug logs end with:

POST https://my-redacted-vpn-server.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 01 Feb 2024 07:04:02 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 291
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: ... redacted...
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (291)
GlobalProtect portal configuration lists no gateway servers.
Failed to parse XML server response
Response was: <?xml version="1.0" encoding="UTF-8" ?>
<policy>
<has-config>no</has-config>
<user-group-loaded>yes</user-group-loaded>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
<password-exp-days>0</password-exp-days></policy>
Comment 1 Lassi Väätämöinen 2024-08-28 12:43:41 UTC 
(In reply to zsolt from comment #0)
> Created attachment 165428 [details]
> screenshot of the VPN connection window the error message
> 
> SUMMARY
> ***
> While on RC1, I could successfully connect to a PAN Global Protect VPN.
> However, since updating to RC2, it fails with "Failed to parse XML server
> response".

Not sure which RC-versions these are, the info is missing. I am experiencing similar issue with
openconnect    9.12-3.1
NetworkManager-openconnect    1.2.10-3.1

This is my first time attempting connecting to GlobalProtect using Openconnect, so I am not sure if I am doing everything correctly. But my XML parsing issue seems to be similar.

TRACE

POST https://SERVERADDRESSHIDDEN.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 62.176.54.11:443
Connected to 62.176.54.11:443
SSL negotiation with SERVERADDRESSHIDDEN.com
Connected to HTTPS on SERVERADDRESSHIDDEN.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 12:39:34 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 475
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (475)
Prelogin form _login: "Username: " user(TEXT)=, "Password: " passwd(PASSWORD)
POST https://SERVERADDRESSHIDDEN.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 12:40:13 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 251
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (251)
GlobalProtect portal configuration lists no gateway servers.
Failed to parse XML server response
Response was: <?xml version="1.0" encoding="UTF-8" ?>
<policy>
<has-config>no</has-config>
<user-group-loaded>yes</user-group-loaded>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
</policy>
POST https://SERVERADDRESSHIDDEN.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 12:40:16 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 475
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (475)
Prelogin form _login: "Username: " user(TEXT)=, "Password: " passwd(PASSWORD)
POST https://SERVERADDRESSHIDDEN.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 12:40:39 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 251
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (251)
GlobalProtect portal configuration lists no gateway servers.
Failed to parse XML server response
Response was: <?xml version="1.0" encoding="UTF-8" ?>
<policy>
<has-config>no</has-config>
<user-group-loaded>yes</user-group-loaded>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
</policy>
Comment 2 Lassi Väätämöinen 2024-08-28 14:02:46 UTC 
(In reply to Lassi Väätämöinen from comment #1)
> openconnect    9.12-3.1
> NetworkManager-openconnect    1.2.10-3.1
> 
> This is my first time attempting connecting to GlobalProtect using
> Openconnect, so I am not sure if I am doing everything correctly. But my XML
> parsing issue seems to be similar.

Actually, I now selected reported OS as "Windows" and got connected.

First I verified it using 'openconnect --protocol=gp --os=win ...' .  But also using from the NetworkManager GUI  works.