Bug 504637

Summary: [openconnect] GlobalProtect with SSO does not detect successful login flow
Product: [Plasma] plasmashell Reporter: Malte S. Stretz <mss>
Component: Networking in generalAssignee: Plasma Bugs List <plasma-bugs-null>
Status: REOPENED ---    
Severity: normal CC: nate, nicolas.fella
Priority: HI    
Version First Reported In: 6.3.5   
Target Milestone: 1.0   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Screenshot

Description Malte S. Stretz 2025-05-21 20:06:31 UTC 
SUMMARY

I have to connect to a GlobalConnect VPN which is protected by Microsoft SSO. The SSO login does not show any errors fine but after the MFA verification I am just thrown back to the initial screen where I have to enter my username.

I verified via gp-saml-gui that this isn't a general OpenConnect issue.

I then enabled the Developer Tools for kded (by setting the proper environment variable as documented at https://doc.qt.io/qt-6/qtwebengine-debugging.html#qt-webengine-developer-tools via `systemctl --user edit plasma-kded6`) and there I discovered that the SAML flow actually resulted in the typical "Login Successful!" screen (cf. screenshot). It looks like the applet then replaces the QtWebEngine with a new instance which retries the login flow.

STEPS TO REPRODUCE
1. Create a GlobalConnect VPN connection to a Portal which is configured for Microsoft SSO.
2. Connect, follow the login flow.

OBSERVED RESULT
After the MFA is verified the initial login srceen appears again.

EXPECTED RESULT
Connection established

SOFTWARE/OS VERSIONS
Operating System: KDE neon 6.3
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.14.0
Qt Version: 6.9.0
Kernel Version: 6.11.0-25-generic (64-bit)
Graphics Platform: Wayland

ADDITIONAL INFORMATION
openconnect 9.12-1build5
Comment 1 Malte S. Stretz 2025-05-21 20:06:47 UTC 
Created attachment 181627 [details]
Screenshot
Comment 2 Malte S. Stretz 2025-05-21 20:32:23 UTC 
This https://invent.kde.org/exzombie/plasma-nm/-/blob/v6.2.2/vpn/openconnect/openconnectauth.cpp?ref_type=tags#L540 looks like it should pass the correct info to https://gitlab.com/openconnect/openconnect/-/blob/v9.12/gpst.c?ref_type=tags#L1372.

I just wonder if those other signals here https://invent.kde.org/exzombie/plasma-nm/-/blob/v6.2.2/vpn/openconnect/openconnectauth.cpp?ref_type=tags#L639 which also trigger openconnect_webview_load_changed but without any headers might cause an issue.
Comment 3 Nate Graham 2025-08-19 22:56:06 UTC 

*** This bug has been marked as a duplicate of bug 479937 ***
Comment 4 Malte S. Stretz 2025-08-20 05:41:28 UTC 
Not a duplicate of 479937: It looks like that one doesn't use SSO and the OpenConnect client is actually successfully started, it just fails to connect properly or the NM widget fails to detect that state.

In this case the SSO embedded browser window pops up, authentication there is successful but at the end the flow just restarts. Ie. the successful authentication is not detected (should happen based on the headers).

The journal only shows the "org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth" from that other report bbut nothing afterwards. There is some apparmor DENIED logged for kded6 though:

Aug 20 07:31:00 localhost wpa_supplicant[1038]: wl: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-43 noise=9999 txrate=400000
Aug 20 07:31:09 localhost NetworkManager[1167]: <info>  [1755667869.0807] audit: op="statistics" interface="wl" ifindex=3 args="2000" pid=1715 uid=1000 result="success"
Aug 20 07:31:15 localhost plasmashell[1715]: QDBusObjectPath: invalid path ""
Aug 20 07:31:15 localhost NetworkManager[1167]: <info>  [1755667875.8701] vpn[0x5ffcee2de320,34f18b94-b6bb-46c4-a7db-1db0e5a129ae,"VPN"]: starting openconnect
Aug 20 07:31:15 localhost NetworkManager[1167]: <info>  [1755667875.8736] audit: op="connection-activate" uuid="34f18b94-b6bb-46c4-a7db-1db0e5a129ae" name="VPN" pid=1715 uid=1000 result="success"
Aug 20 07:31:15 localhost kded6[1628]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Aug 20 07:31:15 localhost kwalletd6[1857]: kf.wallet.kwalletd: "Item not found"
Aug 20 07:31:16 localhost generate[84079]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.
Aug 20 07:31:16 localhost systemd[1]: Reloading requested from client PID 84082 ('systemctl') (unit NetworkManager.service)...
Aug 20 07:31:16 localhost systemd[1]: Reloading...
Aug 20 07:31:17 localhost systemd[1]: Reloading finished in 779 ms.
Aug 20 07:31:17 localhost systemd[1]: anacron.service - Run anacron jobs was skipped because of an unmet condition check (ConditionACPower=true).
Aug 20 07:31:17 localhost systemd[1]: apt-daily.service - Daily apt download activities was skipped because of an unmet condition check (ConditionACPower=true).
Aug 20 07:31:17 localhost systemd[1]: Starting motd-news.service - Message of the Day...
Aug 20 07:31:17 localhost systemd[1]: motd-news.service: Deactivated successfully.
Aug 20 07:31:17 localhost systemd[1]: Finished motd-news.service - Message of the Day.
Aug 20 07:31:17 localhost kwalletd6[1857]: kf.wallet.kwalletd: "Item not found"
Aug 20 07:31:29 localhost kernel: audit: type=1400 audit(1755667889.152:185): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=1628 comm="kded6" requested="userns_creat>
Aug 20 07:31:29 localhost kernel: audit: type=1400 audit(1755667889.165:186): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=84217 comm="kded6" capability=21  capname="sys_admin"