SUMMARY
GlobalProtect servers that ask for SAML login do not interactively request additional information.

STEPS TO REPRODUCE
1. Create a connection with the openconnect gp plugin for a server that requires SAML auth
2. Attempt to connect
3. Authentication always fails because SAML requests appear to be ignored

OBSERVED RESULT
POST https://vpn.host.net/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server ip.v4.host.addr:443
Connected to ip.v4.host.addr:443
SSL negotiation with vpn.host.net
Connected to HTTPS on vpn.host.net with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 15 Oct 2021 21:17:58 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2104
Connection: keep-alive
ETag: "167860b854d7"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; path=/; secure; httponly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (2104)
SAML POST authentication is required via external script.
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>login through Okta</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>PG... ... very long stuff ... ...DQo=</saml-request>
<region>US</region>
</prelogin-response>

EXPECTED RESULT

SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma: (available in About System)
KDE Plasma Version:
KDE Frameworks Version:
Qt Version:

ADDITIONAL INFORMATION
The SAML handshake decoded from base64:

<html>
<body>
<form id="myform" method="POST" action="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****d6/sso/saml">
<input type="hidden" name="SAMLRequest" value="PH...c3Q+" />
<input type="hidden" name="RelayState" value="NwM******==" />
</form>
<script>
document.getElementById('myform').submit();
</script>
</body>
</html>

and the SAML request itself:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://vpn.host.net:443/SAML20/SP/ACS" Destination="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****1d6/sso/saml" ID="_46******53c" IssueInstant="2021-10-27T18:14:30Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://vpn.host.net:443/SAML20/SP</saml:Issuer>
</samlp:AuthnRequest
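The report above shows the three layers of the GlobalProtect SAML prelogin handshake: the prelogin-response XML carries a base64 <saml-request>, which decodes to an auto-submitting HTML form, whose SAMLRequest field is (for the HTTP-POST binding) plain base64 of the AuthnRequest. The script below is an added example, not code from the bug report, openconnect or plasma-nm: it builds a constructed prelogin response of the same shape (placeholder host names, app ID, request ID and RelayState), decodes it layer by layer, and applies the consistency checks a client should make before handing the form to a browser or external script: the form action must be https and must equal the AuthnRequest Destination, the AssertionConsumerServiceURL must point back at the VPN gateway, the binding must be HTTP-POST, and RelayState must be present. The check function and its field names are this example's own, not openconnect's API.

```python
"""Decode and sanity-check a GlobalProtect SAML prelogin handshake (offline).

Added example: all values below are constructed placeholders in the shape
of the bug report, not the real hosts, IDs or tokens.
"""
import base64
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed AuthnRequest mirroring the one decoded in the report.
IDP_URL = "https://testingurl.oktapreview.com/app/panw_globalprotect/example-app-id/sso/saml"
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://vpn.host.net:443/SAML20/SP/ACS" '
    f'Destination="{IDP_URL}" ID="_example-request-id" '
    'IssueInstant="2021-10-27T18:14:30Z" '
    f'ProtocolBinding="{HTTP_POST}" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://vpn.host.net:443/SAML20/SP</saml:Issuer></samlp:AuthnRequest>"
)


def build_form(action, authn_request_xml, relay_state):
    """Constructed auto-submitting form, as the gateway embeds it (layer 2)."""
    saml_b64 = base64.b64encode(authn_request_xml.encode()).decode()
    return (
        "<html><body>"
        f'<form id="myform" method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{saml_b64}" />'
        f'<input type="hidden" name="RelayState" value="{relay_state}" />'
        "</form><script>document.getElementById('myform').submit();</script>"
        "</body></html>"
    )


def build_prelogin_response(form_html):
    """Constructed prelogin-response wrapping the form (layer 1)."""
    form_b64 = base64.b64encode(form_html.encode()).decode()
    return (
        '<?xml version="1.0" encoding="UTF-8" ?><prelogin-response>'
        "<status>Success</status><saml-auth-method>POST</saml-auth-method>"
        "<saml-request-timeout>600</saml-request-timeout>"
        f"<saml-request>{form_b64}</saml-request><region>US</region>"
        "</prelogin-response>"
    )


def parse_prelogin(xml_text):
    """Layer 1: pull the base64 form out of the prelogin-response XML."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "prelogin-response" or root.findtext("status") != "Success":
        raise ValueError("unexpected prelogin response")
    if root.findtext("saml-auth-method") != "POST" or not root.findtext("saml-request"):
        raise ValueError("not a SAML POST prelogin")
    return base64.b64decode(root.findtext("saml-request")).decode()


FORM_RE = re.compile(r'<form[^>]*\baction="([^"]+)"', re.I)
INPUT_RE = re.compile(r'<input[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"', re.I)


def parse_form(form_html):
    """Layer 2: form action plus the hidden fields it would POST to the IdP."""
    m = FORM_RE.search(form_html)
    if not m:
        raise ValueError("no form action in SAML request HTML")
    fields = {html.unescape(n): html.unescape(v) for n, v in INPUT_RE.findall(form_html)}
    return html.unescape(m.group(1)), fields


def parse_authn_request(saml_request_b64):
    """Layer 3: HTTP-POST binding carries the AuthnRequest as plain base64 XML."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAML_NS['samlp']}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find("saml:Issuer", SAML_NS)
    return {
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "issuer": issuer.text if issuer is not None else None,
    }


def check_handshake(prelogin_xml, vpn_host):
    """Decode all layers and list mismatches a client should refuse to follow."""
    action, fields = parse_form(parse_prelogin(prelogin_xml))
    req = parse_authn_request(fields["SAMLRequest"])
    problems = []
    if urlparse(action).scheme != "https":
        problems.append("form action is not https")
    if action != req["destination"]:
        problems.append("form action differs from AuthnRequest Destination")
    if urlparse(req["acs"] or "").hostname != vpn_host:
        problems.append("ACS URL does not point back at the VPN gateway")
    if req["binding"] != HTTP_POST:
        problems.append("unexpected SAML binding")
    if "RelayState" not in fields:
        problems.append("RelayState missing")
    return {"idp_url": action, "acs": req["acs"], "issuer": req["issuer"],
            "relay_state": fields.get("RelayState"), "problems": problems}


if __name__ == "__main__":
    good = build_prelogin_response(build_form(IDP_URL, AUTHN_REQUEST, "example-relay=="))
    print(check_handshake(good, "vpn.host.net"))
```

The Destination-versus-action check matters because the form is the only thing a browser sees: a gateway or on-path party that swaps the action for another URL while leaving the signed-looking AuthnRequest intact would send the user's IdP session to the wrong place. Note that the HTTP-Redirect binding would instead deflate the request and put it in the query string, so the same decoder does not apply there.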
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/316
Git commit 828b554dd1c35755525bdc8645bbaf738075cc73 by Nicolas Fella, on behalf of Rahul Rameshbabu.
Committed on 27/12/2023 at 16:23.
Pushed by nicolasfella into branch 'master'.

Add GlobalProtect SAML based authentication support with OpenConnect VPN

Pass HTTP response headers to libopenconnect SAML handling functionality. libopenconnect will process the headers and authenticate with GlobalProtect gateways.

This change depends on Qt>=6.6 for the needed changes in QtWebEngine that enable HTTP response header extraction.

Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>

M +49 -19 vpn/openconnect/openconnectauth.cpp
M +2 -0 vpn/openconnect/openconnectauth.h

https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73
Bulk transfer as requested in T17796