Bug 444500 - GlobalProtect SAML request/response ignored
Summary: GlobalProtect SAML request/response ignored
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Plasma
Component: Networking in general (show other bugs)
Version: master
Platform: Fedora RPMs Linux
: NOR normal
Target Milestone: 1.0
Assignee: Jan Grulich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-27 17:56 UTC by jdbarnes
Modified: 2024-12-23 18:23 UTC (History)
3 users (show)

See Also:
Latest Commit: https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73
Version Fixed In: 6.0
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description jdbarnes 2021-10-27 17:56:03 UTC 
SUMMARY
Globalprotect servers that ask for SAML login do not interactively request additional information.

STEPS TO REPRODUCE
1. Create connection with openconnect gp plugin for server that requires a SAML auth
2. Attempt connect
3. Authentication always fails because SAML requests appear to be ignored

OBSERVED RESULT

POST https://vpn.host.net/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server ip.v4.host.addr:443
Connected to ip.v4.host.addr:443
SSL negotiation with vpn.host.net
Connected to HTTPS on vpn.host.net with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 15 Oct 2021 21:17:58 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2104
Connection: keep-alive
ETag: "167860b854d7"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; path=/; secure; httponly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (2104)
SAML POST authentication is required via external script.
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>login through Okta</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>PG...
... very long stuff ...
...DQo=</saml-request><region>US</region>
</prelogin-response>



EXPECTED RESULT


SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Comment 1 jdbarnes 2021-10-27 18:21:49 UTC 
The saml handshake decoded from base 64:

<html>
<body>
<form id="myform" method="POST" action="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****d6/sso/saml">
<input type="hidden" name="SAMLRequest" value="PH...c3Q+" />
<input type="hidden" name="RelayState" value="NwM******==" />
</form>
<script>
  document.getElementById('myform').submit();
</script>
</body>
</html>

and the SAML request itself:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://vpn.host.net:443/SAML20/SP/ACS" Destination="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****1d6/sso/saml" ID="_46******53c" IssueInstant="2021-10-27T18:14:30Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://vpn.host.net:443/SAML20/SP</saml:Issuer></samlp:AuthnRequest
Comment 2 Bug Janitor Service 2023-12-21 02:20:09 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/316
Comment 3 Nicolas Fella 2023-12-27 15:24:33 UTC 
Git commit 828b554dd1c35755525bdc8645bbaf738075cc73 by Nicolas Fella, on behalf of Rahul Rameshbabu.
Committed on 27/12/2023 at 16:23.
Pushed by nicolasfella into branch 'master'.

Add GlobalProtect SAML based authentication support with OpenConnect VPN

Pass HTTP response headers to libopenconnect SAML handling functionality.
libopenconnect will process the headers and authenticate with GlobalProtect
gateways.

This change depends on Qt>=6.6 for the needed changes in QtWebEngine that
enable HTTP response header extraction.
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>

M  +49   -19   vpn/openconnect/openconnectauth.cpp
M  +2    -0    vpn/openconnect/openconnectauth.h

https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73
Comment 4 Ben Cooksley 2024-12-23 18:23:43 UTC 
Bulk transfer as requested in T17796