Bug 444500 - GlobalProtect SAML request/response ignored
Summary: GlobalProtect SAML request/response ignored
Status: RESOLVED FIXED
Alias: None
Product: plasma-nm
Classification: Plasma
Component: general
Version: 5.22.5
Platform: Fedora RPMs Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Jan Grulich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-27 17:56 UTC by jdbarnes
Modified: 2024-01-13 00:44 UTC
CC List: 3 users

See Also:
Latest Commit:
Version Fixed In: 6.0


Attachments

Description jdbarnes 2021-10-27 17:56:03 UTC
SUMMARY
GlobalProtect servers that ask for SAML login do not interactively request additional information.

STEPS TO REPRODUCE
1. Create a connection with the openconnect gp plugin for a server that requires SAML auth
2. Attempt to connect
3. Authentication always fails because SAML requests appear to be ignored

OBSERVED RESULT

POST https://vpn.host.net/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server ip.v4.host.addr:443
Connected to ip.v4.host.addr:443
SSL negotiation with vpn.host.net
Connected to HTTPS on vpn.host.net with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 15 Oct 2021 21:17:58 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2104
Connection: keep-alive
ETag: "167860b854d7"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; path=/; secure; httponly
Set-Cookie: PHPSESSID=e39b5e7553f960ebf2f91de23ff3bc5d; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (2104)
SAML POST authentication is required via external script.
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>login through Okta</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>PG...
... very long stuff ...
...DQo=</saml-request><region>US</region>
</prelogin-response>



EXPECTED RESULT


SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Comment 1 jdbarnes 2021-10-27 18:21:49 UTC
The SAML handshake decoded from base64:

<html>
<body>
<form id="myform" method="POST" action="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****d6/sso/saml">
<input type="hidden" name="SAMLRequest" value="PH...c3Q+" />
<input type="hidden" name="RelayState" value="NwM******==" />
</form>
<script>
  document.getElementById('myform').submit();
</script>
</body>
</html>

and the SAML request itself:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://vpn.host.net:443/SAML20/SP/ACS"
    Destination="https://testingurl.oktapreview.com/app/panw_globalprotect/ex*****1d6/sso/saml"
    ID="_46******53c"
    IssueInstant="2021-10-27T18:14:30Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://vpn.host.net:443/SAML20/SP</saml:Issuer>
</samlp:AuthnRequest>
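The prelogin exchange above, worked through as an added example (my code, not plasma-nm's or OpenConnect's): it parses a constructed prelogin-response of the same shape, base64-decodes the saml-request element into the auto-submit form, pulls out the form action, SAMLRequest and RelayState, decodes the AuthnRequest, and applies the checks a client should make before handing the form to a browser. Destination must equal the form action, and AssertionConsumerServiceURL and Issuer must sit on the gateway host the user asked for; otherwise a hostile or misconfigured gateway could steer the assertion somewhere else. Hostnames, the IdP app ID, the request ID and the RelayState are placeholders I made up; the masked values in the report are not reconstructed. The example goes one step beyond the report by also handling the HTTP-Redirect binding (base64 of raw DEFLATE), which the reporter's gateway did not use.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample input: placeholder hosts and IDs, not the reporter's values.
VPN_HOST = "vpn.host.net"
IDP_ACS = "https://idp.example.test/app/panw_globalprotect/exampleAppId/sso/saml"
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
    f'AssertionConsumerServiceURL="https://{VPN_HOST}:443/SAML20/SP/ACS" '
    f'Destination="{IDP_ACS}" ID="_exampleid" IssueInstant="2021-10-27T18:14:30Z" '
    f'ProtocolBinding="{POST_BINDING}" Version="2.0">'
    f'<saml:Issuer xmlns:saml="{SAML}">https://{VPN_HOST}:443/SAML20/SP</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def build_prelogin_response(authn_request_xml: str, form_action: str) -> str:
    """Assemble a prelogin-response like the one in the report (constructed)."""
    form_html = (
        '<html><body>'
        f'<form id="myform" method="POST" action="{html.escape(form_action, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{b64(authn_request_xml)}" />'
        '<input type="hidden" name="RelayState" value="relay-state-opaque" />'
        "</form><script>document.getElementById('myform').submit();</script>"
        '</body></html>'
    )
    return (
        '<?xml version="1.0" encoding="UTF-8" ?><prelogin-response>'
        '<status>Success</status><saml-default-browser>yes</saml-default-browser>'
        '<saml-auth-status>0</saml-auth-status><saml-auth-method>POST</saml-auth-method>'
        '<saml-request-timeout>600</saml-request-timeout><saml-request-id>0</saml-request-id>'
        f'<saml-request>{b64(form_html)}</saml-request><region>US</region></prelogin-response>'
    )


FORM_RE = re.compile(r'<form\b[^>]*\baction="([^"]*)"', re.I)
INPUT_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"', re.I)


def parse_prelogin(xml_text: str) -> dict:
    """Return the SAML-relevant prelogin fields, with saml-request decoded to its form."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response" or root.findtext("status") != "Success":
        raise ValueError("unexpected prelogin response")
    method, req_b64 = root.findtext("saml-auth-method"), root.findtext("saml-request")
    if method is None or req_b64 is None:
        raise ValueError("prelogin response does not request SAML")
    form_html = base64.b64decode(req_b64).decode()
    action = FORM_RE.search(form_html)
    fields = {html.unescape(k): html.unescape(v) for k, v in INPUT_RE.findall(form_html)}
    if action is None or "SAMLRequest" not in fields:
        raise ValueError("saml-request HTML carries no SAML form")
    return {"method": method, "timeout": int(root.findtext("saml-request-timeout") or 0),
            "form_action": html.unescape(action.group(1)), "fields": fields}


def decode_authn_request(saml_request: str, method: str) -> ET.Element:
    """HTTP-POST binding: plain base64 of the XML. HTTP-Redirect: base64 of raw DEFLATE."""
    raw = base64.b64decode(saml_request)
    if method.upper() == "REDIRECT":
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)


def check_saml_request(prelogin: dict, expected_vpn_host: str) -> list:
    """Sanity checks a client should apply before handing the form to a browser."""
    req = decode_authn_request(prelogin["fields"]["SAMLRequest"], prelogin["method"])
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"not an AuthnRequest: {req.tag}"]
    findings = []
    acs = req.get("AssertionConsumerServiceURL", "")
    if req.get("Destination") != prelogin["form_action"]:
        findings.append("Destination does not match the form action")
    if urlsplit(acs).scheme != "https" or urlsplit(acs).hostname != expected_vpn_host:
        findings.append(f"AssertionConsumerServiceURL points off-gateway: {acs}")
    if prelogin["method"].upper() == "POST" and req.get("ProtocolBinding") != POST_BINDING:
        findings.append("ProtocolBinding disagrees with saml-auth-method")
    issuer = req.findtext(f"{{{SAML}}}Issuer") or ""
    if urlsplit(issuer).hostname != urlsplit(acs).hostname:
        findings.append("Issuer host differs from ACS host")
    return findings


if __name__ == "__main__":
    pre = parse_prelogin(build_prelogin_response(AUTHN_REQUEST, IDP_ACS))
    print(pre["form_action"], check_saml_request(pre, VPN_HOST))
```

Run it directly to see the form action and an empty findings list for the well-formed case; moving the ACS URL off the gateway host makes the checks return findings instead, which is the point at which a client should refuse to open the form.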
Comment 2 Bug Janitor Service 2023-12-21 02:20:09 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/316
Comment 3 Nicolas Fella 2023-12-27 15:24:33 UTC
Git commit 828b554dd1c35755525bdc8645bbaf738075cc73 by Nicolas Fella, on behalf of Rahul Rameshbabu.
Committed on 27/12/2023 at 16:23.
Pushed by nicolasfella into branch 'master'.

Add GlobalProtect SAML based authentication support with OpenConnect VPN

Pass HTTP response headers to libopenconnect SAML handling functionality.
libopenconnect will process the headers and authenticate with GlobalProtect
gateways.

This change depends on Qt>=6.6 for the needed changes in QtWebEngine that
enable HTTP response header extraction.
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>

M  +49   -19   vpn/openconnect/openconnectauth.cpp
M  +2    -0    vpn/openconnect/openconnectauth.h

https://invent.kde.org/plasma/plasma-nm/-/commit/828b554dd1c35755525bdc8645bbaf738075cc73
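As an added illustration of the completion step the commit above refers to (my code, not plasma-nm's or libopenconnect's): once the IdP has posted the assertion back to the gateway, the result comes back in the gateway's HTTP response headers rather than in anything the user sees on the page, which is why an embedded browser that cannot expose response headers (the Qt older than 6.6 case the commit mentions) could not finish the login. The header names (saml-auth-status, saml-username, prelogin-cookie, portal-userauthcookie) and the openconnect invocation at the end are what I understand OpenConnect's GlobalProtect support to accept; the bug page does not list them, so treat them as assumptions of this example. The header values are constructed.

```python
import shlex

STATUS_HDR = "saml-auth-status"          # "1" once the IdP round-trip succeeded
USER_HDR = "saml-username"
COOKIE_HDRS = ("prelogin-cookie", "portal-userauthcookie")  # gateway sets one of them

# Constructed sample of the gateway's final response headers (assumed names).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Saml-Auth-Status": "1",
    "Saml-Username": "jdoe@example.test",
    "Prelogin-Cookie": "constructed-opaque-cookie-value",
}


def extract_saml_result(headers: dict) -> dict:
    """Return {'username', 'field', 'cookie'}, or raise if the login did not complete.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    status = lowered.get(STATUS_HDR)
    if status != "1":
        raise ValueError(f"SAML login not completed: {STATUS_HDR}={status!r}")
    username = lowered.get(USER_HDR)
    if not username:
        raise ValueError("gateway returned no saml-username")
    for field in COOKIE_HDRS:
        cookie = lowered.get(field)
        if cookie:
            return {"username": username, "field": field, "cookie": cookie}
    raise ValueError("gateway returned neither prelogin-cookie nor portal-userauthcookie")


def openconnect_command(result: dict, gateway: str) -> list:
    """Equivalent command line for handing the result to openconnect directly.

    The report's prelogin URL (/global-protect/prelogin.esp) is the portal
    endpoint, hence 'portal:'; the ':field' suffix names the form field that
    receives the cookie, as the message in the report's log describes, and the
    cookie is fed on stdin in place of a password.
    """
    return [
        "openconnect", "--protocol=gp",
        f"--user={result['username']}",
        f"--usergroup=portal:{result['field']}",
        "--passwd-on-stdin", gateway,
    ]


if __name__ == "__main__":
    res = extract_saml_result(SAMPLE_HEADERS)
    print(f"echo {shlex.quote(res['cookie'])} | "
          f"{shlex.join(openconnect_command(res, 'vpn.host.net'))}")
```

The status check comes first on purpose: a gateway that answers with saml-auth-status other than "1" has not accepted the assertion, and a client that only looks for the cookie would happily retry with an empty or stale value.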