SUMMARY
I have to connect to a GlobalConnect VPN which is protected by Microsoft SSO. The SSO login does not show any errors, but after the MFA verification I am just thrown back to the initial screen where I have to enter my username.

I verified via gp-saml-gui that this isn't a general OpenConnect issue.

I then enabled the Developer Tools for kded (by setting the proper environment variable as documented at https://doc.qt.io/qt-6/qtwebengine-debugging.html#qt-webengine-developer-tools via `systemctl --user edit plasma-kded6`) and there I discovered that the SAML flow actually resulted in the typical "Login Successful!" screen (cf. screenshot). It looks like the applet then replaces the QtWebEngine with a new instance which retries the login flow.

STEPS TO REPRODUCE
1. Create a GlobalConnect VPN connection to a Portal which is configured for Microsoft SSO.
2. Connect, follow the login flow.

OBSERVED RESULT
After the MFA is verified the initial login screen appears again.

EXPECTED RESULT
Connection established

SOFTWARE/OS VERSIONS
Operating System: KDE neon 6.3
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.14.0
Qt Version: 6.9.0
Kernel Version: 6.11.0-25-generic (64-bit)
Graphics Platform: Wayland

ADDITIONAL INFORMATION
openconnect 9.12-1build5
Created attachment 181627
Screenshot
This https://invent.kde.org/exzombie/plasma-nm/-/blob/v6.2.2/vpn/openconnect/openconnectauth.cpp?ref_type=tags#L540 looks like it should pass the correct info to https://gitlab.com/openconnect/openconnect/-/blob/v9.12/gpst.c?ref_type=tags#L1372. I just wonder if those other signals here https://invent.kde.org/exzombie/plasma-nm/-/blob/v6.2.2/vpn/openconnect/openconnectauth.cpp?ref_type=tags#L639 which also trigger openconnect_webview_load_changed but without any headers might cause an issue.
*** This bug has been marked as a duplicate of bug 479937 ***
Not a duplicate of 479937: It looks like that one doesn't use SSO and the OpenConnect client is actually successfully started, it just fails to connect properly or the NM widget fails to detect that state.

In this case the SSO embedded browser window pops up, authentication there is successful but at the end the flow just restarts. I.e. the successful authentication is not detected (should happen based on the headers).

The journal only shows the "org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::NeedAuth" from that other report but nothing afterwards. There is some apparmor DENIED logged for kded6 though:

Aug 20 07:31:00 localhost wpa_supplicant[1038]: wl: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-43 noise=9999 txrate=400000
Aug 20 07:31:09 localhost NetworkManager[1167]: <info> [1755667869.0807] audit: op="statistics" interface="wl" ifindex=3 args="2000" pid=1715 uid=1000 result="success"
Aug 20 07:31:15 localhost plasmashell[1715]: QDBusObjectPath: invalid path ""
Aug 20 07:31:15 localhost NetworkManager[1167]: <info> [1755667875.8701] vpn[0x5ffcee2de320,34f18b94-b6bb-46c4-a7db-1db0e5a129ae,"VPN"]: starting openconnect
Aug 20 07:31:15 localhost NetworkManager[1167]: <info> [1755667875.8736] audit: op="connection-activate" uuid="34f18b94-b6bb-46c4-a7db-1db0e5a129ae" name="VPN" pid=1715 uid=1000 result="success"
Aug 20 07:31:15 localhost kded6[1628]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::NeedAuth
Aug 20 07:31:15 localhost kwalletd6[1857]: kf.wallet.kwalletd: "Item not found"
Aug 20 07:31:16 localhost generate[84079]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.
Aug 20 07:31:16 localhost systemd[1]: Reloading requested from client PID 84082 ('systemctl') (unit NetworkManager.service)...
Aug 20 07:31:16 localhost systemd[1]: Reloading...
Aug 20 07:31:17 localhost systemd[1]: Reloading finished in 779 ms.
Aug 20 07:31:17 localhost systemd[1]: anacron.service - Run anacron jobs was skipped because of an unmet condition check (ConditionACPower=true).
Aug 20 07:31:17 localhost systemd[1]: apt-daily.service - Daily apt download activities was skipped because of an unmet condition check (ConditionACPower=true).
Aug 20 07:31:17 localhost systemd[1]: Starting motd-news.service - Message of the Day...
Aug 20 07:31:17 localhost systemd[1]: motd-news.service: Deactivated successfully.
Aug 20 07:31:17 localhost systemd[1]: Finished motd-news.service - Message of the Day.
Aug 20 07:31:17 localhost kwalletd6[1857]: kf.wallet.kwalletd: "Item not found"
Aug 20 07:31:29 localhost kernel: audit: type=1400 audit(1755667889.152:185): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=1628 comm="kded6" requested="userns_creat>
Aug 20 07:31:29 localhost kernel: audit: type=1400 audit(1755667889.165:186): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=84217 comm="kded6" capability=21 capname="sys_admin"