dlenski / gp-saml-gui
Interactively authenticate to GlobalProtect VPNs that require SAML
License: GNU General Public License v3.0
Thanks for this! Unfortunately, it doesn't seem to work quite right with our setup. If you let me know how to get even more verbose logs I can do that for you too. Here's the output with -v:
Got SAML POST, opening browser...
Finished loading about:blank
Finished loading https://company.okta.com/app/panw_globalprotect/[snip]/sso/saml
Finished loading https://company.okta.com/login/sessionCookieRedirect
Finished loading https://[company-vpn].com/SAML20/SP/ACS
Got SAML relevant headers, done: {'saml-auth-status': '1'}
SAML response converted to OpenConnect command line invocation:
echo None |
openconnect --protocol=gp --user=None --usergroup=gateway:None --passwd-on-stdin [company-vpn].com/global-protect/prelogin.esp
HOST='https://[company-vpn].com/global-protect/prelogin.esp/gateway:None'
USER=None
COOKIE=None
Hi Dan,
some time ago you helped me to set up gp-saml-gui. Now something has broken and I can't use openconnect any longer.
I have gp-saml-gui set up as follows:
gp-saml-gui --clientos=Windows --sudo-openconnect --gateway vpn-gw.my-host.com -- --csd-wrapper=/usr/lib/openconnect/hipreport.sh
Here's the exact error:
Looking for SAML auth tags in response to vpn-gw.my-host.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
Here's the https://vpn-gw.my-host.com/ssl-vpn/prelogin.esp content:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Wpisz login i hasło</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>REMOVED_BY_ME</saml-request><auth-api>no</auth-api><region>PL</region>
</prelogin-response>
I'm using the latest OpenConnect for my OS (Arch Linux):
$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script
I'm happy to provide you some more details if needed.
Cheers!
EDIT
There is a workaround: https://stackoverflow.com/a/72245418/2657875
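The prelogin.esp XML in the report above is what decides whether a SAML flow can start at all. As an added example (not gp-saml-gui's own code), the parser below classifies such a response and reports the failure modes seen elsewhere on this page: missing SAML tags, and an HTML page arriving where XML was expected. It assumes that for the REDIRECT method <saml-request> carries the base64-encoded IdP URL; all sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample shaped like the prelogin.esp response quoted above. For the
# REDIRECT method <saml-request> carries the base64-encoded IdP URL (assumption).
SAMPLE_IDP_URL = 'https://idp.example.com/sso/saml?SAMLRequest=c2FtcGxl'
SAMPLE_SAML_PRELOGIN = """<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<authentication-message>Wpisz login i hasło</authentication-message>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>%s</saml-request>
<region>PL</region>
</prelogin-response>""" % base64.b64encode(SAMPLE_IDP_URL.encode()).decode()

# Constructed: a gateway doing plain password auth, so no SAML tags at all.
SAMPLE_PASSWORD_PRELOGIN = """<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<authentication-message>Enter login and password</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
</prelogin-response>"""

# Constructed: an HTML block page in place of prelogin.esp, which the XML
# parser rejects with errors such as "mismatched tag".
SAMPLE_HTML_PAGE = '<html><body><p>Service unavailable</body></html>'


class PreloginError(ValueError):
    """The response cannot be turned into a SAML login attempt."""


def parse_prelogin(body):
    """Validate a prelogin.esp response and return what the browser step needs:
    {'method': 'REDIRECT', 'url': ..., 'idp_host': ...} or {'method': 'POST', 'html': ...}."""
    if isinstance(body, str):
        body = body.encode('utf-8')
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise PreloginError('response is not well-formed XML (%s); an HTML page '
                            'instead of prelogin.esp?' % exc) from exc
    if root.tag != 'prelogin-response':
        raise PreloginError('unexpected root element <%s>' % root.tag)
    status = root.findtext('status')
    if status != 'Success':
        raise PreloginError('prelogin status %r: %s' % (status, root.findtext('msg') or ''))
    method = root.findtext('saml-auth-method')
    request = root.findtext('saml-request')
    if not method or not request:
        raise PreloginError('not a SAML prelogin response '
                            '(<saml-auth-method> or <saml-request> tags missing)')
    method = method.upper()
    if method not in ('REDIRECT', 'POST'):
        raise PreloginError('unsupported SAML method %r' % method)
    try:
        decoded = base64.b64decode(request.strip(), validate=True).decode('utf-8')
    except ValueError as exc:          # binascii.Error and UnicodeDecodeError both derive from it
        raise PreloginError('<saml-request> is not valid base64 text') from exc
    info = {'method': method,
            'timeout': int(root.findtext('saml-request-timeout') or 0),
            'request_id': root.findtext('saml-request-id')}
    if method == 'REDIRECT':
        target = urlparse(decoded)
        # The browser will be pointed here and will hand credentials to it:
        # insist on HTTPS and a host rather than following whatever came back.
        if target.scheme != 'https' or not target.hostname:
            raise PreloginError('refusing non-HTTPS IdP location %r' % decoded)
        info.update(url=decoded, idp_host=target.hostname)
    else:
        info['html'] = decoded      # the auto-submitting form to render
    return info
```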
After upgrading to webkit-gtk 2.36.x the login page is blank, so it is not possible to enter credentials and proceed with the login.
Downgrading to 2.34.x fixes the problem.
Distro: Gentoo
I am using gp-saml-gui to log into a Duo SAML VPN. The authentication succeeds and I can connect to the VPN, but I receive an error during the authentication. I'm not sure what this error does or what it means, because everything seems to be working correctly despite the error.
Here's the standard output in my command line, server name and directory anonymized of course, and gp-saml-gui run with --verbose option:
Looking for SAML auth tags in response to https://vpn.example.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
[REQUEST] Request for resource about:blank
Traceback (most recent call last):
File "/path/to/venv-gp-saml-gui/lib/python3.10/site-packages/gp_saml_gui.py", line 127, in on_load_changed
ct = h.get_content_type()
AttributeError: 'NoneType' object has no attribute 'get_content_type'
I have gp-saml-gui installed in a Python virtual environment.
Command line arguments are:
--allow-insecure-crypto --clientos=Windows -v --gateway vpn.example.com
Just wanted to say a big thank you for the perfect work and explanation!
Any idea of what is going on? I log in successfully with my credentials, and after that I get this error.
Got SAML result headers: {'saml-auth-status': '1'}
I've been using this application with success for some time, but suddenly I started receiving the error "Timeout was reached" when I tried to run something like:
gp-saml-gui -v --no-verify -P --gateway --clientos=Windows the.vpn.address
I checked and the VPN address can be accessed when I try it directly in a browser. Also, I've edited the code so the webview tries to access an arbitrary https URL (in my tests, https://www.google.com) and I also get the timeout. However, if I try to access an 'http' URL, I can load the content.
I'm using Ubuntu 20.04
In order to install with Portage.
I'm using @lkrms fork to get this working on mac, and it's almost working, but I'm hitting an issue during the connection process (so it shouldn't be related to his changes).
add net default: gateway **.**.**.**
is not a recognized network service.
** Error: The parameters were not valid.
Seems to be similar to the issue being reported for this other utility: https://gitlab.com/openconnect/vpnc-scripts/-/issues/45
I'm not seeing any related code where you look for a network device, however. Any pointers, and I can hack on it?
$ ./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net --pfs
usage: gp_saml_gui.py [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp_saml_gui.py: error: unrecognized arguments: --pfs
$ ./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
usage: gp_saml_gui.py [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Windows,Linux}] [-f EXTRA] server [openconnect_extra ...]
gp_saml_gui.py: error: unrecognized arguments: --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
writing the command as:
./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net \ --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
enters the SAML handshake phase, but once the openconnect command is generated, it comes out as
Launching OpenConnect with pkexec, equivalent to:
echo CookieTextHere |
sudo openconnect --protocol=gp [email protected] --os=linux-64 --usergroup=gateway:prelogin-cookie --passwd-on-stdin host.vpn.net ' --csd-wrapper=/usr/libexec/openconnect/hipreport.sh'
which causes openconnect to fail like so:
Too many arguments on command line
Usage: openconnect [options] <server>
Open client for multiple VPN protocols, version v8.10-6.fc34
So, I suppose I could be doing something incorrectly, or not reading something correctly. If there's a way that I can solve this problem without asking you to change code, please let me know.
I naively tried to move openconnect_extra into the openconnect_args array, but got some kind of python list/string conversion error.
I am getting on RH7:
pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
Using cached https://github.com/dlenski/gp-saml-gui/archive/master.zip
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-jbakt529-build/setup.py", line 18, in <module>
long_description=open("README.md").read(),
File "/usr/lib64/python3.6/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 4972: ordinal not in range(128)
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-jbakt529-build/
As I understand it, it was caused by a funny character on line 126 of README.md.
Trying to connect to vpn server at unimelb:
WEBKIT_DISABLE_COMPOSITING_MODE=1 gp-saml-gui --allow-insecure-crypto vpn.unimelb.edu.au
Setting WEBKIT_DISABLE_COMPOSITING avoids the bug in #41.
--allow-insecure-crypto seems to be required for this VPN. Yuck.
This in turn works and asks me to run the following command:
echo <censored> |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto [email protected] --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin vpn.unimelb.edu.au
POST https://vpn.unimelb.edu.au/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to 203.5.68.131:443
SSL negotiation with vpn.unimelb.edu.au
Connected to HTTPS on vpn.unimelb.edu.au with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
POST https://vpn.unimelb.edu.au/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
staff (staff-vpn-gw.unimelb.edu.au)
Please select GlobalProtect gateway.
GATEWAY: [staff]:staff
POST https://staff-vpn-gw.unimelb.edu.au/ssl-vpn/login.esp
Connected to 203.5.68.133:443
SSL negotiation with staff-vpn-gw.unimelb.edu.au
Connected to HTTPS on staff-vpn-gw.unimelb.edu.au with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Failed to parse server response
Failed to complete authentication
At this stage I am at a bit of a loss to explain what is going on here.
The README.md shows:
SAML response converted to OpenConnect command line invocation:
echo 'blahblahblah' |
openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com
$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
[email protected]
blahblahblah
win
$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"
Notice that the first shown openconnect invocation uses vpn.company.com as the host.
Yet the second invocation uses the $HOST variable which has a different value: https://vpn.company.com/gateway:prelogin-cookie
Recently the "https://" and "/gateway:prelogin-cookie" parts caused my VPN connection script to fail. It was working for many months but then started failing with the "Failed to parse server response. Failed to complete authentication" error.
In my case, the HOST variable is set to https://vpn.example.edu/ssl-vpn/login.esp:prelogin-cookie.
I fixed my script by changing it from:
#!/bin/bash
eval $(./gp_saml_gui.py -v --gateway --clientos=Linux vpn.example.edu)
echo "$COOKIE" \
| sudo openconnect --protocol=gp -u "$USER" --usergroup=gateway:prelogin-cookie --os="$OS" --passwd-on-stdin "$HOST"
to:
#!/bin/bash
eval $(./gp_saml_gui.py -v --gateway --clientos=Linux vpn.example.edu)
: "${HOST#*//}" # Chop off https:// from the beginning. Result will be in $_ variable
ADJUSTED_HOST=${_%%/*} # Chop off path from the end
echo "$COOKIE" \
| sudo openconnect --protocol=gp -u "$USER" --usergroup=gateway:prelogin-cookie --os="$OS" --passwd-on-stdin "$ADJUSTED_HOST"
So, I'm wondering if the HOST variable shouldn't have the "https://" and "/gateway:prelogin-cookie" parts.
Hello, I am trying to connect using the commands given, and I get:
$eval $( ./gp-saml-gui.py -v vpn.iastate.edu )
Traceback (most recent call last):
File "./gp-saml-gui.py", line 127, in <module>
xml = ET.fromstring(res.content)
File "/usr/lib64/python3.7/xml/etree/ElementTree.py", line 1315, in XML
parser.feed(text)
xml.etree.ElementTree.ParseError: mismatched tag: line 7, column 2
There is some error that I do not quite understand. Am I missing some dependencies? I am on Fedora 30.
The man page is named "gp-saml-gui.8" (using hypens as separators)
But recently the command has switched name to "gp_saml_gui.py" (using underscores as separators)
We duplicate a bunch of stuff that openconnect knows about the GP protocol, just as openconnect-sso duplicates a bunch of stuff about the AnyConnect protocol.
Now that the SAML support has been merged into OpenConnect upstream, it would be really nice to make the openconnect CLI capable of spawning a browser in a separate process. For AnyConnect we already have its 'external browser' mode but that's very different as the SAML flow actually terminates with a redirect to http://localhost:29786/... with the token. For the normal SAML flows we actually need a 'browser' that we can monitor and steal cookies from; we can't just launch the system browser (unless we make a nasty plugin and deal with the resulting security concerns).
So... can we make openconnect just spawn a variant of gp-saml-gui or openconnect-sso and get the cookie back from it? We already do something like that with TNCC for the DSPREAUTH cookie; instead of just unhelpfully printing No SSO handler, can we instead spawn something like
$WEBVIEW_SCRIPT --url $SAML_URL --final-url $SAML_FINAL_URL --cookie $SAML_TOKEN_COOKIE
... and then get the answer back from its stdout like we do with TNCC?
Using python 3.8.5 in pyenv on pop-os 20.10 (ubuntu 20.10).
I installed the apt packages specified, set my local python to 3.8.5, then did the following:
ron@pop-os:~$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
Using cached https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting requests
Using cached requests-2.25.1-py2.py3-none-any.whl (61 kB)
Collecting pygobject
Using cached PyGObject-3.40.1.tar.gz (714 kB)
Installing build dependencies ... error
ERROR: Command errored out with exit status 1:
command: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-07viv83v/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel pycairo
cwd: None
Complete output (40 lines):
Collecting setuptools
Using cached setuptools-56.0.0-py3-none-any.whl (784 kB)
Collecting wheel
Using cached wheel-0.36.2-py2.py3-none-any.whl (35 kB)
Collecting pycairo
Using cached pycairo-1.20.0.tar.gz (344 kB)
Installing build dependencies: started
Installing build dependencies: finished with status 'done'
Getting requirements to build wheel: started
Getting requirements to build wheel: finished with status 'done'
Preparing wheel metadata: started
Preparing wheel metadata: finished with status 'done'
Building wheels for collected packages: pycairo
Building wheel for pycairo (PEP 517): started
Building wheel for pycairo (PEP 517): finished with status 'error'
ERROR: Command errored out with exit status 1:
command: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip/_vendor/pep517/_in_process.py build_wheel /tmp/tmpataepmrk
cwd: /tmp/pip-install-tse1150j/pycairo
Complete output (15 lines):
running bdist_wheel
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.8
creating build/lib.linux-x86_64-3.8/cairo
copying cairo/__init__.py -> build/lib.linux-x86_64-3.8/cairo
copying cairo/__init__.pyi -> build/lib.linux-x86_64-3.8/cairo
copying cairo/py.typed -> build/lib.linux-x86_64-3.8/cairo
running build_ext
Package cairo was not found in the pkg-config search path.
Perhaps you should add the directory containing `cairo.pc'
to the PKG_CONFIG_PATH environment variable
Package 'cairo', required by 'virtual:world', not found
Command '['pkg-config', '--print-errors', '--exists', 'cairo >= 1.15.10']' returned non-zero exit status 1.
----------------------------------------
ERROR: Failed building wheel for pycairo
Failed to build pycairo
ERROR: Could not build wheels for pycairo which use PEP 517 and cannot be installed directly
WARNING: You are using pip version 20.1.1; however, version 21.0.1 is available.
You should consider upgrading via the '/home/ron/.pyenv/versions/3.8.5/bin/python3.8 -m pip install --upgrade pip' command.
----------------------------------------
ERROR: Command errored out with exit status 1: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-07viv83v/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel pycairo Check the logs for full command output.
WARNING: You are using pip version 20.1.1; however, version 21.0.1 is available.
You should consider upgrading via the '/home/ron/.pyenv/versions/3.8.5/bin/python3.8 -m pip install --upgrade pip' command.
Seemed like I was missing libraries. So I installed these (over a few iterations, some may not be needed):
sudo apt install libcairo2-dev pkg-config python3-dev cairo-5c libcairo-5c-dev libcairo-gobject2 python3-cairocffi libgirepository1.0-dev
And now I get the package to install.
Hello, I recently tested this in the current Debian 12 KDE Plasma and I'm getting "cannot open display". I tried to use --external and it still does not work.
$ eval $( gp-saml-gui --gateway --allow-insecure-crypto --clientos=Windows vpn-at-somewhere.tech )
Looking for SAML auth tags in response to https://vpn-at-somewhere.tech/ssl-vpn/prelogin.esp...
Got SAML REDIRECT, opening browser...
(gp-saml-gui:154893): Gtk-WARNING **: 14:05:36.352: cannot open display:
Can anybody help me debug this problem further, or maybe guide me on where to look for logs?
Thank you!
I have been using gp-saml-gui on Fedora Linux in an enterprise deployment that uses Okta which in turn uses Duo for MFA. I have succeeded using the usual Duo push to the Duo mobile app.
However, the flow using a Yubikey security key does not seem to work. The Duo widget shows the enrolled security key, but stalls when trying to use it. The key's LED flashes once, briefly, on insertion which I think it does whether a browser is looking for a key or not. It never gets to the part where the key LED blinks and I am supposed to touch the button to confirm my presence.
The same Okta+Duo+Yubikey account flow works when logging into other apps such as GSuite in a regular Firefox session in the same laptop. This makes me think it is the webkit browser that is the difference, but I am having trouble figuring out the status of related work in the webkit issue tracker. It seems like a lot of FIDO/CTAP/webauthn work has been done in prior years, but I cannot tell whether this is something that ought to work yet in this scenario.
Note, this is testing with the consumer-focused "Yubikey security key" which does FIDO/FIDO2 only, without any writable storage.
Hi @dlenski !
After upgrading from Ubuntu 20.04 to 22.04 I get the following SSL error when connecting to my office VPN:
gp-saml-gui -v --clientos=Windows zehost.domain.com
Looking for SAML auth tags in response to https://zehost.domain.com/global-protect/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Linux,Mac,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
(same results using "--clientos=Linux", for unknown reasons, IT is asking us to use "--clientos=Windows")
It's been working fine for almost 2 years under Ubuntu 20.04. Works fine from a VM using Ubuntu 21.10. Fails in a VM with Ubuntu 22.04. Any hints on how I could gather more details about this? Looking for ways to document the issue further to either bring info here, or on the Ubuntu side.
Thanks!
Hey,
I'm trying to connect to our work VPN (PAN GlobalProtect), but I'm getting the following error:
> eval $( ./gp-saml-gui.py -v remote.company.com --external -vvv )
Looking for SAML auth tags in response to https://remote.company.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui.py [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
[--key KEY] [-v] [-x] [-u]
server [extra [extra ...]]
gp-saml-gui.py: error: This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)
Your other tool (what-vpn) gives me the following information (ran it three times, and gave me three different(?) responses):
> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (gateway+portal+SAML REDIRECT)
> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (SAML REDIRECT+gateway+portal)
> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (portal+SAML REDIRECT+gateway)
Do you have any idea why I'm getting that message?
Thanks
If you have problems check this:
Ok, I did get my case to work by creating ~/ssl.conf containing:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
And then did OPENSSL_CONF=~/ssl.conf do-my-command
at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834
Hi dlenski
I see that GObject does not support FIDO2 like Chromium-based browsers do. Can you change to PyQt5?
Best regards
Severus
I currently need to connect to Fortinet; so far I do it by copying the cookie, but it is tedious. I find your project very interesting, and I'm sure you could have something similar to capture the cookie for Fortinet.
Hi there: I was using gp-saml-gui to connect to my University GlobalProtect VPN site until yesterday.
The behaviour is like this: I run the script
eval $(OPENSSL_CONF=~/ssl.conf gp-saml-gui --gateway --clientos=Windows vpn.mysite.com)
and I can auth with my Microsoft Authenticator app on mobile and I see: Login successful!
But after that, nothing happens.
On the console, last message is:
[PAGE ] Finished loading page https://XXXXXX.es/SAML20/SP/ACS
After a lot of researching, and running gp-saml-gui with the -x parameter, if I open the login window in another browser I see that the cookie is embedded in the webpage as a comment and is not returned in the HTTP headers. I think that this is the root of the problem:
I don't know what version is running on the VPN appliance as it depends on another department, but I know that it was updated two days ago. Now that I know that this is the problem, when I get the "Login successful" window I press F12 and copy the prelogin cookie :-(. It's so slow, but it works..
I wrote this post in case anybody has the same problem...
I don't get any farther than the '$ gp-saml-gui' command.
It is not valid.
$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
Downloading https://github.com/dlenski/gp-saml-gui/archive/master.zip
$ gp-saml-gui
gp-saml-gui: command not found
$ usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
-K]: command not found
-g]: command not found
usage:: command not found
$ [--key KEY] [-v | -q] [-x | -P | -S] [-u]
-P: command not found
-S]: command not found
-q]: command not found
[--key: command not found
$ [--clientos {Windows,Linux,Mac}] [-f EXTRA]
[--clientos: command not found
$ server [openconnect_extra [openconnect_extra ...]]
Defaulting to port 8080Listening on port 8080
Just upgraded my Fedora 36 to Fedora 37, et voilà:
gp-saml-gui -S --gateway --no-verify --clientos=Linux xxx.xxxxxx.it
Traceback (most recent call last):
File "/home/maurizio/.local/bin/gp-saml-gui", line 33, in
sys.exit(load_entry_point('gp-saml-gui==0.1', 'console_scripts', 'gp-saml-gui')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/maurizio/.local/bin/gp-saml-gui", line 22, in importlib_load_entry_point
for entry_point in distribution(dist_name).entry_points
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/importlib/metadata/__init__.py", line 964, in distribution
return Distribution.from_name(distribution_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/importlib/metadata/__init__.py", line 561, in from_name
raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: No package metadata was found for gp-saml-gui
I'm trying to install an application that uses GTK, which requires python3 bindings, and I'm not able to find a way to install WebKit2. I'm using homebrew as a package manager, so installing via MacPorts may not be a viable solution. Additionally, I've seen that it hasn't worked for others using MacPorts either.
I installed gtk+3 and pygobject, which fulfill most of the other dependency requirements and allow me to pip install the script, but I get the following error message when trying to execute it:
raise ValueError('Namespace %s not available' % namespace)
ValueError: Namespace Webkit2 not available
Are there any other ways to install WebKit2 on macOS?
Hello all,
for SAML authentication we need to send the client certificate to the Keycloak instance.
This is not implemented in the class "SAMLLoginView" yet.
I could not find a way to implement this so far either.
https://lazka.github.io/pgi-docs/WebKit2-4.0/mapping.html
Any ideas would be appreciated.
webkit browser error:
{"error_description":"X509 client certificate is missing.","error":"invalid_request"}
Hi Daniel,
I recently started getting the SSL certificate error "unable to get local issuer certificate". I'm told that the old 2048-bit certificates were renewed as 4096-bit certificates. Could the change of encryption be causing this problem?
Thanks,
Hamish
Upgraded to ubuntu 22.04 from 21.04 and worked my way through #42 and then I get the error above on login screen with the following trace. I'm using webkit2gtk-driver/jammy-updates,jammy-security 2.36.6-0ubuntu0.22.04.1 amd64.
Got SAML POST, opening browser...
(gp-saml-gui:18783): GLib-GIO-DEBUG: 10:46:50.281: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18790): GLib-GIO-DEBUG: 10:46:51.058: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(process:18790): GLib-GIO-DEBUG: 10:46:51.063: _g_io_module_get_default: Found default implementation networkmanager (GNetworkMonitorNM) for ‘gio-network-monitor’
(process:18790): GLib-GIO-DEBUG: 10:46:51.172: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18790): GLib-GIO-DEBUG: 10:46:51.178: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(process:18790): GLib-GIO-DEBUG: 10:46:51.178: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.375: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.784: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.785: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’
[PAGE ] Finished loading page about:blank
(process:18790): GLib-GIO-DEBUG: 10:46:52.185: _g_io_module_get_default: Found default implementation environment (GEnvironmentProxyResolver) for ‘gio-proxy-resolver’
(process:18790): GLib-GIO-DEBUG: 10:46:52.196: _g_io_module_get_default: Found default implementation gnutls (GTlsBackendGnutls) for ‘gio-tls-backend’
(process:18790): GLib-GIO-DEBUG: 10:46:52.215: GSocketClient: Starting new address enumeration
(process:18790): GLib-GIO-DEBUG: 10:46:52.216: GSocketClient: Address enumeration completed (out of addresses)
(process:18790): GLib-GIO-DEBUG: 10:46:52.216: GSocketClient: Address enumeration failed: (null)
**
GLib-GIO:ERROR:../../../gio/gsocketclient.c:1982:g_socket_client_enumerator_callback: assertion failed: (data->error_info->best_error)
Bail out! GLib-GIO:ERROR:../../../gio/gsocketclient.c:1982:g_socket_client_enumerator_callback: assertion failed: (data->error_info->best_error)
[PAGE ] Finished loading page
(process:18829): GLib-GIO-DEBUG: 10:46:53.791: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(process:18829): GLib-GIO-DEBUG: 10:46:53.842: _g_io_module_get_default: Found default implementation networkmanager (GNetworkMonitorNM) for ‘gio-network-monitor’
(process:18829): GLib-GIO-DEBUG: 10:46:53.853: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18829): GLib-GIO-DEBUG: 10:46:53.949: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(process:18829): GLib-GIO-DEBUG: 10:46:53.949: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’
Using python3 (3.7.7) on Ubuntu 19.04 the system was unable to find the gi package even after installing python3-gi.
I was able to get the script working by installing pgi via pip3 install pgi and making the following changes:
#!/usr/bin/env python3
-import gi
+import pgi
import argparse
import pprint
import urllib
@@ -15,9 +15,9 @@ from sys import stderr, platform
from binascii import a2b_base64, b2a_base64
from urllib.parse import urlparse, urlencode
-gi.require_version('Gtk', '3.0')
-gi.require_version('WebKit2', '4.0')
-from gi.repository import Gtk, WebKit2, GLib
+pgi.require_version('Gtk', '3.0')
+pgi.require_version('WebKit2', '4.0')
+from pgi.repository import Gtk, WebKit2, GLib
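Review bot: the swap from gi to pgi is unconditional (`-import gi` / `+import pgi`, and likewise the `pgi.require_version(...)` and `from pgi.repository import Gtk, WebKit2, GLib` lines), so the script stops working on any system where python3-gi is installed but pgi is not. Keep `import gi` as the primary path and fall back only when it is missing, e.g. `try: import gi` / `except ImportError: import pgi as gi`, which leaves the `require_version` calls and the `from gi.repository import ...` line untouched and matches the aliasing the author proposes right after the patch.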
As a more permanent fix, how would we feel about aliasing pgi as gi if the pgi package is installed? If pgi is not present then attempt to import gi?
I get a page that says Login Successful! and inspecting the DOM (if I go to the URL manually) shows roughly:
<html>
<head></head>
<body>Login Successful!</body>
<!--
<saml-auth-status>1</saml-auth-status>
<prelogin-cookie>REDACTEDBASE64==</prelogin-cookie>
<saml-username>REDACTEDUSERNAME</saml-username>
<saml-slo>yes</saml-slo>
<saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter>
-->
</html>
gp-saml-gui doesn't seem to know how to parse this; the browser window is still open waiting for me to do more things, but there is no button to press.
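The commented-out tags in the page above, and the earlier report about $HOST carrying "https://" and a "/gateway:prelogin-cookie" suffix, both come down to turning the gateway's SAML result into an openconnect invocation. As an added example, not the project's own code, the block below takes the result tags from the response headers when present and from the HTML comment otherwise, normalises the server name, and builds the openconnect argv; the sample page, its cookie and username are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Result tags a GlobalProtect gateway returns after a successful SAML login.
# They normally arrive as HTTP response headers; the report above shows a
# gateway that embeds them in an HTML comment in the page body instead.
RESULT_TAGS = ('saml-auth-status', 'prelogin-cookie', 'saml-username',
               'saml-slo', 'saml-sessionnotonorafter')

# Constructed sample page, shaped like the DOM quoted above; the cookie and
# username are placeholders, not real credentials.
SAMPLE_HTML = """<html>
<head></head>
<body>Login Successful!</body>
<!--
<saml-auth-status>1</saml-auth-status>
<prelogin-cookie>Q09OU1RSVUNURURfQ09PS0lF</prelogin-cookie>
<saml-username>jdoe@example.com</saml-username>
<saml-slo>yes</saml-slo>
<saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter>
-->
</html>"""

_COMMENT_RE = re.compile(r'<!--(.*?)-->', re.S)
_TAG_RE = re.compile(r'<([A-Za-z-]+)>(.*?)</\1>', re.S)


def result_from_headers(headers):
    """Pick the result tags out of a response-header mapping (names are case-insensitive)."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in RESULT_TAGS}


def result_from_html(html):
    """Fallback: pull the same tags out of HTML comments in the page body."""
    found = {}
    for comment in _COMMENT_RE.findall(html):
        for tag, value in _TAG_RE.findall(comment):
            if tag.lower() in RESULT_TAGS:
                found[tag.lower()] = value.strip()
    return found


def saml_result(headers, html):
    """Headers win; the body is consulted only when they carry no cookie."""
    result = result_from_headers(headers)
    if not result.get('prelogin-cookie'):
        result.update(result_from_html(html))
    return result


def login_complete(result):
    """True once the gateway reports success and both cookie and username are present."""
    return (result.get('saml-auth-status') == '1'
            and bool(result.get('prelogin-cookie'))
            and bool(result.get('saml-username')))


def server_from_host(host):
    """Reduce the $HOST shapes seen on this page (with or without https://,
    with or without a /path:prelogin-cookie suffix) to the bare server[:port]
    that openconnect expects as its last argument."""
    if '//' not in host:
        host = '//' + host            # let urlparse treat the first segment as the netloc
    parsed = urlparse(host)
    if not parsed.hostname:
        raise ValueError('no server name in %r' % host)
    return parsed.hostname + (':%d' % parsed.port if parsed.port else '')


def openconnect_invocation(server, result, gateway=True, clientos='Windows'):
    """Build the openconnect argv and the secret to feed it on stdin.
    The cookie goes through --passwd-on-stdin, never onto the command line
    where every local user could read it from the process list."""
    if not login_complete(result):
        raise ValueError('SAML login not complete: %r' % (result,))
    os_values = {'Windows': 'win', 'Linux': 'linux-64'}   # the --os values seen on this page
    usergroup = ('gateway' if gateway else 'portal') + ':prelogin-cookie'
    argv = ['openconnect', '--protocol=gp',
            '--user=' + result['saml-username'],
            '--os=' + os_values[clientos],
            '--usergroup=' + usergroup,
            '--passwd-on-stdin',
            server_from_host(server)]
    return argv, result['prelogin-cookie']


if __name__ == '__main__':
    # Headers as several reports on this page show them: status only, no cookie.
    res = saml_result({'saml-auth-status': '1'}, SAMPLE_HTML)
    argv, cookie = openconnect_invocation('https://vpn.company.com/gateway:prelogin-cookie', res)
    print(' '.join(argv))       # the cookie is deliberately not printed
```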
Looks like our vpn gateways were updated and now UI pop-up throws Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
while the log throws:
(process:25926): libsoup-WARNING **: 18:53:45.235: gssapi step failed: Unspecified GSS failure. Minor code may provide more information: SPNEGO cannot find mechanisms to negotiate
Traceback (most recent call last):
File "./gp_saml_gui.py", line 108, in get_saml_headers
h = rs.get_http_headers()
AttributeError: 'NoneType' object has no attribute 'get_http_headers'
Do you have any idea how to fix it? I looked at openconnect directly but didn't find TLS/cipher options.
Thanks for the really useful script!
I've found I run into issues when using a security key. After entering my username and password, the authentication process brings me to Duo's page, which requires a pop-up when using a security key. However, the current GUI doesn't allow pop-ups.
Would it be possible to allow them? I think the relevant setting here is WebKit2.Settings.props.javascript_can_open_windows_automatically, though I don't know much about WebKit2.
I'm guessing that if pop-ups were allowed, I would next run into issue #26, so maybe this request is moot. The work-around you proposed there (using OTP instead of webauthn) could work.
I had installed gp-saml-gui from AUR and I can connect and do the SAML auth, but I cannot ping or access restricted hosts; by restricted hosts I mean those which are supposed to be available from the VPN.
Please tell me if I need to share some log. I did not copy-paste the output of the command here because I am not sure if it is sensitive.
Thanks!
Hi Daniel,
As of today, after signing in with 2FA I'm left with a window that says Unacceptable TLS certificate. I then close that window and gp-saml-gui terminates. Everything worked fine Friday last week. I guess that they've made some changes over the weekend.
Looking for SAML auth tags in response to https://vpn.company.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
[PAGE ] Finished loading page about:blank
[PAGE ] Finished loading page https://xxx.okta.com/app/panw_globalprotect/exkmuy9k5dT1PXpfd0x7/sso/saml
[PAGE ] Finished loading page https://xxx.okta.com/login/sessionCookieRedirect
[PAGE ] Finished loading page https://xxx.okta.com/login/sessionCookieRedirect
(process:12775): GLib-GIO-CRITICAL **: g_tls_connection_get_peer_certificate_errors: assertion 'G_IS_TLS_CONNECTION (conn)' failed
Traceback (most recent call last):
File "/path/to/gp-saml-gui/gp-saml-gui.py", line 103, in get_saml_headers
h = rs.get_http_headers()
AttributeError: 'NoneType' object has no attribute 'get_http_headers'
[PAGE ] Finished loading page about:blank
Login window closed by user.
Any ideas?
Thanks,
Hamish
The install and start-up work great. I get a pop-up and get logged in, then GlobalProtect responds with a list of "Gateway servers" and errors out with: "Resource temporarily unavailable"
How do I specify the gateway on the command line? I have tried --gateway="US Central":
gp-saml-gui -S remote.precisionplanting.com --clientos=Windows --gateway='US Central'
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA]
server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: argument -g/--gateway: ignored explicit argument 'US Central'
Log of connection attempt:
gp-saml-gui -S remote.precisionplanting.com --clientos=Windows
Looking for SAML auth tags in response to https://remote.precisionplanting.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE ] Finished loading page https://login.microsoftonline.com/<snip>
[PAGE ] Finished loading page https://remote.precisionplanting.com/SAML20/SP/ACS
[SAML ] Got SAML result headers: {'saml-username': '[email protected]', 'prelogin-cookie': 'R/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLl', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
SAML response converted to OpenConnect command line invocation:
echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
sudo openconnect --protocol=gp [email protected] --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py [email protected] --clientos=Windows -p '' \ https://remote.precisionplanting.com/global-protect/getconfig.esp prelogin-cookie=R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
Launching OpenConnect with sudo, equivalent to:
echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
sudo openconnect --protocol=gp [email protected] --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com
POST https://remote.precisionplanting.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to xxx.xxx.xx.xx:443
SSL negotiation with remote.precisionplanting.com
Connected to HTTPS on remote.precisionplanting.com
SAML login is required via REDIRECT to this URL:
https://login.microsoftonline.com/<snip>
Enter login credentials
POST https://remote.precisionplanting.com/global-protect/getconfig.esp
21 gateway servers available:
France North (fr-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
US West (us-west-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Canada West (canada-west-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Germany Central (germany-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
US East (us-east-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
US Southeast (us-southeast-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
US Central (us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Canada East (canada-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Andorra (andorra-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Bulgaria (bulgaria-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Croatia (croatia-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
France South (france-south-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Germany North (germany-north-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Hungary (hungary-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Moldova (moldova-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Romania (romania-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Ukraine (ukraine-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Canada Central (canada-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Argentina (argentina-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Brazil East (brazil-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Brazil Central (brazil-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
GATEWAY: [France North|US West|Canada West|Germany Central|US East|US Southeast|US Central|Canada East|Andorra|Bulgaria|Croatia|France South|Germany North|Hungary|Moldova|Romania|Ukraine|Canada Central|Argentina
|Brazil East|Brazil Central]:fgets (stdin): Resource temporarily unavailable
When I try to connect to the VPN with "gp-saml-gui --gateway --clientos=Linux mysite" I get an error:
Traceback (most recent call last):
File "/home/di/.local/bin/gp-saml-gui", line 33, in <module>
sys.exit(load_entry_point('gp-saml-gui==0.1', 'console_scripts', 'gp-saml-gui')())
File "/home/di/.local/lib/python3.5/site-packages/gp_saml_gui.py", line 263, in main
slv = SAMLLoginView(uri, html, verbose=args.verbose, cookies=args.cookies, verify=args.verify)
File "/home/di/.local/lib/python3.5/site-packages/gp_saml_gui.py", line 36, in __init__
Gtk.init()
TypeError: init() missing 1 required positional argument: 'argv'
My system is Linux Mint 19.1.
I've tried it on clean fresh install of Linux Mint 20.1 and it works fine. Also I've tried to update python to 3.9 but without luck.
Hi Dan, first of all thanks for the gp-saml-gui tool, which works for me to establish a VPN connection via a GlobalProtect gateway after a SAML authentication detour through login.microsoftonline.com.
But I had to apply a minor modification, as gp_saml_gui.py seems to use client certificates supplied with the -c option only for the TLS connections that it establishes itself; it does not pass the certificate to openconnect via openconnect's -c option:
+++ b/gp_saml_gui.py
@@ -336,6 +337,10 @@ def main(args = None):
if args.user_agent:
openconnect_args.insert(1, "--useragent="+args.user_agent)
+ if args.cert is not None:
+ openconnect_args.insert(1, args.cert[0])
+ openconnect_args.insert(1, "-c")
+
openconnect_command = ''' echo {} |\n sudo openconnect {}'''.format(
quote(cv), " ".join(map(quote, openconnect_args)))
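Review bot: the hunk forwards only the certificate and drops a separately supplied private key: `args.cert[0]` is passed as openconnect's `-c`, but the `--key KEY` value that gp-saml-gui also accepts (see the usage line quoted above) is never forwarded, so a cert/key pair kept in two files would leave openconnect without the key. Forward it too when it is set (openconnect's `-k`/`--sslkey`), and confirm that `args.cert` really is a sequence at this point rather than a plain string, since `[0]` on a string passes only its first character. The two `insert(1, ...)` calls are in the right order (cert first, then `-c`), yielding `-c CERT` directly after the program name.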
Above change may not be as generic as one might want it to be, but it worked for my case where the GP gateway expects me to present a valid client certificate.
BTW: While debugging this, I noticed that the output of print('''Launching OpenConnect with {}, equivalent to:\n{}''' ... is somewhat misleading when the openconnect conversation with the GP gateway expects some input from stdin: using --passwd-on-stdin along with piped input the way suggested by the printed command line does not work then, while the direct invocation of openconnect by the gp_saml_gui.py script works just fine.
Hi @dlenski,
Python: 3.6.8
OS: Ubuntu 18.04
Got some output below
eval $(./gp-saml-gui.py -v vpn.okta_test.com)
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
By adding --no-verify I got Unacceptable TLS certificate on the GUI.
Hello,
I am trying to connect to a GlobalProtect gateway with SAML authentication from my Fedora 34 workstation (all our other laptops are running Windows).
The SAML authentication seems to work fine and the cookie is extracted, but the openconnect command fails with the error Failed to obtain WebVPN cookie.
$ openconnect --version
OpenConnect version v8.10-6.fc34
Using GnuTLS 3.7.2. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
$ eval $( gp-saml-gui --gateway --clientos=Windows GATEWAY )
Looking for SAML auth tags in response to https://GATEWAY/ssl-vpn/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/saml2?SAMLRequest=lZJNb8IwDIb%2FSpV7m5CmXxGt1MFhSEyraLfDLlMIKURqEpakEz9%2FFDaNXZB2tPz6sf3ac8fUcKT16A96Iz5G4XxwUoN29JIowWg1NcxJRzVTwlHPaVs%2FrSmOED1a4w03Awhq54T10uiF0W5UwrbCfkouXjbrEhy8PzoK4X4wWzZMRYL7UJ0iNVpxirhRlJAYTliMYNvAetGCYHkeRWo2QX8Rg9lLHSnJrXGm90YPUouJAAuWx0WWoVAUPQ9JFmdhgRIexhnq02SLBMYETjthEKyWJXhHSb5LUpEmeZb2MUkTMuvzHedpkWaEZf1Z5twoVtp5pn0JMMKzEBUhJt0MUTyjCXkDQfNtwYPUO6n39%2F3aXkWOPnZdEzbPbQeCV2HdZcWzAFTzaUJ6aWxv7nAfy37MB9V%2FrZ7Dm4bVNfr7DdUX&RelayState=PskUAEXKg2A1MzcyNDliNWVhZjVhMTM4Yzc4YmMzMmJlZTY0OTA2NQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=eyPQIuYoBry%2BEaRRfg9%2FQynmUWFyGstKL6pUFjNWB2dOStn%2Bk%2FXsobcaE%2Ffuv%2FCCqRkJaw%2FWVtIpzFBV%2BnuPzFdMmWa9B6DSS5unET%2Fu2Uda5xStkuGSVkvgfMKGqxpaYiT0cq7DL3nyTZsUvCC5xgPr42LNbxE%2FVm5PNsK74QxaqhsamNjukLh0RwdZ4JPWvPx4FrdSKU9md5rwuq%2BDb8u2iPjJPPCGCS0gHcNkS8bpvD5GapP5YhQ2sreq6DROF%2BZUvUP4oZQ5ro8xwVk%2BdWd1oC6PGm9KIqYm8bleWgXqZ%2Flb3Iwf8RFO4iKl7G0yaO03oxHdRi88MwKTYk0fDg%3D%3D
(process:91394): libsoup-WARNING **: 13:22:08.196: gssapi step failed: No credentials were supplied, or the credentials were unavailable or inaccessible: SPNEGO cannot find mechanisms to negotiate
[PAGE ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/login
[PAGE ] Finished loading page https://GATEWAY/SAML20/SP/ACS
[SAML ] Got SAML result headers: {'saml-username': 'USERNAME', 'prelogin-cookie': '/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML ] Got all required SAML headers, done.
SAML response converted to OpenConnect command line invocation:
echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe |
sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py --user=USERNAME --clientos=Windows -p '' \
https://GATEWAY/ssl-vpn/login.esp prelogin-cookie=/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe
openconnect command (redacted GATEWAY):
$ echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe |
sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY
POST https://GATEWAY/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 10.29.255.65:443
SSL negotiation with GATEWAY
Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
POST https://GATEWAY/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=COMPANY.COM_AZURE-SAML_Auth-Prof
GlobalProtect login returned connection-type=notunnel (expected tunnel)
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
Please report 1 unexpected values above (of which 1 fatal) to <[email protected]>
Failed to obtain WebVPN cookie
Do you know what could be the issue or how I could get some more logs?
First of all, thank you for this excellent project. I found it via this discussion: dlenski/openconnect#116
I'm using an up-to-date Arch Linux (as of 2020-09-22) and had to install the following to use this project:
gtk3
gobject-introspection
webkit2gtk
Hi there!
I stumbled upon this nice little script because in my company we are moving to SAML login.
One thing that I had in my previous openconnect setup was:
--script="$vpn_slice_bin --verbose $my_tunneled_domains"
I wonder if you are open to a contribution that adds a parameter, say an --openconnect-script option, to be able to forward the above down to openconnect.
Thanks for this and please let me know your thoughts!
gp-saml-gui/test-globalprotect-login.py, line 143 in 451cdf8:
Can you wrap this assignment like gateways = sorted(...)? That would make the output so much easier to read!
The extra arguments are not recognized in my version of gp-saml-gui.
If I invoke it as mentioned in the readme, I get the following error:
gp-saml-gui --gateway --clientos=Linux vpn.company --sudo-openconnect -- --csd-wrapper=hipreport.sh
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Mac,Linux}]
[-f EXTRA] [--allow-insecure-crypto] [--user-agent USER_AGENT]
server [openconnect_extra ...]
gp-saml-gui: error: unrecognized arguments: -- --csd-wrapper=hipreport.sh
What am I missing?
Hi,
I am having basically the exact same issue as here: #6
Problem is, the solution from that thread doesn't work for me.
Where can I find the second cookie and how exactly am I supposed to use it? Where to input it?
Output of what-vpn is
PAN GlobalProtect (portal+portal wants SAML REDIRECT)
Commands I issue that got me the furthest are:
Command 1:
eval $( gp-saml-gui --portal --clientos=Windows gp-portal.companyserver.com)
Output:
Looking for SAML auth tags in response to https://gp-portal.companyserver.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE ] Finished loading page ##Censored URL
[PAGE ] Finished loading page https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/login
[PAGE ] Finished loading page https://login.microsoftonline.com/common/SAS/ProcessAuth
[PAGE ] Finished loading page https://gp-portal.companyserver.com/SAML20/SP/ACS
[SAML ] Got SAML result headers: {'saml-username': 'myusername', 'prelogin-cookie': 'oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
SAML response converted to OpenConnect command line invocation:
echo oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py --user=myusername --clientos=Windows -p '' \
https://gp-portal.companyserver.com/global-protect/getconfig.esp prelogin-cookie=oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P
Command 2:
openconnect -vvv --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com
oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P ##Cookie on line 2
Output 2:
POST https://gp-portal.companyserver.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 1.2.3.4:443 ##Dummy IP, had to censor.
Connected to 1.2.3.4:443 ##Dummy IP, had to censor.
SSL negotiation with gp-portal.companyserver.com
Connected to HTTPS on gp-portal.companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1518
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; path=/; secure; httponly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1518)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
##Removed URL for privacy purposes.
Enter login credentials
POST https://gp-portal.companyserver.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 36230
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (36230)
4 gateway servers available:
Germany - Frankfurt (frankfurt-gp-companyserver.com)
Great Britain - London (london-gp-companyserver.com)
Spain - Madrid (madrid-gp-companyserver.com)
Sweden - Stockholm (stockholm-gp-companyserver.com)
Please select GlobalProtect gateway.
GATEWAY: [Germany - Frankfurt|Great Britain - London|Spain - Madrid|Sweden - Stockholm]:Great Britain - London ##I just paste the gateway here
POST https://london-gp-companyserver.com/ssl-vpn/login.esp
Attempting to connect to server 4.3.2.1:443 ##Gateway IP, censored
Connected to 4.3.2.1:443 ##Gateway IP, censored
SSL negotiation with london-gp-companyserver.com
Connected to HTTPS on london-gp-companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (128)
Authentication failure: Invalid username or password
Failed to obtain WebVPN cookie
Thank you!