gp-saml-gui

Introduction

This is a helper script to allow you to interactively login to a GlobalProtect VPN that uses SAML authentication, so that you can subsequently connect with OpenConnect. (The GlobalProtect protocol is supported in OpenConnect v8.0 or newer; v8.06+ is recommended.)

Interactive login is, unfortunately, sometimes a necessary alternative to automated login via scripts such as zdave/openconnect-gp-okta.

This script is known to work with many GlobalProtect VPNs using the major single-sign-on (SSO) providers:

  • Okta (sign-in URLs typically https://<company>.okta.com/login/*)
  • Microsoft (sign-in URLs typically https://login.microsoftonline.com/*)

Please search and file issues if you can report success or failure with other SSO SAML providers.

Installation

First, non-Python Dependencies

gp-saml-gui uses GTK, which requires Python 3 bindings.

On Debian / Ubuntu, these are packaged as python3-gi, gir1.2-gtk-3.0, and gir1.2-webkit2-4.1 (or gir1.2-webkit2-4.0 for older distributions).

$ sudo apt install python3-gi gir1.2-gtk-3.0 'gir1.2-webkit2-4.*'

(Note that the older version, WebKit2GTK 4.0, is no longer maintained; more details in #92.)

On Fedora (and possibly RHEL/CentOS) the matching libraries are packaged in python3-gobject, gtk3-devel, and webkit2gtk3-devel:

$ sudo dnf install python3-gobject gtk3-devel webkit2gtk3-devel

On Arch Linux, the libraries are packaged in gtk3, gobject-introspection and webkit2gtk:

$ sudo pacman -S gtk3 gobject-introspection webkit2gtk

Second, gp-saml-gui itself

Install gp-saml-gui itself using pip:

$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
...
$ gp-saml-gui
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
                   [--key KEY] [-v | -q] [-x | -P | -S] [-u]
                   [--clientos {Windows,Linux,Mac}] [-f EXTRA]
                   server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: the following arguments are required: server, openconnect_extra

How to use

Specify the GlobalProtect server URL (portal or gateway) and optional arguments, such as --clientos=Windows (because many GlobalProtect servers don't require SAML login, but apparently omit it in their configuration for OSes other than Windows).

This script will pop up a GTK WebKit2 WebView window alongside your terminal window (see this screenshot). After you successfully complete the SAML login via web forms, the script will output HOST, USER, COOKIE, and OS variables in a form that can be used by OpenConnect (similar to the output of openconnect --authenticate):

$ eval $( gp-saml-gui --gateway --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': '[email protected]', 'saml-slo': 'no', 'saml-auth-status': '1'}

SAML response converted to OpenConnect command line invocation:

    echo 'blahblahblah' |
        openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com

$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
[email protected]
blahblahblah
win

$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"

If you specify either the -P/--pkexec-openconnect or -S/--sudo-openconnect options, the script will automatically invoke OpenConnect as described, using either pkexec from Polkit or sudo, as specified.

Extra Arguments to OpenConnect

Extra arguments for OpenConnect can be passed by adding -- to the command line after the server argument and appending them after it. For example:

$ gp-saml-gui -P --gateway --clientos=Windows vpn.company.com -- --csd-wrapper=hip-report.sh
…
Launching OpenConnect with pkexec, equivalent to:
    echo blahblahblahlongrandomcookievalue |
        sudo openconnect --protocol=gp [email protected] --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com
<pkexec authentication dialog pops up>
<openconnect runs>
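The conversion described in the two sections above (SAML result headers into the HOST/USER/COOKIE/OS values and into an OpenConnect command line, with extra arguments appended after it), written out as an added Python example. This is not gp-saml-gui's own code: the function names, the SamlResultError class and the Linux and Mac --os values are assumptions of this example; only the header names, the --usergroup form and the Windows value come from the README output above.

```python
"""Added example (not gp-saml-gui's own code): turn the SAML result headers
returned by the GlobalProtect ACS endpoint into the HOST/USER/COOKIE/OS
values and the OpenConnect command line that the README shows.

Assumptions (not from the README): the Linux/Mac --os values, the
SamlResultError class and every function name below are this example's own.
"""
import shlex

# --clientos choice -> OpenConnect --os value.  'win' is the value shown in
# the README output; the other two are assumed.
CLIENTOS_TO_OS = {"Windows": "win", "Linux": "linux-64", "Mac": "mac-intel"}

REQUIRED_HEADERS = ("saml-username", "prelogin-cookie")


class SamlResultError(ValueError):
    """The ACS response did not carry what OpenConnect needs to log in."""


def saml_result_to_openconnect(headers, server, clientos="Windows",
                               interface="gateway", extra_args=()):
    """Map SAML result headers to HOST/USER/COOKIE/OS and an OpenConnect argv.

    Fails loudly when a required header is missing instead of emitting
    'None' values that would be eval'd into the shell unnoticed.
    """
    if headers.get("saml-auth-status") != "1":
        raise SamlResultError("saml-auth-status is %r, expected '1'"
                              % headers.get("saml-auth-status"))
    missing = [h for h in REQUIRED_HEADERS if not headers.get(h)]
    if missing:
        raise SamlResultError("SAML result lacks %s" % ", ".join(missing))
    if interface not in ("gateway", "portal"):
        raise ValueError("interface must be 'gateway' or 'portal'")

    usergroup = "%s:prelogin-cookie" % interface
    argv = ["openconnect", "--protocol=gp",
            "--user=" + headers["saml-username"],
            "--os=" + CLIENTOS_TO_OS[clientos],
            "--usergroup=" + usergroup,
            "--passwd-on-stdin", server]
    # Extra arguments stay separate argv entries; joining them into one
    # string would hand OpenConnect a single bogus positional argument.
    argv.extend(extra_args)
    return {
        "HOST": "https://%s/%s" % (server, usergroup),
        "USER": headers["saml-username"],
        "COOKIE": headers["prelogin-cookie"],
        "OS": CLIENTOS_TO_OS[clientos],
        "argv": argv,
    }


def shell_exports(result):
    """Lines suitable for eval $( ... ): every value is shell-quoted."""
    return "\n".join("%s=%s" % (name, shlex.quote(result[name]))
                     for name in ("HOST", "USER", "COOKIE", "OS"))


def command_line(result):
    """The equivalent one-liner.  The cookie travels on stdin rather than in
    argv, so it does not show up in `ps` output while openconnect runs."""
    return "echo %s | %s" % (shlex.quote(result["COOKIE"]),
                             shlex.join(result["argv"]))


if __name__ == "__main__":
    # Constructed headers modelled on the README's 'Got SAML relevant headers' line.
    sample = {"prelogin-cookie": "blahblahblah", "saml-username": "user@example.com",
              "saml-slo": "no", "saml-auth-status": "1"}
    r = saml_result_to_openconnect(sample, "vpn.company.com",
                                   extra_args=["--csd-wrapper=hip-report.sh"])
    print(shell_exports(r))
    print(command_line(r))
```

Every value is passed through shlex.quote, so an extra argument containing spaces (for instance a --script value with its own options) survives as one argument, and a missing header aborts before anything reaches eval.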

License

GPLv3 or newer

Contributors

bytecommander, davel, dimitripapadopoulos, dktrkranz, dlenski, dmakeienko, fface32, jasonaowen, lukebakken, mchehab, mildsunrise, tysonandre

gp-saml-gui's Issues

README.md should avoid non-ascii characters

I am getting on RH7:

pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
  Using cached https://github.com/dlenski/gp-saml-gui/archive/master.zip
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-jbakt529-build/setup.py", line 18, in <module>
        long_description=open("README.md").read(),
      File "/usr/lib64/python3.6/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 4972: ordinal not in range(128)
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-jbakt529-build/

As I understand it, this was caused by a funny character on line 126 of README.md.

$ gp-saml-gui command not valid after gp-saml-gui install

I don't get any farther than the '$ gp-saml-gui' command.
It is not valid.

$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
Downloading https://github.com/dlenski/gp-saml-gui/archive/master.zip

164 kB 175 kB/s
Requirement already satisfied: pygobject in /usr/lib/python3/dist-packages (from gp-saml-gui==0.1) (3.36.0)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from gp-saml-gui==0.1) (2.22.0)
Requirement already satisfied: pycairo>=1.11.1 in /usr/lib/python3/dist-packages (from pygobject->gp-saml-gui==0.1) (1.16.2)
Building wheels for collected packages: gp-saml-gui
Building wheel for gp-saml-gui (setup.py) ... done
Created wheel for gp-saml-gui: filename=gp_saml_gui-0.1-py3-none-any.whl size=22563 sha256=b55dafecbba7a98bc15f2956cc1de8d035a036324816dc54a4f6813829fdb877
Stored in directory: /tmp/pip-ephem-wheel-cache-aa1pi5st/wheels/e2/0f/fd/0fe4e06555dce4a18ca14842b18d0f07c8fba37c309af8695e
Successfully built gp-saml-gui
Installing collected packages: gp-saml-gui
WARNING: The script gp-saml-gui is installed in '/home/nicolas/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed gp-saml-gui-0.1

$ gp-saml-gui
gp-saml-gui: command not found
$ usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
-K]: command not found
-g]: command not found
usage:: command not found
$ [--key KEY] [-v | -q] [-x | -P | -S] [-u]
-P: command not found
-S]: command not found
-q]: command not found
[--key: command not found
$ [--clientos {Windows,Linux,Mac}] [-f EXTRA]
[--clientos: command not found
$ server [openconnect_extra [openconnect_extra ...]]
Defaulting to port 8080Listening on port 8080

man page has wrong file name

The man page is named "gp-saml-gui.8" (using hyphens as separators).

But recently the command has switched name to "gp_saml_gui.py" (using underscores as separators)

SSL error : "SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED"

Hi @dlenski !

After upgrading from Ubuntu 20.04 to 22.04 I get the following SSL error when connecting to my office VPN:

gp-saml-gui -v --clientos=Windows zehost.domain.com
Looking for SAML auth tags in response to https://zehost.domain.com/global-protect/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Linux,Mac,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

(same results using "--clientos=Linux", for unknown reasons, IT is asking us to use "--clientos=Windows")

It's been working fine for almost 2 years under Ubuntu 20.04. Works fine from a VM using Ubuntu 21.10. Fails in a VM with Ubuntu 22.04. Any hints on how I could gather more details about this? Looking for ways to document the issue further to either bring info here, or on the Ubuntu side.

Thanks!

RFE: spawn from openconnect itself

We duplicate a bunch of stuff that openconnect knows about the GP protocol, just as openconnect-sso duplicates a bunch of stuff about the AnyConnect protocol.

Now that the SAML support has been merged into OpenConnect upstream, it would be really nice to make the openconnect CLI capable of spawning a browser in a separate process. For AnyConnect we already have its 'external browser' mode but that's very different as the SAML flow actually terminates with a redirect to http://localhost:29786/... with the token. For the normal SAML flows we actually need a 'browser' that we can monitor and steal cookies from; we can't just launch the system browser (unless we make a nasty plugin and deal with the resulting security concerns).

So... can we make openconnect just spawn a variant of gp-saml-gui or openconnect-sso and get the cookie back from it? We already do something like that with TNCC for the DSPREAUTH cookie; instead of just unhelpfully printing No SSO handler, can we instead spawn something like
$WEBVIEW_SCRIPT --url $SAML_URL --final-url $SAML_FINAL_URL --cookie $SAML_TOKEN_COOKIE
... and then get the answer back from its stdout like we do with TNCC?

Arch Linux dependencies

First of all, thank you for this excellent project. I found it via this discussion: dlenski/openconnect#116

I'm using an up-to-date Arch Linux (as of 2020-09-22) and had to install the following to use this project:

gtk3
gobject-introspection
webkit2gtk

webkit2: x509 client certificate

Hello all,

For SAML authentication we need to send the client certificate to the Keycloak instance.
This is not implemented in the class "SAMLLoginView" yet.
I could not find a way to implement this so far either.

https://lazka.github.io/pgi-docs/WebKit2-4.0/mapping.html

Any ideas would be appreciated.

webkit browser error:
{"error_description":"X509 client certificate is missing.","error":"invalid_request"}

Hook up openconnect's --script

Hi there!

I stumbled upon this nice little script because in my company we are moving to SAML login.

One thing that I had in my previous openconnect setup was:

--script="$vpn_slice_bin --verbose $my_tunneled_domains"

I wonder if you are open to a contribution that adds a parameter, say an --openconnect-script option, to be able to forward the above down to openconnect.

Thanks for this and please let me know your thoughts!

Web prompt does not work on Wayland

Hello, I'm new here.

I was trying gp-saml-gui and it works perfectly on X11, but on Wayland I cannot see the form to log in with Azure.

I don't know if this is an issue with Wayland or gp-saml-gui, maybe if someone can give me a hand, please?

Thanks and greetings!

Code throws up errors

Hello, I am trying to connect using the commands given, and I get:

$ eval $( ./gp-saml-gui.py -v vpn.iastate.edu )
Traceback (most recent call last):
  File "./gp-saml-gui.py", line 127, in <module>
    xml = ET.fromstring(res.content)
  File "/usr/lib64/python3.7/xml/etree/ElementTree.py", line 1315, in XML
    parser.feed(text)
xml.etree.ElementTree.ParseError: mismatched tag: line 7, column 2

There is some error that I do not quite understand. Am I missing some dependencies? I am on Fedora 30.

Tested in Debian 12 and it does not open display

Hello, I recently tested this in the current Debian 12 KDE Plasma and I'm getting "cannot open display". I tried to use --external and it still does not work.

$ eval $( gp-saml-gui --gateway --allow-insecure-crypto --clientos=Windows vpn-at-somewhere.tech )
Looking for SAML auth tags in response to https://vpn-at-somewhere.tech/ssl-vpn/prelogin.esp...
Got SAML REDIRECT, opening browser...

(gp-saml-gui:154893): Gtk-WARNING **: 14:05:36.352: cannot open display:

Can anybody help me debug this problem further, or maybe guide me where to look for logs?
Thank you!

TypeError: init() missing 1 required positional argument: 'argv' on Linux Mint 19

When I try to connect to the VPN with "gp-saml-gui --gateway --clientos=Linux mysite" I get an error:

Traceback (most recent call last):
  File "/home/di/.local/bin/gp-saml-gui", line 33, in <module>
    sys.exit(load_entry_point('gp-saml-gui==0.1', 'console_scripts', 'gp-saml-gui')())
  File "/home/di/.local/lib/python3.5/site-packages/gp_saml_gui.py", line 263, in main
    slv = SAMLLoginView(uri, html, verbose=args.verbose, cookies=args.cookies, verify=args.verify)
  File "/home/di/.local/lib/python3.5/site-packages/gp_saml_gui.py", line 36, in __init__
    Gtk.init()
TypeError: init() missing 1 required positional argument: 'argv'

My system is Linux Mint 19.1.
I've tried it on a clean fresh install of Linux Mint 20.1 and it works fine. Also I've tried to update Python to 3.9, but without luck.

"Timeout was reached" error

I've been using this application with success for some time, but suddenly I started receiving the error "Timeout was reached" when I tried to run something like:

gp-saml-gui -v --no-verify -P --gateway --clientos=Windows the.vpn.address

I checked and the VPN address can be accessed when I try it directly in a browser. Also, I've edited the code so the webview tries to access an arbitrary https URL (in my tests, https://www.google.com) and I also get the timeout. However, if I try to access an 'http' URL, I can load the content.

I'm using Ubuntu 20.04.

OpenConnect returns list of 'gateway servers', how to respond?

The install and start-up work great. I get a pop-up and get logged in, then GlobalProtect responds with a list of 'Gateway servers' and errors out with: "Resource temporarily unavailable"

How do I specify the gateway on the command line? I have tried --gateway="US Central"

gp-saml-gui -S remote.precisionplanting.com --clientos=Windows --gateway='US Central'
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA]
                   server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: argument -g/--gateway: ignored explicit argument 'US Central'

Log of connection attempt:

gp-saml-gui -S remote.precisionplanting.com --clientos=Windows
Looking for SAML auth tags in response to https://remote.precisionplanting.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE   ] Finished loading page https://login.microsoftonline.com/<snip>
[PAGE   ] Finished loading page https://remote.precisionplanting.com/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': '[email protected]', 'prelogin-cookie': 'R/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLl', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
        sudo openconnect --protocol=gp [email protected] --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py [email protected] --clientos=Windows -p '' \
        https://remote.precisionplanting.com/global-protect/getconfig.esp prelogin-cookie=R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl

Launching OpenConnect with sudo, equivalent to:
    echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
        sudo openconnect --protocol=gp [email protected] --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com
POST https://remote.precisionplanting.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to xxx.xxx.xx.xx:443                                                                           
SSL negotiation with remote.precisionplanting.com                                                                                                                                                                  
Connected to HTTPS on remote.precisionplanting.com
SAML login is required via REDIRECT to this URL:
        https://login.microsoftonline.com/<snip>
Enter login credentials
POST https://remote.precisionplanting.com/global-protect/getconfig.esp
21 gateway servers available:
  France North (fr-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US West (us-west-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada West (canada-west-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Germany Central (germany-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US East (us-east-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US Southeast (us-southeast-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US Central (us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada East (canada-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Andorra (andorra-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Bulgaria (bulgaria-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Croatia (croatia-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  France South (france-south-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Germany North (germany-north-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Hungary (hungary-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Moldova (moldova-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Romania (romania-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Ukraine (ukraine-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada Central (canada-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Argentina (argentina-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Brazil East (brazil-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Brazil Central (brazil-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
GATEWAY: [France North|US West|Canada West|Germany Central|US East|US Southeast|US Central|Canada East|Andorra|Bulgaria|Croatia|France South|Germany North|Hungary|Moldova|Romania|Ukraine|Canada Central|Argentina
|Brazil East|Brazil Central]:fgets (stdin): Resource temporarily unavailable

Sort gateways

gateways = [(e.find('description').text, e.get('name')) for e in set(chain(xml.findall('gateways/external/list/entry'), xml.findall('gateways6/external/list/entry')))]

Can you wrap this assignment like gateways = sorted(...)? That would make the output so much easier to read!
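An added Python example, not the project's own code, that implements the sorted listing requested here and also resolves a gateway description of the kind printed in the previous issue ("US Central", "France North", ...) to its hostname. The XML paths are the ones read by the snippet above; the sample document, the function names and the LookupError behaviour are this example's assumptions.

```python
"""Added example (not gp-saml-gui's own code): list the GlobalProtect
gateways from a getconfig.esp response sorted by description, and resolve a
description such as 'US West' to its hostname.

The XML layout (gateways/external/list/entry and gateways6/...) is the one
the issue's own code reads; the sample document and function names are
this example's constructions.
"""
import xml.etree.ElementTree as ET
from itertools import chain

# Constructed sample, not captured from a real portal.  The same entry is
# listed under both <gateways> and <gateways6> on purpose.
SAMPLE_GETCONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <gateways><external><list>
    <entry name="us-west-g-example.gw.example.net"><description>US West</description></entry>
    <entry name="canada-west-example.gw.example.net"><description>Canada West</description></entry>
    <entry name="andorra-example.gw.example.net"><description>Andorra</description></entry>
  </list></external></gateways>
  <gateways6><external><list>
    <entry name="us-west-g-example.gw.example.net"><description>US West</description></entry>
  </list></external></gateways6>
</policy>
"""


def list_gateways(xml_bytes):
    """Return sorted, de-duplicated (description, hostname) pairs.

    De-duplication is by value.  A set() over the Element objects, as in the
    snippet above, keeps an entry that appears in both lists twice, because
    each findall() yields distinct objects.
    """
    root = ET.fromstring(xml_bytes)
    entries = chain(root.findall("gateways/external/list/entry"),
                    root.findall("gateways6/external/list/entry"))
    pairs = set()
    for entry in entries:
        host = entry.get("name")
        if not host:
            continue            # an entry without a hostname is unusable
        pairs.add((entry.findtext("description") or host, host))
    return sorted(pairs, key=lambda p: (p[0].casefold(), p[1]))


def find_gateway(xml_bytes, description):
    """Resolve a gateway description (case-insensitively) to its hostname.

    Raises LookupError when the name is unknown or ambiguous, which is the
    outcome a non-interactive caller wants instead of a prompt.
    """
    wanted = description.casefold()
    hosts = [h for d, h in list_gateways(xml_bytes) if d.casefold() == wanted]
    if len(hosts) != 1:
        raise LookupError("%d gateways match %r" % (len(hosts), description))
    return hosts[0]


if __name__ == "__main__":
    for desc, host in list_gateways(SAMPLE_GETCONFIG):
        print("%-14s %s" % (desc, host))
    print(find_gateway(SAMPLE_GETCONFIG, "us west"))
```

Sorting by the case-folded description gives the readable listing asked for above; the hostname returned by find_gateway is the value a caller would hand to OpenConnect as the gateway server rather than answering the interactive GATEWAY prompt.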

extra commands not properly parsed/passed

$ ./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net --pfs
usage: gp_saml_gui.py [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp_saml_gui.py: error: unrecognized arguments: --pfs

$ ./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
usage: gp_saml_gui.py [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Windows,Linux}] [-f EXTRA] server [openconnect_extra ...]
gp_saml_gui.py: error: unrecognized arguments: --csd-wrapper=/usr/libexec/openconnect/hipreport.sh

writing the command as:
./gp_saml_gui.py -P --gateway --clientos="Linux" host.vpn.net \ --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
enters the saml handshake phase, but once openconnect command is generated, it is generated as


Launching OpenConnect with pkexec, equivalent to:
    echo CookieTextHere |
        sudo openconnect --protocol=gp [email protected] --os=linux-64 --usergroup=gateway:prelogin-cookie --passwd-on-stdin host.vpn.net ' --csd-wrapper=/usr/libexec/openconnect/hipreport.sh'

which causes openconnect to fail like so:

Too many arguments on command line
Usage:  openconnect [options] <server>
Open client for multiple VPN protocols, version v8.10-6.fc34

So, I suppose I could be doing something incorrectly, or not reading something correctly. If there's a way that I can solve this problem without asking you to change code, please let me know.

I naively tried to move openconnect_extra into the openconnect_args array, but got some kind of python list/string conversion error.

Webkit encountered an internal issue on login screen after upgrading to ubuntu 22.04

Upgraded to ubuntu 22.04 from 21.04 and worked my way through #42 and then I get the error above on login screen with the following trace. I'm using webkit2gtk-driver/jammy-updates,jammy-security 2.36.6-0ubuntu0.22.04.1 amd64.

Got SAML POST, opening browser...
(gp-saml-gui:18783): GLib-GIO-DEBUG: 10:46:50.281: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18790): GLib-GIO-DEBUG: 10:46:51.058: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(process:18790): GLib-GIO-DEBUG: 10:46:51.063: _g_io_module_get_default: Found default implementation networkmanager (GNetworkMonitorNM) for ‘gio-network-monitor’
(process:18790): GLib-GIO-DEBUG: 10:46:51.172: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18790): GLib-GIO-DEBUG: 10:46:51.178: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(process:18790): GLib-GIO-DEBUG: 10:46:51.178: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.375: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.784: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(WebKitWebProcess:18797): GLib-GIO-DEBUG: 10:46:51.785: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’
[PAGE   ] Finished loading page about:blank
(process:18790): GLib-GIO-DEBUG: 10:46:52.185: _g_io_module_get_default: Found default implementation environment (GEnvironmentProxyResolver) for ‘gio-proxy-resolver’
(process:18790): GLib-GIO-DEBUG: 10:46:52.196: _g_io_module_get_default: Found default implementation gnutls (GTlsBackendGnutls) for ‘gio-tls-backend’
(process:18790): GLib-GIO-DEBUG: 10:46:52.215: GSocketClient: Starting new address enumeration
(process:18790): GLib-GIO-DEBUG: 10:46:52.216: GSocketClient: Address enumeration completed (out of addresses)
(process:18790): GLib-GIO-DEBUG: 10:46:52.216: GSocketClient: Address enumeration failed: (null)
**
GLib-GIO:ERROR:../../../gio/gsocketclient.c:1982:g_socket_client_enumerator_callback: assertion failed: (data->error_info->best_error)
Bail out! GLib-GIO:ERROR:../../../gio/gsocketclient.c:1982:g_socket_client_enumerator_callback: assertion failed: (data->error_info->best_error)
[PAGE   ] Finished loading page
(process:18829): GLib-GIO-DEBUG: 10:46:53.791: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(process:18829): GLib-GIO-DEBUG: 10:46:53.842: _g_io_module_get_default: Found default implementation networkmanager (GNetworkMonitorNM) for ‘gio-network-monitor’
(process:18829): GLib-GIO-DEBUG: 10:46:53.853: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
(process:18829): GLib-GIO-DEBUG: 10:46:53.949: Failed to initialize portal (GPowerProfileMonitorPortal) for gio-power-profile-monitor: Not using portals
(process:18829): GLib-GIO-DEBUG: 10:46:53.949: _g_io_module_get_default: Found default implementation dbus (GPowerProfileMonitorDBus) for ‘gio-power-profile-monitor’

Getting None for USER and COOKIE

Thanks for this! Unfortunately, it doesn't seem to work quite right with our setup. If you let me know how to get even more verbose logs I can do that for you too. Here's the output with -v:

Got SAML POST, opening browser...
Finished loading about:blank
Finished loading https://company.okta.com/app/panw_globalprotect/[snip]/sso/saml
Finished loading https://company.okta.com/login/sessionCookieRedirect
Finished loading https://[company-vpn].com/SAML20/SP/ACS
Got SAML relevant headers, done: {'saml-auth-status': '1'}


SAML response converted to OpenConnect command line invocation:

    echo None |
        openconnect --protocol=gp --user=None --usergroup=gateway:None --passwd-on-stdin [company-vpn].com/global-protect/prelogin.esp

HOST='https://[company-vpn].com/global-protect/prelogin.esp/gateway:None'
USER=None
COOKIE=None

Extra Arguments not recognized

The extra arguments are not recognized in my version of gp-saml-gui.

If I invoke it like mentioned in the readme, I get the following error:

gp-saml-gui --gateway --clientos=Linux vpn.company  --sudo-openconnect -- --csd-wrapper=hipreport.sh
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Mac,Linux}]
                   [-f EXTRA] [--allow-insecure-crypto] [--user-agent USER_AGENT]
                   server [openconnect_extra ...]
gp-saml-gui: error: unrecognized arguments: -- --csd-wrapper=hipreport.sh

What am I missing?

Newer Mac version having an openconnect connection error.

I'm using @lkrms's fork to get this working on Mac, and it's almost working, but I'm hitting an issue during the connection process (so it shouldn't be related to his changes).

add net default: gateway **.**.**.**
 is not a recognized network service.
** Error: The parameters were not valid.

Seems to be similar to the issue being reported for this other utility: https://gitlab.com/openconnect/vpnc-scripts/-/issues/45

I'm not seeing any related code where you look for a network device, however. Any pointers, and I can hack on it?

Not working w/ Fedora 37

Just upgraded my Fedora 36 to Fedora 37, et voilà:

gp-saml-gui -S --gateway --no-verify --clientos=Linux xxx.xxxxxx.it
Traceback (most recent call last):
  File "/home/maurizio/.local/bin/gp-saml-gui", line 33, in <module>
    sys.exit(load_entry_point('gp-saml-gui==0.1', 'console_scripts', 'gp-saml-gui')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/maurizio/.local/bin/gp-saml-gui", line 22, in importlib_load_entry_point
    for entry_point in distribution(dist_name).entry_points
                       ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/importlib/metadata/__init__.py", line 964, in distribution
    return Distribution.from_name(distribution_name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/importlib/metadata/__init__.py", line 561, in from_name
    raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: No package metadata was found for gp-saml-gui

Unable to Install on MacOS

OS: MacOS Monterey

I'm trying to install an application that uses GTK, which requires Python 3 bindings, and I'm not able to find a way to install WebKit2. Since I'm using Homebrew as a package manager, installing via MacPorts may not be a viable solution. Additionally, I've seen that it hasn't worked for others using MacPorts either.

I installed gtk+3 and pygobject which fulfill most of the other dependency requirements, allow me to pip install the script, but I get the following error message when trying to execute it:

raise ValueError('Namespace %s not available' % namespace)
ValueError: Namespace Webkit2 not available

Are there any other ways to install WebKit2 on MacOS?

gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled

Hi Dan,

some time ago you helped me to set up gp-saml-gui. Now something has broken and I can't use openconnect any longer.

I have gp-saml-gui set up as follows:

gp-saml-gui --clientos=Windows --sudo-openconnect --gateway vpn-gw.my-host.com -- --csd-wrapper=/usr/lib/openconnect/hipreport.sh

Here's the exact error:

Looking for SAML auth tags in response to vpn-gw.my-host.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

Here's https://vpn-gw.my-host.com/ssl-vpn/prelogin.esp content:

<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Wpisz login i hasło</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>REMOVED_BY_ME</saml-request>
<auth-api>no</auth-api>
<region>PL</region>
</prelogin-response>

I'm using the latest OpenConnect for my OS (Arch Linux):

$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

I'm happy to provide you some more details if needed.
Cheers!

EDIT
There is a workaround: https://stackoverflow.com/a/72245418/2657875

Microsoft SAML contains XML in comment

I get a page that says Login Successful! and inspecting the DOM (if I go to the URL manually) shows roughly:

<html>
  <head></head>
  <body>Login Successful!</body>
  <!--
    <saml-auth-status>1</saml-auth-status>
    <prelogin-cookie>REDACTEDBAASE64==</prelogin-cookie>
    <saml-username>REDACTEDUSERNAME</saml-username>
    <saml-slo>yes</saml-slo>
    <saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter>
  -->
</html>

gp-saml-gui doesn't seem to know how to parse this; the browser window is still open waiting for me to do more things, but there is no button to press.

HTTP body length: (0)

Trying to connect to vpn server at unimelb:

WEBKIT_DISABLE_COMPOSITING_MODE=1 gp-saml-gui --allow-insecure-crypto vpn.unimelb.edu.au

Setting WEBKIT_DISABLE_COMPOSITING avoids the bug in #41.

--allow-insecure-crypto seems to be required for this VPN. Yuck.

This in turn works and asks me to run the following command:

echo <censored> |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto [email protected] --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin vpn.unimelb.edu.au
POST https://vpn.unimelb.edu.au/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to 203.5.68.131:443
SSL negotiation with vpn.unimelb.edu.au
Connected to HTTPS on vpn.unimelb.edu.au with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
POST https://vpn.unimelb.edu.au/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  staff (staff-vpn-gw.unimelb.edu.au)
Please select GlobalProtect gateway.
GATEWAY: [staff]:staff
POST https://staff-vpn-gw.unimelb.edu.au/ssl-vpn/login.esp
Connected to 203.5.68.133:443
SSL negotiation with staff-vpn-gw.unimelb.edu.au
Connected to HTTPS on staff-vpn-gw.unimelb.edu.au with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Failed to parse server response
Failed to complete authentication

At this stage I am at a bit of a loss to explain what is going on here.

Request: allow pop-ups

Thanks for the really useful script!

I've found I run into issues when using a security key. After entering my username and password, the authentication process brings me to Duo's page, which requires a pop-up when using a security key. However, the current GUI doesn't allow pop-ups.

Would it be possible to allow them? I think the relevant setting here is WebKit2.Settings.props.javascript_can_open_windows_automatically, though I don't know much about WebKit2.

I'm guessing that if pop-ups were allowed, I would next run into issue #26, so maybe this request is moot. The work-around you proposed there (using OTP instead of webauthn) could work.

Here's a screenshot:
Screenshot saying Pop-ups must be enabled for this authentication method.

Microsoft Authentication: SAML Issue

Any idea of what is going on? I login successfully with my credentials, and after I get this error.

Got SAML result headers: {'saml-auth-status': '1'}

Connect to VPN, but cannot ping or access restricted hosts

I had installed gp-saml-gui from AUR and I can connect and complete the SAML auth, but I cannot ping or access restricted hosts; by restricted hosts I mean those which are supposed to be available from the VPN.

Please tell me if I need to share some log. I did not copy-paste the output of the command here because I am not sure if it is sensitive.

Thanks!

gp-saml-gui doesn't work on latest Palo Alto updates (cookie is not in headers)

Hi there: I was using gp-saml-gui to connect to my university's GlobalProtect VPN site until yesterday.

The behaviour is like this: I run the script

eval $(OPENSSL_CONF=~/ssl.conf gp-saml-gui --gateway --clientos=Windows vpn.mysite.com)

and I can auth with my Microsoft Authenticator app on mobile and I see: Login successful!
But after that, nothing happens.

On the console, last message is:

[PAGE   ] Finished loading page https://XXXXXX.es/SAML20/SP/ACS

After a lot of research, and after running gp-saml-gui with the -x parameter, if I open the login window in another browser I see that the cookie is embedded in the web page as a comment and is not returned in the HTTP headers. I think that this is the root of the problem:


I don't know what version is running on the VPN appliance as it depends on another department, but I know that it was updated two days ago. Now that I know that this is the problem, when I get the "Login successful" window I press F12 and copy the prelogin cookie :-(. It's so slow, but it works..

I'm writing this post in case anybody has the same problem...
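Both this report and the "Microsoft SAML contains XML in comment" one above describe the same situation: the gateway puts the `<saml-*>` result tags inside an HTML comment instead of HTTP headers. The following is an added example (not code from gp-saml-gui or from either poster) of recovering those tags from the comment when the headers are incomplete; the sample page, cookie and username are constructed placeholders, and the set of tags treated as required is an assumption.

```python
import re
from html.parser import HTMLParser

# Tags seen inside the <!-- ... --> comment of the "Login Successful!" page in
# the reports above (saml-auth-status, prelogin-cookie, saml-username, saml-slo,
# saml-SessionNotOnOrAfter). Names are matched case-insensitively.
_TAG_RE = re.compile(r'<(saml-[A-Za-z]+|prelogin-cookie)>(.*?)</\1>', re.DOTALL)

# Assumption (not taken from the project): a usable result needs these three.
REQUIRED = ('saml-auth-status', 'prelogin-cookie', 'saml-username')


class _CommentCollector(HTMLParser):
    """Gathers the raw text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def saml_tags_from_comments(html):
    """Return {tag-name-lowercased: value} for result tags hidden in comments."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    found = {}
    for comment in parser.comments:
        for name, value in _TAG_RE.findall(comment):
            found[name.lower()] = value.strip()
    return found


def saml_result(headers, body):
    """Merge the SAML result: HTTP headers win, comment-embedded tags fill gaps.

    `headers` is a dict of response headers (any letter case); `body` is the
    response HTML, possibly empty. Only saml-* and prelogin-cookie keys are kept.
    """
    result = saml_tags_from_comments(body)
    for name, value in headers.items():
        key = name.lower()
        if key.startswith('saml-') or key == 'prelogin-cookie':
            result[key] = value
    return result


def is_complete(result):
    """True only when login succeeded and cookie plus username are present."""
    return (result.get('saml-auth-status') == '1'
            and all(result.get(k) for k in REQUIRED))


# Constructed sample modelled on the DOM quoted above; cookie and username are
# placeholders, not real values.
SAMPLE_PAGE = """<html>
  <head></head>
  <body>Login Successful!</body>
  <!--
    <saml-auth-status>1</saml-auth-status>
    <prelogin-cookie>CONSTRUCTED_COOKIE_VALUE==</prelogin-cookie>
    <saml-username>user@example.com</saml-username>
    <saml-slo>yes</saml-slo>
    <saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter>
  -->
</html>
"""

if __name__ == '__main__':
    # Headers alone, as in the "Got SAML result headers: {'saml-auth-status': '1'}"
    # report above, are not enough; the comment supplies the missing fields.
    headers_only = saml_result({'saml-auth-status': '1'}, '')
    print('headers only complete?', is_complete(headers_only))   # False
    merged = saml_result({'saml-auth-status': '1'}, SAMPLE_PAGE)
    print('with comment tags complete?', is_complete(merged))    # True
    print(merged)
```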

Can't get cert verified

Hi @dlenski,

Python: 3.6.8
OS: Ubuntu 18.04

Got some output below


eval $(./gp-saml-gui.py -v vpn.okta_test.com) 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

By adding --no-verify I got Unacceptable TLS certificate in the GUI.

Failed to obtain WebVPN cookie

Hi,

I am having basically the exact same issue as here: #6

Problem is, the solution from that thread doesn't work for me.

Where can I find the second cookie and how exactly am I supposed to use it? Where to input it?

Output of what-vpn is

PAN GlobalProtect (portal+portal wants SAML REDIRECT)

Commands I issue that got me the furthest are:

Command 1:
eval $( gp-saml-gui --portal --clientos=Windows gp-portal.companyserver.com)
Output:

Looking for SAML auth tags in response to https://gp-portal.companyserver.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE   ] Finished loading page ##Censored URL
[PAGE   ] Finished loading page https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/login
[PAGE   ] Finished loading page https://login.microsoftonline.com/common/SAS/ProcessAuth
[PAGE   ] Finished loading page https://gp-portal.companyserver.com/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': 'myusername', 'prelogin-cookie': 'oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.


SAML response converted to OpenConnect command line invocation:

    echo oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=myusername --clientos=Windows -p '' \
         https://gp-portal.companyserver.com/global-protect/getconfig.esp prelogin-cookie=oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P

Command 2:

openconnect -vvv --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com
oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P ##Cookie on line 2

Output 2:

POST https://gp-portal.companyserver.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 1.2.3.4:443 ##Dummy IP, had to censor.
Connected to 1.2.3.4:443 ##Dummy IP, had to censor.
SSL negotiation with gp-portal.companyserver.com
Connected to HTTPS on gp-portal.companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1518
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; path=/; secure; httponly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (1518)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
	##Removed URL for privacy purposes.
Enter login credentials
POST https://gp-portal.companyserver.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 36230
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (36230)
4 gateway servers available:
  Germany - Frankfurt (frankfurt-gp-companyserver.com)
  Great Britain - London (london-gp-companyserver.com)
  Spain - Madrid  (madrid-gp-companyserver.com)
  Sweden - Stockholm (stockholm-gp-companyserver.com)
Please select GlobalProtect gateway.
GATEWAY: [Germany - Frankfurt|Great Britain - London|Spain - Madrid|Sweden - Stockholm]:Great Britain - London ##I just paste the gateway here
POST https://london-gp-companyserver.com/ssl-vpn/login.esp
Attempting to connect to server 4.3.2.1:443 ##Gateway IP, censored
Connected to 4.3.2.1:443 ##Gateway IP, censored
SSL negotiation with london-gp-companyserver.com
Connected to HTTPS on london-gp-companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (128)
Authentication failure: Invalid username or password
Failed to obtain WebVPN cookie

Thank you!

Popup blocked for Okta-Duo-FIDO login with yubikey security key

I have been using gp-saml-gui on Fedora Linux in an enterprise deployment that uses Okta, which in turn uses Duo for MFA. I have succeeded using the usual Duo push to the Duo mobile app.

However, the flow using a Yubikey security key does not seem to work. The Duo widget shows the enrolled security key, but stalls when trying to use it. The key's LED flashes once, briefly, on insertion which I think it does whether a browser is looking for a key or not. It never gets to the part where the key LED blinks and I am supposed to touch the button to confirm my presence.

The same Okta+Duo+Yubikey account flow works when logging into other apps such as GSuite in a regular Firefox session on the same laptop. This makes me think it is the WebKit browser that is the difference, but I am having trouble figuring out the status of related work in the WebKit issue tracker. It seems like a lot of FIDO/CTAP/webauthn work has been done in prior years, but I cannot tell whether this is something that ought to work yet in this scenario.

Note, this is testing with the consumer-focused "Yubikey security key" which does FIDO/FIDO2 only, without any writable storage.

AttributeError: 'NoneType' object has no attribute 'get_content_type'

I am using gp-saml-gui to log into a Duo SAML VPN. The authentication succeeds and I can connect to the VPN, but I receive an error during the authentication. I'm not sure what this error does or what it means, because everything seems to be working correctly despite the error.

Here's the standard output in my command line, server name and directory anonymized of course, and gp-saml-gui run with --verbose option:

Looking for SAML auth tags in response to https://vpn.example.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
[REQUEST] Request for resource about:blank
Traceback (most recent call last):
  File "/path/to/venv-gp-saml-gui/lib/python3.10/site-packages/gp_saml_gui.py", line 127, in on_load_changed
    ct = h.get_content_type()
AttributeError: 'NoneType' object has no attribute 'get_content_type'

I have gp-saml-gui installed in a Python virtual environment.
Command line arguments are:
--allow-insecure-crypto --clientos=Windows -v --gateway vpn.example.com

Remove "https://" and "/gateway:prelogin-cookie" from HOST variable

The README.md shows:

SAML response converted to OpenConnect command line invocation:

    echo 'blahblahblah' |
        openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com

$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
[email protected]
blahblahblah
win

$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"

Notice that the first shown openconnect invocation uses vpn.company.com as the host.

Yet the second invocation uses the $HOST variable which has a different value: https://vpn.company.com/gateway:prelogin-cookie

Recently the "https://" and "/gateway:prelogin-cookie" parts caused my VPN connection script to fail. It was working for many months but then started failing with the "Failed to parse server response. Failed to complete authentication" error.

In my case, the HOST variable is set to https://vpn.example.edu/ssl-vpn/login.esp:prelogin-cookie.

I fixed my script by changing it from:

#!/bin/bash

eval $(./gp_saml_gui.py -v --gateway --clientos=Linux vpn.example.edu)
echo "$COOKIE" \
  | sudo openconnect --protocol=gp -u "$USER" --usergroup=gateway:prelogin-cookie --os="$OS" --passwd-on-stdin "$HOST"

to:

#!/bin/bash

eval $(./gp_saml_gui.py -v --gateway --clientos=Linux vpn.example.edu)
: "${HOST#*//}"          # Chop off https:// from the beginning. Result will be in $_ variable
ADJUSTED_HOST=${_%%/*}   # Chop off path from the end
echo "$COOKIE" \
  | sudo openconnect --protocol=gp -u "$USER" --usergroup=gateway:prelogin-cookie --os="$OS" --passwd-on-stdin "$ADJUSTED_HOST"

So, I'm wondering if the HOST variable shouldn't have the "https://" and "/gateway:prelogin-cookie" parts.

Unacceptable TLS certificate

Hi Daniel,

As of today, after signing in with 2FA I'm left with a window that says Unacceptable TLS certificate. I then close that window and gp-saml-gui terminates. Everything worked fine Friday last week. I guess that they've made some changes over the weekend.

Looking for SAML auth tags in response to https://vpn.company.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
[PAGE   ] Finished loading page about:blank
[PAGE   ] Finished loading page https://xxx.okta.com/app/panw_globalprotect/exkmuy9k5dT1PXpfd0x7/sso/saml
[PAGE   ] Finished loading page https://xxx.okta.com/login/sessionCookieRedirect
[PAGE   ] Finished loading page https://xxx.okta.com/login/sessionCookieRedirect

(process:12775): GLib-GIO-CRITICAL **: g_tls_connection_get_peer_certificate_errors: assertion 'G_IS_TLS_CONNECTION (conn)' failed
Traceback (most recent call last):
  File "/path/to/gp-saml-gui/gp-saml-gui.py", line 103, in get_saml_headers
    h = rs.get_http_headers()
AttributeError: 'NoneType' object has no attribute 'get_http_headers'
[PAGE   ] Finished loading page about:blank
Login window closed by user.

Any ideas?

Thanks,
Hamish

gi vs pgi On Ubuntu 19.04

Using python3 (3.7.7) on Ubuntu 19.04, the system was unable to find the gi package even after installing python3-gi.

I was able to get the script working by installing pgi via pip3 install pgi and making the following changes:

 #!/usr/bin/env python3
 
-import gi
+import pgi
 import argparse
 import pprint
 import urllib
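Review bot: Swapping `import gi` for `import pgi` outright makes pgi a hard requirement for every user, including those on distributions where python3-gi already works; as the post itself proposes further down, a fallback such as `try: import gi` / `except ImportError: import pgi as gi` keeps the module name `gi` and leaves the rest of the file untouched.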
@@ -15,9 +15,9 @@ from sys import stderr, platform
 from binascii import a2b_base64, b2a_base64
 from urllib.parse import urlparse, urlencode
 
-gi.require_version('Gtk', '3.0')
-gi.require_version('WebKit2', '4.0')
-from gi.repository import Gtk, WebKit2, GLib
+pgi.require_version('Gtk', '3.0')
+pgi.require_version('WebKit2', '4.0')
+from pgi.repository import Gtk, WebKit2, GLib
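Review bot: If the `gi` name is kept through a fallback import, these three `require_version`/`from ... repository` lines need no change at all; with the patch as written, any other `gi.` reference remaining elsewhere in the file would have to be renamed too, so check that none are left, and the `'WebKit2', '4.0'` pin carried over here should still match the gir1.2-webkit2 package actually installed.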

As a more permanent fix, how would we feel about aliasing pgi as gi if the pgi package is installed? If pgi is not present then attempt to import gi?

Unable to install, fixed with more apt installs (maybe update readme?)

Using python 3.8.5 in pyenv on pop-os 20.10 (ubuntu 20.10).
I installed the apt packages specified, set my local python to 3.8.5, then did the following:

ron@pop-os:~$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting https://github.com/dlenski/gp-saml-gui/archive/master.zip
  Using cached https://github.com/dlenski/gp-saml-gui/archive/master.zip
Collecting requests
  Using cached requests-2.25.1-py2.py3-none-any.whl (61 kB)
Collecting pygobject
  Using cached PyGObject-3.40.1.tar.gz (714 kB)
  Installing build dependencies ... error
  ERROR: Command errored out with exit status 1:
   command: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-07viv83v/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel pycairo
       cwd: None
  Complete output (40 lines):
  Collecting setuptools
    Using cached setuptools-56.0.0-py3-none-any.whl (784 kB)
  Collecting wheel
    Using cached wheel-0.36.2-py2.py3-none-any.whl (35 kB)
  Collecting pycairo
    Using cached pycairo-1.20.0.tar.gz (344 kB)
    Installing build dependencies: started
    Installing build dependencies: finished with status 'done'
    Getting requirements to build wheel: started
    Getting requirements to build wheel: finished with status 'done'
      Preparing wheel metadata: started
      Preparing wheel metadata: finished with status 'done'
  Building wheels for collected packages: pycairo
    Building wheel for pycairo (PEP 517): started
    Building wheel for pycairo (PEP 517): finished with status 'error'
    ERROR: Command errored out with exit status 1:
     command: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip/_vendor/pep517/_in_process.py build_wheel /tmp/tmpataepmrk
         cwd: /tmp/pip-install-tse1150j/pycairo
    Complete output (15 lines):
    running bdist_wheel
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-3.8
    creating build/lib.linux-x86_64-3.8/cairo
    copying cairo/__init__.py -> build/lib.linux-x86_64-3.8/cairo
    copying cairo/__init__.pyi -> build/lib.linux-x86_64-3.8/cairo
    copying cairo/py.typed -> build/lib.linux-x86_64-3.8/cairo
    running build_ext
    Package cairo was not found in the pkg-config search path.
    Perhaps you should add the directory containing `cairo.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'cairo', required by 'virtual:world', not found
    Command '['pkg-config', '--print-errors', '--exists', 'cairo >= 1.15.10']' returned non-zero exit status 1.
    ----------------------------------------
    ERROR: Failed building wheel for pycairo
  Failed to build pycairo
  ERROR: Could not build wheels for pycairo which use PEP 517 and cannot be installed directly
  WARNING: You are using pip version 20.1.1; however, version 21.0.1 is available.
  You should consider upgrading via the '/home/ron/.pyenv/versions/3.8.5/bin/python3.8 -m pip install --upgrade pip' command.
  ----------------------------------------
ERROR: Command errored out with exit status 1: /home/ron/.pyenv/versions/3.8.5/bin/python3.8 /home/ron/.pyenv/versions/3.8.5/lib/python3.8/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-07viv83v/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel pycairo Check the logs for full command output.
WARNING: You are using pip version 20.1.1; however, version 21.0.1 is available.
You should consider upgrading via the '/home/ron/.pyenv/versions/3.8.5/bin/python3.8 -m pip install --upgrade pip' command.

Seemed like I was missing libraries. So I installed these (over a few iterations, some may not be needed):

sudo apt install libcairo2-dev pkg-config python3-dev cairo-5c libcairo-5c-dev libcairo-gobject2 python3-cairocffi libgirepository1.0-dev

And now I get the package to install.

GP gateway expects client certificate, but gp_saml_gui.py "-c" option does not pass it to openconnect

Hi Dan, first of all thanks for the gp-saml-gui tool, which works for me to establish a VPN connection via a GlobalProtect gateway after a SAML authentication detour through login.microsoftonline.com.

But I had to apply a minor modification, as gp_saml_gui.py seems to use client certificates supplied with the -c option only for the TLS connections that it establishes itself - it does not pass the certificate to openconnect via openconnect's -c option:

+++ b/gp_saml_gui.py
@@ -336,6 +337,10 @@ def main(args = None):
     if args.user_agent:
         openconnect_args.insert(1, "--useragent="+args.user_agent)
 
+    if args.cert is not None:
+        openconnect_args.insert(1, args.cert[0])
+        openconnect_args.insert(1, "-c")
+
     openconnect_command = '''    echo {} |\n        sudo openconnect {}'''.format(
         quote(cv), " ".join(map(quote, openconnect_args)))
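Review bot: `args.cert[0]` indexes into the option without a length check and assumes `-c` was parsed as a list; if it is a plain string this inserts only its first character, so use the value as parsed (or guard the list). The private key is also not forwarded: the usage lines earlier on this page show gp-saml-gui accepts `[--key KEY]`, so when a key was given it should be inserted alongside `-c` (openconnect takes it via `-k`/`--sslkey`), and the same options should appear in the `openconnect_command` string built right below, which the post notes is already misleading about stdin.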

The above change may not be as generic as one might want it to be, but it worked for my case, where the GP gateway expects me to present a valid client certificate.

BTW: While debugging this, I noticed that the output of print('''Launching OpenConnect with {}, equivalent to:\n{}''' ... is somewhat misleading when the openconnect conversation with the GP gateway expects some input from standard-in - using --passwd-on-stdin along with piped input the way suggested by the printed command line does not work then - while the direct invocation of openconnect by the gp_saml_gui.py script works just fine.

SAML login via gateway and Microsoft Azure doesn't work with this script

Hey,
I'm trying to connect to our work VPN (PAN GlobalProtect), but I'm getting the following error:

> eval $( ./gp-saml-gui.py -v remote.company.com --external -vvv )
Looking for SAML auth tags in response to https://remote.company.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui.py [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
                      [--key KEY] [-v] [-x] [-u]
                      server [extra [extra ...]]
gp-saml-gui.py: error: This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)

Your other tool (what-vpn) gives me the following information (I ran it three times, and it gave me three different(?) responses):

> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (gateway+portal+SAML REDIRECT)
> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (SAML REDIRECT+gateway+portal)
> what-vpn remote.company.com
remote.company.com: PAN GlobalProtect (portal+SAML REDIRECT+gateway)

Do you have any idea why I'm getting that message?

Thanks

blank login window with webkit-gtk-2.36.x

After upgrade to webkit-gtk-2.36.x login page is blank. Thus, not possible to enter credentials and proceed with login.

Downgrade to 2.34.x fixes the problem.

Distro: Gentoo

Error performing TLS handshake

Looks like our VPN gateways were updated and now the UI pop-up throws:

Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

while the log throws:

(process:25926): libsoup-WARNING **: 18:53:45.235: gssapi step failed: Unspecified GSS failure. Minor code may provide more information: SPNEGO cannot find mechanisms to negotiate
Traceback (most recent call last):
  File "./gp_saml_gui.py", line 108, in get_saml_headers
    h = rs.get_http_headers()
AttributeError: 'NoneType' object has no attribute 'get_http_headers'

Do you have any idea how to fix it? I looked at openconnect directly but didn't find TLS/cipher options.

SSL certificate error with 4096-bit certificates

Hi Daniel,

I recently started getting the SSL certificate error "unable to get local issuer certificate". I'm told that the old 2048-bit certificates were renewed as 4096-bit certificates. Could the change of encryption be causing this problem?

Thanks,
Hamish

connection-type=notunnel (expected tunnel)

Hello,

I am trying to connect to a GlobalProtect gateway with SAML authentication from my Fedora 34 workstation (all our other laptops are running Windows).
The SAML authentication seems to work fine and the cookie is extracted, but the openconnect command fails with the error Failed to obtain WebVPN cookie.

$ openconnect --version
OpenConnect version v8.10-6.fc34
Using GnuTLS 3.7.2. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
  1. SAML authentication (redacted GATEWAY and USERNAME)
$ eval $( gp-saml-gui --gateway --clientos=Windows GATEWAY )
Looking for SAML auth tags in response to https://GATEWAY/ssl-vpn/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE   ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/saml2?SAMLRequest=lZJNb8IwDIb%2FSpV7m5CmXxGt1MFhSEyraLfDLlMIKURqEpakEz9%2FFDaNXZB2tPz6sf3ac8fUcKT16A96Iz5G4XxwUoN29JIowWg1NcxJRzVTwlHPaVs%2FrSmOED1a4w03Awhq54T10uiF0W5UwrbCfkouXjbrEhy8PzoK4X4wWzZMRYL7UJ0iNVpxirhRlJAYTliMYNvAetGCYHkeRWo2QX8Rg9lLHSnJrXGm90YPUouJAAuWx0WWoVAUPQ9JFmdhgRIexhnq02SLBMYETjthEKyWJXhHSb5LUpEmeZb2MUkTMuvzHedpkWaEZf1Z5twoVtp5pn0JMMKzEBUhJt0MUTyjCXkDQfNtwYPUO6n39%2F3aXkWOPnZdEzbPbQeCV2HdZcWzAFTzaUJ6aWxv7nAfy37MB9V%2FrZ7Dm4bVNfr7DdUX&RelayState=PskUAEXKg2A1MzcyNDliNWVhZjVhMTM4Yzc4YmMzMmJlZTY0OTA2NQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=eyPQIuYoBry%2BEaRRfg9%2FQynmUWFyGstKL6pUFjNWB2dOStn%2Bk%2FXsobcaE%2Ffuv%2FCCqRkJaw%2FWVtIpzFBV%2BnuPzFdMmWa9B6DSS5unET%2Fu2Uda5xStkuGSVkvgfMKGqxpaYiT0cq7DL3nyTZsUvCC5xgPr42LNbxE%2FVm5PNsK74QxaqhsamNjukLh0RwdZ4JPWvPx4FrdSKU9md5rwuq%2BDb8u2iPjJPPCGCS0gHcNkS8bpvD5GapP5YhQ2sreq6DROF%2BZUvUP4oZQ5ro8xwVk%2BdWd1oC6PGm9KIqYm8bleWgXqZ%2Flb3Iwf8RFO4iKl7G0yaO03oxHdRi88MwKTYk0fDg%3D%3D

(process:91394): libsoup-WARNING **: 13:22:08.196: gssapi step failed: No credentials were supplied, or the credentials were unavailable or inaccessible: SPNEGO cannot find mechanisms to negotiate
[PAGE   ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/login
[PAGE   ] Finished loading page https://GATEWAY/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': 'USERNAME', 'prelogin-cookie': '/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.

SAML response converted to OpenConnect command line invocation:

    echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe |
        sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=USERNAME --clientos=Windows -p '' \
         https://GATEWAY/ssl-vpn/login.esp prelogin-cookie=/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe
  1. Issuing openconnect command (redacted GATEWAY)
$ echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe |
        sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY
POST https://GATEWAY/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 10.29.255.65:443
SSL negotiation with GATEWAY
Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
POST https://GATEWAY/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=COMPANY.COM_AZURE-SAML_Auth-Prof
GlobalProtect login returned connection-type=notunnel (expected tunnel)
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
Please report 1 unexpected values above (of which 1 fatal) to <[email protected]>
Failed to obtain WebVPN cookie

Do you know what could be the issue or how I could get some more logs?
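One precaution worth pointing out for output like the above: the `prelogin-cookie` that gp-saml-gui prints is exactly the value that the generated command pipes into `openconnect --passwd-on-stdin`, so it is a login credential for as long as the gateway honours it, and the `SAMLRequest`/`RelayState`/`Signature` query parameters in the IdP redirect URL are signed request material. Redacting `GATEWAY` and `USERNAME` alone leaves those in the paste. The script below is an added example, not part of gp-saml-gui or OpenConnect; it assumes the output formats shown in the log above (the result-header dict, the `echo … |` line, the `prelogin-cookie=` argument and the redirect URL), and the sample log and the cookie value in it are constructed.

```python
"""Redact credentials from gp-saml-gui / openconnect output before sharing it.

Usage:  gp-saml-gui ... 2>&1 | python3 redact_gp_log.py > sanitised.log

Added example; the regexes target the line formats seen in gp-saml-gui's
output and are not an official part of the project.
"""
import re
import sys

_PATTERNS = [
    # 'prelogin-cookie': 'VALUE' inside the "[SAML   ] Got SAML result headers" dict
    (re.compile(r"('prelogin-cookie':\s*')[^']+(')"), r"\1<REDACTED>\2"),
    # prelogin-cookie=VALUE on the test-globalprotect-login.py command line
    (re.compile(r"(prelogin-cookie=)\S+"), r"\1<REDACTED>"),
    # echo VALUE | sudo openconnect ... (the cookie piped in as the password)
    (re.compile(r"(^\s*\$?\s*echo\s+)\S+(\s*\|)", re.MULTILINE), r"\1<REDACTED>\2"),
    # Signed SAML request material in the IdP redirect URL (SigAlg is kept:
    # it only names the algorithm and is useful for debugging)
    (re.compile(r"((?:SAMLRequest|RelayState|Signature)=)[^&\s]+"), r"\1<REDACTED>"),
]


def redact(text):
    """Return (sanitised text, number of values replaced)."""
    total = 0
    for pattern, replacement in _PATTERNS:
        text, count = pattern.subn(replacement, text)
        total += count
    return text, total


# Constructed sample in the shape of the log above; the cookie value is fake.
SAMPLE_LOG = """$ eval $( gp-saml-gui --gateway --clientos=Windows GATEWAY )
[PAGE   ] Finished loading page https://login.microsoftonline.com/TENANT/saml2?SAMLRequest=AAAA%2FBBBB&RelayState=CCCC%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=DDDD%2BEEEE
[SAML   ] Got SAML result headers: {'saml-username': 'USERNAME', 'prelogin-cookie': 'EXAMPLEcookieVALUE0123456789', 'saml-slo': 'no', 'saml-auth-status': '1'}
    echo EXAMPLEcookieVALUE0123456789 |
        sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY
    test-globalprotect-login.py --user=USERNAME --clientos=Windows -p '' \\
         https://GATEWAY/ssl-vpn/login.esp prelogin-cookie=EXAMPLEcookieVALUE0123456789
"""


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    clean, replaced = redact(source)
    sys.stdout.write(clean)
    sys.stderr.write(f"redacted {replaced} value(s)\n")
```

Run it on a captured session before pasting into an issue; the count on stderr is a quick check that the cookie and SAML parameters were actually matched, since a cookie in an unexpected format would otherwise pass through untouched.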
