Re: openconnect with SAML and GlobalProtect
On Fri, May 22, 2020 at 1:00 AM David Woodhouse wrote:
> On Thu, 2020-05-21 at 16:32 -0400, Michel van der List wrote:
> > > If *that* doesn't work, try building with @yuezk's recent patch
> > > (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> > > which will let you authenticate to the portal and then pass whatever
> > > cookies it gets through to the gateway. This appears to work on *some
> > > GP servers* with SAML, but not others.
> >
> > OK, that will take a bit. I was just using the 'bog standard' Fedora
> > delivered openconnect :-).
>
> If I merge that MR, it'll show up in the COPR at
> https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/
>
> I've been waiting for less mixed signals like "doesn't work for all
> cases" from Dan... :)

!109 is incomplete in terms of handling all the myriad ways in which a portal *could* hand off cookies to a gateway.

https://gitlab.com/dlenski/openconnect/commits/gp_auth_fixes appears to be working better, per https://gitlab.com/openconnect/openconnect/-/issues/147#note_347547783

In terms of fixing this once-and-for-all, I'm at the mercy of the fact that there appear to be a gazillion ways the portal-to-gateway handoff *can* be configured, and I don't have access to any VPNs that use the ones where it really matters (only way to login is via SAML to portal, then cookie handoff to gateway), no one who administers these VPNs understands how this works, and most of the users who figure out how to make it work for *their* VPN don't stick around long enough to help me collect reliable data for solving the problem in general.

-Dan

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: openconnect with SAML and GlobalProtect
Confession time. mea culpa mea culpa mea culpa

> OK, so I now did my SAML dance and got the cookie from the SAML
> response from the VPN (i.e. ). I then
> did (I tried both that cookie and the preauth-cookie):

Blah Blah. Irrelevant stuff!

So, I couldn't figure out why my code that did exactly what the example gp-saml-gui code did would not work. Except, my code did not do exactly the same (duuh).

I started working on this using the global-protect/pre-login.esp URL, just to get the whole SAML dance done. Of course, after you figure that out, it *really* helps if you actually use the *ssl-vpn*/pre-login.esp if you try to start a VPN.

My sincere apologies to this mailing list for wasting valuable time.

Michel
Re: openconnect with SAML and GlobalProtect
On Thu, 2020-05-21 at 16:32 -0400, Michel van der List wrote:
> > If *that* doesn't work, try building with @yuezk's recent patch
> > (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> > which will let you authenticate to the portal and then pass whatever
> > cookies it gets through to the gateway. This appears to work on *some
> > GP servers* with SAML, but not others.
>
> OK, that will take a bit. I was just using the 'bog standard' Fedora
> delivered openconnect :-).

If I merge that MR, it'll show up in the COPR at
https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/

I've been waiting for less mixed signals like "doesn't work for all
cases" from Dan... :)
Re: openconnect with SAML and GlobalProtect
> You may need to try --usergroup=gateway:prelogin-cookie instead of
> portal in the last step. (I noticed that you tried
> --usergroup=prelogin-cookie:gateway, which is backwards, so that
> definitely won't work.)

OK, so I now did my SAML dance and got the cookie from the SAML response from the VPN (i.e. ). I then did (I tried both that cookie and the preauth-cookie):

# echo "$cookie" | \
    sudo openconnect --verbose --passwd-on-stdin --protocol=gp \
    --usergroup=gateway:prelogin-cookie --user=j...@example.com vpn.example.com
POST https://vpn.example.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.251:443
Connected to 1.2.3.251:443
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 21 May 2020 20:16:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1909
Connection: keep-alive
ETag: "e185e9a5382"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=TGludXg%3D; expires=Fri, 22-May-2020 20:16:40 GMT; path=/
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (1909)
Destination form field POST was specified; assuming SAML prelogin-cookie authentication is complete.
Enter login credentials
POST https://vpn.example.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Date: Thu, 21 May 2020 20:16:40 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605e9a5382"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
Set-Cookie: PHPSESSID=fd242eddc8c24b4998fa84453ba87586; secure; HttpOnly
HTTP body length:  (128)
Unexpected 512 result from server
Enter login credentials
Username:
fgets (stdin): Resource temporarily unavailable

> If *that* doesn't work, try building with @yuezk's recent patch
> (https://gitlab.com/openconnect/openconnect/-/merge_requests/109),
> which will let you authenticate to the portal and then pass whatever
> cookies it gets through to the gateway. This appears to work on *some
> GP servers* with SAML, but not others.

OK, that will take a bit. I was just using the 'bog standard' Fedora delivered openconnect :-).

> Bottom line is that I believe we fully understand how to inject the
> SAML cookies into the gateway if the *gateway* does SAML, but we don't
> fully understand how to do SAML authentication to the portal and then
> get the portal to pass the cookies to the gateway, if you have to do
> the SAML authentication to the portal.

I can circle back to the gp-saml-gui code as well, now that I have a better handle on the SAML dance.

Thanks a ton for all the help so far,

Michel
Re: openconnect with SAML and GlobalProtect
> OK, I'll take another look at the gp-saml-gui code to see how it performs
> that last step, or uses the script.

I see. Sorry, I missed that you had already tried gp-saml-gui (🤦♂️).

You may need to try --usergroup=gateway:prelogin-cookie instead of portal in the last step. (I noticed that you tried --usergroup=prelogin-cookie:gateway, which is backwards, so that definitely won't work.)

If *that* doesn't work, try building with @yuezk's recent patch (https://gitlab.com/openconnect/openconnect/-/merge_requests/109), which will let you authenticate to the portal and then pass whatever cookies it gets through to the gateway. This appears to work on *some GP servers* with SAML, but not others.

Bottom line is that I believe we fully understand how to inject the SAML cookies into the gateway if the *gateway* does SAML, but we don't fully understand how to do SAML authentication to the portal and then get the portal to pass the cookies to the gateway, if you have to do the SAML authentication to the portal.

On Thu, May 21, 2020 at 12:53 PM Michel van der List wrote:
>
> (Grumble. Thunderbird really doesn't like plain text, my apologies if this
> comes out poorly).
>
> I guess I really just figured since I did the login dance already, I just
> need to coerce openconnect (somehow) with the data in that XML file.
>
> Perhaps I did not make this very clear in the original post, I actually
> have this automated with some silly python and zenity, so I was hoping the
> last step would just be 'run openconnect passing this XML/data/whatever'.
>
> OK, I'll take another look at the gp-saml-gui code to see how it performs
> that last step, or uses the script.
>
> Thanks, Michel
>
> On 5/21/20 3:05 PM, Daniel Lenski wrote:
> > Michel wrote:
> >> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
> >> in the user=j...@example.com and prelogin-cookie=C4xyzzyxyzzy...
> >> which gives me a big XML file, which includes towards the end
> >> ABCAverylargestringindeed=
> >> empty
> >> XyzzYAShorterstring==
> >
> > Quite honestly, count me as impressed that you managed to do the whole
> > SAML authentication "by hand." (It's a confusing pain, isn't it?)
> >
> > Since you clearly know what you're doing here more than most users who
> > attempt it, hopefully you'll be able to give us some insightful
> > feedback on what does/doesn't work in the scripts that automate this…
> > :-D
> >
> >> But now I'm stuck. What magic incarnation of the openconnect command
> >> line do I use now?
> >
> > OpenConnect doesn't (yet) have the ability to handle the SAML
> > authentication by itself, so you need a helper script.
> >
> > I'm partial to https://github.com/dlenski/gp-saml-gui/ because (a) it
> > can log what it's doing in a way that makes sense to the OpenConnect
> > developers and (b) it uses the same output format as `openconnect
> > --authenticate`, and (c) I wrote it, whence (a).
> >
> > There are several more GUI-friendly wrappers too. I'd recommend
> > @yuezk's https://github.com/yuezk/GlobalProtect-openconnect
> >
> > -Dan
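Two things go wrong in this thread: a reversed --usergroup (prelogin-cookie:gateway instead of gateway:prelogin-cookie), and a prelogin cookie obtained through the portal's /global-protect/prelogin.esp being handed to the gateway, which expects one from /ssl-vpn/prelogin.esp. The helper below is an added example, not code from openconnect or gp-saml-gui, that checks both before building the openconnect command line; the prelogin paths and cookie types are those named in the thread, while the `<prelogin-cookie>` element in the SAML ACS response body and the sample body are assumptions.

```python
"""Added example (not openconnect's or gp-saml-gui's code): pick a valid
openconnect --usergroup for a GlobalProtect SAML hand-off and refuse a
reversed --usergroup or a prelogin-cookie whose origin (portal vs gateway
prelogin URL) does not match the stage it is being sent to. The
<prelogin-cookie> element in the ACS response body is an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Which GP endpoint a prelogin URL belongs to (both paths appear in the thread).
PRELOGIN_PATH = {
    "portal": "/global-protect/prelogin.esp",
    "gateway": "/ssl-vpn/prelogin.esp",
}
COOKIE_TYPES = ("prelogin-cookie", "portal-userauthcookie")

# Constructed stand-in for an ACS response body (real ones carry more fields).
SAMPLE_ACS_BODY = ("<prelogin-response><saml-auth-status>Login Successful!"
                   "</saml-auth-status><prelogin-cookie>C4xyzzyxyzzy"
                   "</prelogin-cookie></prelogin-response>")

def stage_from_prelogin_url(url):
    """Return 'portal' or 'gateway' according to which prelogin.esp was used."""
    path = urlsplit(url).path
    for stage, prelogin_path in PRELOGIN_PATH.items():
        if path == prelogin_path:
            return stage
    raise ValueError("not a GlobalProtect prelogin URL: " + url)

def parse_usergroup(usergroup):
    """Validate '<stage>:<cookie-type>' and name the reversed form explicitly."""
    stage, _, cookie_type = usergroup.partition(":")
    if stage in COOKIE_TYPES and cookie_type in PRELOGIN_PATH:
        raise ValueError(f"--usergroup={usergroup} is backwards; use {cookie_type}:{stage}")
    if stage not in PRELOGIN_PATH or cookie_type not in COOKIE_TYPES:
        raise ValueError("unrecognised --usergroup: " + usergroup)
    return stage, cookie_type

def prelogin_cookie_from_acs(xml_text):
    """Pull the <prelogin-cookie> value out of the SAML ACS response body."""
    el = ET.fromstring(xml_text).find(".//prelogin-cookie")
    if el is None or not (el.text or "").strip():
        raise ValueError("SAML response carries no prelogin-cookie")
    return el.text.strip()

def openconnect_argv(prelogin_url, user, server, usergroup="gateway:prelogin-cookie"):
    """argv for openconnect; the cookie itself is piped to stdin, never put in argv."""
    stage, cookie_type = parse_usergroup(usergroup)
    origin = stage_from_prelogin_url(prelogin_url)
    if origin != stage:
        raise ValueError(f"cookie came from the {origin} prelogin URL, but --usergroup targets the {stage}")
    return ["openconnect", "--protocol=gp", "--passwd-on-stdin",
            f"--usergroup={stage}:{cookie_type}", f"--user={user}", server]
```

The cookie is deliberately kept out of argv (it would otherwise be visible in the process list); feed it on stdin as the thread's commands do.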
Re: openconnect with SAML and GlobalProtect
(Grumble. Thunderbird really doesn't like plain text, my apologies if this comes out poorly).

I guess I really just figured since I did the login dance already, I just need to coerce openconnect (somehow) with the data in that XML file.

Perhaps I did not make this very clear in the original post, I actually have this automated with some silly python and zenity, so I was hoping the last step would just be 'run openconnect passing this XML/data/whatever'.

OK, I'll take another look at the gp-saml-gui code to see how it performs that last step, or uses the script.

Thanks, Michel

On 5/21/20 3:05 PM, Daniel Lenski wrote:
> Michel wrote:
>> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
>> in the user=j...@example.com and prelogin-cookie=C4xyzzyxyzzy...
>> which gives me a big XML file, which includes towards the end
>> ABCAverylargestringindeed=
>> empty
>> XyzzYAShorterstring==
>
> Quite honestly, count me as impressed that you managed to do the whole
> SAML authentication "by hand." (It's a confusing pain, isn't it?)
>
> Since you clearly know what you're doing here more than most users who
> attempt it, hopefully you'll be able to give us some insightful
> feedback on what does/doesn't work in the scripts that automate this…
> :-D
>
>> But now I'm stuck. What magic incarnation of the openconnect command line do I use now?
>
> OpenConnect doesn't (yet) have the ability to handle the SAML
> authentication by itself, so you need a helper script.
>
> I'm partial to https://github.com/dlenski/gp-saml-gui/ because (a) it
> can log what it's doing in a way that makes sense to the OpenConnect
> developers and (b) it uses the same output format as `openconnect
> --authenticate`, and (c) I wrote it, whence (a).
>
> There are several more GUI-friendly wrappers too. I'd recommend
> @yuezk's https://github.com/yuezk/GlobalProtect-openconnect
>
> -Dan
Re: openconnect with SAML and GlobalProtect
Michel wrote:
> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
> in the user=j...@example.com and prelogin-cookie=C4xyzzyxyzzy...
> which gives me a big XML file, which includes towards the end
> ABCAverylargestringindeed=
> empty
> XyzzYAShorterstring==

Quite honestly, count me as impressed that you managed to do the whole SAML authentication "by hand." (It's a confusing pain, isn't it?)

Since you clearly know what you're doing here more than most users who attempt it, hopefully you'll be able to give us some insightful feedback on what does/doesn't work in the scripts that automate this… :-D

> But now I'm stuck. What magic incarnation of the openconnect command line do
> I use now?

OpenConnect doesn't (yet) have the ability to handle the SAML authentication by itself, so you need a helper script.

I'm partial to https://github.com/dlenski/gp-saml-gui/ because (a) it can log what it's doing in a way that makes sense to the OpenConnect developers and (b) it uses the same output format as `openconnect --authenticate`, and (c) I wrote it, whence (a).

There are several more GUI-friendly wrappers too. I'd recommend @yuezk's https://github.com/yuezk/GlobalProtect-openconnect

-Dan

On Thu, May 21, 2020 at 3:47 AM Michel wrote:
>
> Hi there. My place of employment recently deployed a Palo Alto
> GlobalProtect device. It's set up with SAML and Two-Factor
> authentication. Looking through a bunch of posts on the internet
> including:
> https://github.com/dlenski/openconnect/blob/globalprotect/PAN_GlobalProtect_protocol_doc.md
> https://github.com/dlenski/openconnect/issues/149
> https://github.com/dlenski/gp-saml-gui/
> http://www.infradead.org/openconnect/globalprotect.html
>
> I got to the point where I can go through the following:
>
> - Go to https://vpn.example.com/global-protect/prelogin.esp
> - Follow the login SAML trail back to https://vpn.example.com/SAML20/SP/ACS
>   + See the result in that response (formatted for readability):
>     Login Successful!
>
> - Go to https://vpn.example.com/global-protect/getconfig.esp, passing
>   in the user=j...@example.com and prelogin-cookie=C4xyzzyxyzzy...
>   which gives me a big XML file, which includes towards the end
>   ABCAverylargestringindeed=
>   empty
>   XyzzYAShorterstring==
>
> But now I'm stuck. What magic incarnation of the openconnect command
> line do I use now?
>
> I tried (with different cookies):
> cookie="ABCAverylargestringindeed="
> echo "$cookie" | \
> sudo openconnect --protocol=gp --usergroup portal:portal-userauthcookie \
> --user=j...@example.com vpn.example.com
>
> echo "$cookie" | \
> sudo openconnect --protocol=gp --user='j...@example.com' \
> --os=win --usergroup=prelogin-cookie:gateway \
> --passwd-on-stdin vpn.example.com
>
> But it seems to fail with 'Unexpected 512 result from server' and
> still want to go to
> 'POST https://vpn.example.com/global-protect/getconfig.esp'
>
> Sorry for the rather basic question, but I haven't found what to do next
> anywhere I looked.
>
> Thanks!
>
> Michel
openconnect with SAML and GlobalProtect
Hi there. My place of employment recently deployed a Palo Alto GlobalProtect device. It's set up with SAML and Two-Factor authentication. Looking through a bunch of posts on the internet including:

https://github.com/dlenski/openconnect/blob/globalprotect/PAN_GlobalProtect_protocol_doc.md
https://github.com/dlenski/openconnect/issues/149
https://github.com/dlenski/gp-saml-gui/
http://www.infradead.org/openconnect/globalprotect.html

I got to the point where I can go through the following:

- Go to https://vpn.example.com/global-protect/prelogin.esp
- Follow the login SAML trail back to https://vpn.example.com/SAML20/SP/ACS
  + See the result in that response (formatted for readability):
    Login Successful!

- Go to https://vpn.example.com/global-protect/getconfig.esp, passing
  in the user=j...@example.com and prelogin-cookie=C4xyzzyxyzzy...
  which gives me a big XML file, which includes towards the end
  ABCAverylargestringindeed=
  empty
  XyzzYAShorterstring==

But now I'm stuck. What magic incarnation of the openconnect command line do I use now?

I tried (with different cookies):

cookie="ABCAverylargestringindeed="
echo "$cookie" | \
sudo openconnect --protocol=gp --usergroup portal:portal-userauthcookie \
--user=j...@example.com vpn.example.com

echo "$cookie" | \
sudo openconnect --protocol=gp --user='j...@example.com' \
--os=win --usergroup=prelogin-cookie:gateway \
--passwd-on-stdin vpn.example.com

But it seems to fail with 'Unexpected 512 result from server' and still want to go to 'POST https://vpn.example.com/global-protect/getconfig.esp'

Sorry for the rather basic question, but I haven't found what to do next anywhere I looked.

Thanks!

Michel