
#1 2022-06-08 18:08:41

natervance
Member
Registered: 2017-04-20
Posts: 53

[SOLVED] Openconnect with SSO Authentication

Until recently, I've been using the AUR package openconnect-sso for connecting to my university's SSO authenticated Cisco Anyconnect VPN (for freedom/security reasons I consider Cisco's software a last resort). Unfortunately, it appears that upstream is stalled in that it hasn't been updated in about 6 months. As required modules can no longer be fulfilled using official packages (e.g., pyxdg<0.28,>=0.26), I'm looking for alternatives.

Poking around, it appears that the official openconnect now supports SSO authentication, although attempting to do so produces the following error (omitting some identifying information):

me@archbox ~ $ openconnect https://XXX --verbose
POST https://XXX
Attempting to connect to server YYY.YYY.YYY.YYY:443
Connected to YYY.YYY.YYY.YYY:443
SSL negotiation with XXX
Connected to HTTPS on XXX with ciphersuite (TLS1.2)-(DHE-CUSTOM2048)-(RSA-SHA512)-(AES-256-CBC)-(SHA256)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 08 Jun 2022 17:53:20 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to complete authentication

According to this thread, the SSO handler should work when used with NetworkManager, and so I configured the VPN connection in nm-connection-editor (set Gateway to https://XXX) and attempted to activate via nm-applet -> VPN Connections -> VPN NAME. The VPN host field has "https:" as the only option, and when clicking Connect, the log prints "No SSO handler" followed by most of the contents of the CLI verbose message above, ending with "XML POST enabled". Meanwhile the GUI reports "Please complete the authentication process in the AnyConnect Login window", making me believe that the GUI merely runs the CLI command and (sorta) parses the output.

Am I missing any required packages to make this work? Or do I need to somehow tell openconnect to use firefox as an SSO handler? Thanks for any help.

Last edited by natervance (2022-06-08 19:50:40)


#2 2022-06-08 18:23:20

progandy
Member
Registered: 2012-05-17
Posts: 5,258

Re: [SOLVED] Openconnect with SSO Authentication

I guess you'll have to use the development version of networkmanager-openconnect. There is no upstream release with the feature, Debian ships with patches. There is a PKGBUILD for a fork in the AUR called networkmanager-openconnect-useragent-git. You can either use that or modify it to build the upstream version (https://gitlab.gnome.org/GNOME/NetworkM … penconnect)

Another option seems to be globalprotect-openconnect instead of networkmanager.

Last edited by progandy (2022-06-08 18:26:17)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#3 2022-06-08 19:50:17

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [SOLVED] Openconnect with SSO Authentication

Thank you for your tips.

I attempted the networkmanager-openconnect-useragent-git route, which pops up the SSO window correctly and takes my username/password/TOTP token. However, the log and GUI both report "XML response has no "auth" node", and after a delay systemctl status NetworkManager reports "secrets: failed to request VPN secrets #3: No agents were available for this request." Suspecting an issue with gnome-keyring (which I've installed but am on i3), I verified that it's running:

me@archbox ~ $ ps ax | grep gnome-keyring
    617 ?        SLsl   0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
   4808 pts/1    S+     0:00 grep gnome-keyring

And it's started with .xinitrc:

me@archbox ~ $ cat ~/.xinitrc
eval $(/usr/bin/gnome-keyring-daemon --start)
export SSH_AUTH_SOCK
source /etc/X11/xinit/xinitrc.d/50-systemd-user.sh
xrdb -merge ~/.Xresources
exec i3

(Also, /etc/pam.d/login is modified as per the wiki article). I've also tried manually unlocking my keyring via seahorse, but receive the same error.

Switching approaches, I installed globalprotect-openconnect, but it segfaults when parsing the gateway response:

$ gpclient
2022-06-08 15:29:02.150 INFO  [6877] [main@24] GlobalProtect started, version: 1.4.7
2022-06-08 15:29:02.445 INFO  [6877] [GPClient::populateGatewayMenu@139] Populating the Switch Gateway menu...
2022-06-08 15:29:04.165 INFO  [6877] [GPClient::populateGatewayMenu@139] Populating the Switch Gateway menu...
2022-06-08 15:29:04.277 INFO  [6877] [GPClient::doConnect@244] Start connecting...
2022-06-08 15:29:04.278 INFO  [6877] [GPClient::doConnect@260] Start gateway login using the previously saved gateway...
2022-06-08 15:29:04.278 INFO  [6877] [GPClient::gatewayLogin@367] Performing gateway login...
2022-06-08 15:29:04.284 INFO  [6877] [GatewayAuthenticator::authenticate@33] Start gateway authentication...
2022-06-08 15:29:04.284 INFO  [6877] [GatewayAuthenticator::login@46] Trying to login the gateway at https://XXX/ssl-vpn/login.esp with prot=https%3A&server=&jnlpReady=jnlpReady&computer=archbox&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=&inputStr=
2022-06-08 15:29:04.494 INFO  [6877] [gpclient::helper::parseGatewayResponse@52] Start parsing the gateway response...
2022-06-08 15:29:04.494 INFO  [6877] [gpclient::helper::parseGatewayResponse@53] The gateway response is:
Segmentation fault (core dumped)

And so, my workaround is to resurrect openconnect-sso with a python virtualenv. Luckily pip was still able to resolve dependencies correctly:

python -m venv openconnect-sso
source openconnect-sso/bin/activate
pip install openconnect-sso
pip install pyqt5
pip install PyQtWebEngine
export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox" # see https://github.com/vlaci/openconnect-sso/issues/69
openconnect-sso

Marking as solved, albeit not in a satisfactory way.

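The virtualenv workaround above, wrapped as a small launcher (added here as an example; it is not from the thread or from the openconnect-sso project). It keeps the venv in one fixed directory, only runs pip when the entry point is missing, and passes the sandbox-disabling QTWEBENGINE flag to the openconnect-sso process alone instead of exporting it into the login shell. The directory name and function names are my own choices.

```bash
#!/usr/bin/env bash
# Hypothetical launcher for the openconnect-sso venv workaround described in the thread.
set -euo pipefail

# Assumed location for the dedicated virtualenv (override with SSO_VENV=...).
SSO_VENV="${SSO_VENV:-$HOME/.local/share/openconnect-sso-venv}"

# True when the venv already carries the openconnect-sso entry point.
sso_venv_ready() {
    [ -x "$1/bin/openconnect-sso" ]
}

# Create the venv once and install the same packages the thread installs.
# Uses the venv's own pip so nothing is installed into the system site-packages.
sso_venv_setup() {
    local dir="$1"
    if sso_venv_ready "$dir"; then
        return 0
    fi
    python -m venv "$dir"
    "$dir/bin/pip" install openconnect-sso pyqt5 PyQtWebEngine
}

# Print the argv that will be exec'd, one element per line. env(1) sets
# QTWEBENGINE_CHROMIUM_FLAGS for this child only, so the --no-sandbox setting
# (needed per vlaci/openconnect-sso issue 69) never leaks into the session.
sso_cmdline() {
    local dir="$1"
    shift
    printf '%s\n' env "QTWEBENGINE_CHROMIUM_FLAGS=--no-sandbox" \
        "$dir/bin/openconnect-sso" "$@"
}

# Set up the venv if needed, then replace this shell with openconnect-sso.
sso_run() {
    sso_venv_setup "$SSO_VENV"
    exec env "QTWEBENGINE_CHROMIUM_FLAGS=--no-sandbox" \
        "$SSO_VENV/bin/openconnect-sso" "$@"
}
```

Run it as `sso_run --server https://XXX` after sourcing the file; pass the same arguments you would give openconnect-sso.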

#4 2022-06-08 20:22:13

progandy
Member
Registered: 2012-05-17
Posts: 5,258

Re: [SOLVED] Openconnect with SSO Authentication

One thing you can try with the networkmanager plugin fork is setting the user agent to "AnyConnect Linux_64 4.7.00136".


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#5 2022-06-09 13:44:22

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [SOLVED] Openconnect with SSO Authentication

That unfortunately didn't work for me either, but that's a good idea!


#6 2022-08-19 12:39:28

burny02
Member
Registered: 2021-07-01
Posts: 114

Re: [SOLVED] Openconnect with SSO Authentication

I think I'm in the same boat as you with the SSO handler.

With globalprotect-openconnect I'm getting the same error.

Can't build networkmanager-openconnect-useragent-git, as webkit is a different version.

Did you manage to make any progress on this?


#7 2023-02-06 06:04:28

Severmateus
Member
Registered: 2023-02-06
Posts: 1

Re: [SOLVED] Openconnect with SSO Authentication

You can overcome the SSO Authentication using aur/networkmanager-openconnect-useragent-git and aur/openconnect-git.

Last edited by Severmateus (2023-02-06 06:06:20)


#8 2024-04-03 14:15:01

jal
Member
Registered: 2015-04-23
Posts: 37

Re: [SOLVED] Openconnect with SSO Authentication

pipx worked for me:
https://pypi.org/project/openconnect-sso

Cue mods Necrobump closing in 3..2..
