
Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"


Antonio

Dec 12, 2021, 3:10:03 AM

Package: openconnect
Version: 8.10-3
Severity: normal

Dear Maintainer,
after the recent OpenConnect update, it now correctly detects the authgroups available on a server that uses double SSO SAML authentication (protocol anyconnect), but if I try connecting it returns the warning:

$ openconnect --authgroup=mygroup myserver

POST XML abilitato
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to obtain WebVPN cookie

If I include the "os" parameter on the command line (with "linux", "apple-ios" or "android"):

$ openconnect --authgroup=mygroup --os=linux myserver

the server goes into a LOOP, asking for username and password.

If I indicate another OS, instead, I get the previous warning message.

Thanks,
Antonio


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (700, 'unstable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.7-custom (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to it_IT.UTF-8), LANGUAGE=it
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openconnect depends on:
ii  libc6            2.32-5
ii  libgnutls30      3.7.2-2
ii  libopenconnect5  8.10-3
ii  libproxy1v5      0.4.17-1
ii  libxml2          2.9.12+dfsg-5+b1
ii  vpnc-scripts     0.1~git20210402-1

Versions of packages openconnect recommends:
ii  python3             3.9.8-1
ii  python3-asn1crypto  1.4.0-1
ii  python3-mechanize   1:0.4.5-2
ii  python3-netifaces   0.11.0-1+b1


Luca Boccassi

Dec 12, 2021, 1:40:04 PM
On Sun, 12 Dec 2021 08:57:19 +0100 Antonio <antd...@gmail.com> wrote:
> Package: openconnect
> Version: 8.10-3
> Severity: normal
>
> Dear Maintainer,
> after the recent OpenConnect update, it now correctly detects the
> authgroups available on a server that uses double SSO SAML
> authentication (protocol anyconnect), but if I try connecting it returns
> the warning:
>
> $ openconnect --authgroup=mygroup myserver
>
> POST XML abilitato
> Please complete the authentication process in the AnyConnect Login
> window.
> No SSO handler
> Failed to obtain WebVPN cookie
>
> If I include the "os" parameter on the command line (with "linux",
> "apple-ios" or "android"):
>
> $ openconnect --authgroup=mygroup --os=linux myserver
>
> the server goes into a LOOP, asking for username and password.
>
> If I indicate another OS, instead, I get the previous warning message.
>
> Thanks,
> Antonio

The SAML auth flow needs a web browser, so this is intended to be used
together with network-manager-openconnect, where the GUI-side is
implemented. Give that a shot, it was uploaded a couple of hours ago so
it should be available soon.

--
Kind regards,
Luca Boccassi

Antonio

Dec 14, 2021, 3:10:04 AM
From the GUI interface I can now select the correct group in the ComboBox; however, when I try to access I get the same result: "No SSO handler".

----

POST https://myserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 14 Dec 2021 07:49:44 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
POST XML abilitato
POST https://myserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 14 Dec 2021 07:49:46 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
POST XML abilitato
No SSO handler

Luca Boccassi

Dec 14, 2021, 6:00:03 AM
Are you starting the VPN from Gnome's interface? Does the GTK browser
window pop up?

Antonio

Dec 14, 2021, 9:30:03 AM
> Are you starting the VPN from Gnome's interface?
No, I use Plasma KDE from Debian/sid

> Does the GTK browser window pop up?
No

If I try with the GNOME interface I get "No SSO handler" again.

It seems to be a protocol problem.


On 14/12/21 11:50, Luca Boccassi wrote:

Jérôme Pouiller

Dec 15, 2021, 12:10:04 PM
Before 8.10-3 I was able to connect to my VPN using gp-saml-gui[1]. It
would be great if we could keep compatibility with existing scripts.

[1]: https://github.com/dlenski/gp-saml-gui

--
Jérôme Pouiller

Antonio

Jan 3, 2022, 2:20:03 PM

Dear maintainer,
I tried the updated version of OpenConnect.

---

From the GNOME interface:

- When the VPN is active, the form for entering username and password appears.
- After providing access credentials I receive a notification from Microsoft Authenticator
- Having confirmed my identity via the authenticator, the "remain connected" form appears and I reply "yes"

The page is then shown:

"Cisco AnyConnect Secure Mobility Client"
"You have successfully authenticated. You may now close this browser tab"

Now the VPN should be active, but if I try from the terminal or browser I can't access the VPN network, despite having successfully executed all the steps.

If I close the browser page, as indicated, the network menu indicates that the VPN is off.

Or rather, I think it's never started.

The journal reports: "Final Secrets Request Failed to Provide Sufficient Secrets"

---

From the KDE interface:

- same configuration

- I can now select the correct AUTHGROUP

However, when I click on the "Access" button, the form to insert the credentials does not appear.

Unlike the GNOME interface, the log continues to report the message "No SSO Handler".

Thank you,
Antonio


On 31/12/21 01:34, Luca Boccassi wrote:
Control: tag -1 pending

Hello,

Bug #1001555 in openconnect reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/openconnect/-/commit/145c237a574d06f348d0147390f33b5993e5b52d

------------------------------------------------------------------------
Update SAML patch

Correctly detect termination on Anyconnect + Google SAML.
Also restore backward compatibility for legacy CLI based workflow.

Closes: #1001555

Gbp-Dch: full
------------------------------------------------------------------------

(this message was generated automatically)

Luca Boccassi

Jan 5, 2022, 12:00:03 PM
On Mon, 2022-01-03 at 20:08 +0100, Antonio wrote:
> Dear maintainer,
> I tried the updated version of OpenConnect.
>
> ---
>
> From the GNOME interface:
>
> - When the VPN is active, the form for entering username and
> password appears.
> - After providing access credentials I receive a notification from Microsoft
> Authenticator
> - Having confirmed my identity via the authenticator, the "remain connected" form
> appears and I reply "yes"
>
> The page is then shown:
>
> "Cisco AnyConnect Secure Mobility Client"
> "You have successfully authenticated. You may now close this browser
> tab"
>
> Now the VPN should be active, but if I try from the terminal or browser I
> can't access the VPN network, despite having successfully executed all the
> steps.
>
> If I close the browser page, as indicated, the network menu indicates
> that the VPN is off.
>
> Or rather, I think it's never started.
>
> The journal reports: "Final Secrets Request Failed to Provide Sufficient
> Secrets"

Strange - but not unexpected, these VPNs are terrible. I have reports
of users with AnyConnect and other SAML providers working fine with the
latest version.
There also was an unfixed issue with some newer AnyConnect servers that
was fixed with yesterday's upload, try and have a look if that makes a
difference.

If it doesn't, it sounds like you need to debug it to figure out where
it's going wrong - you can run the auth dialog in gdb and walk through
the code as such:

- install network-manager-openconnect-dbgsym network-manager-openconnect-gnome-dbgsym openconnect-dbgsym libopenconnect5-dbgsym
- create a local script somewhere with something like:

#!/bin/bash
# "$@" is quoted so that arguments containing spaces reach the auth dialog intact
gdbserver localhost:12345 /usr/lib/NetworkManager/nm-openconnect-auth-dialog "$@"

- edit temporarily /usr/lib/NetworkManager/VPN/nm-openconnect-service.name and change auth-dialog to point to the script above

Then you'll be able to connect with gdb and debug as usual after
activating the VPN via the Gnome GUI.

> ---
>
> From the KDE interface:
>
> - same configuration
>
> - I can now select the correct AUTHGROUP
>
> However, when I click on the "Access" button, the form to insert the
> credentials does not appear.
>
> Unlike the GNOME interface, the log continues to report the
> message
> "No SSO Handler".
>
> Thank you,
> Antonio

As the message implies, KDE is not supported, nobody has done the work
to make it happen.

>
> Il 31/12/21 01:34, Luca Boccassi ha scritto:
> > Control: tag -1 pending
> >
> > Hello,
> >
> > Bug #1001555 in openconnect reported by you has been fixed in the
> > Git repository and is awaiting an upload. You can see the commit
> > message below and you can check the diff of the fix at:
> >
> > https://salsa.debian.org/debian/openconnect/-/commit/145c237a574d06f348d0147390f33b5993e5b52d
> >
> > -------------------------------------------------------------------
> > -----
> > Update SAML patch
> >
> > Correctly detect termination on Anyconnect + Google SAML.
> > Also restore backward compatibility for legacy CLI based workflow.
> >
> > Closes: #1001555
> >
> > Gbp-Dch: full
> > -------------------------------------------------------------------
> > -----
> >
> > (this message was generated automatically)

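The wrapper-and-rewrite procedure from the message above in a runnable form; this is an added example, not code from the thread, from NetworkManager or from openconnect. It assumes the .name file is INI-style with a single auth-dialog= key, and the wrapper path and gdbserver port are placeholders you can override through the environment.

```shell
#!/bin/sh
# Added example (not from the bug thread or the NetworkManager/openconnect
# projects): install a gdbserver wrapper around nm-openconnect-auth-dialog and
# point the .name file's auth-dialog= key at it, with a restore step.
# Assumption: the .name file is INI-style with one line starting "auth-dialog=".
set -eu

NAME_FILE="${NAME_FILE:-/usr/lib/NetworkManager/VPN/nm-openconnect-service.name}"
REAL_DIALOG="${REAL_DIALOG:-/usr/lib/NetworkManager/nm-openconnect-auth-dialog}"
WRAPPER="${WRAPPER:-/usr/local/sbin/nm-openconnect-auth-dialog-gdb}"  # hypothetical path
GDB_PORT="${GDB_PORT:-12345}"

# Write the wrapper script to $1. "$@" is quoted so every argument NetworkManager
# passes to the auth dialog is forwarded unchanged (an unquoted $@ splits on spaces).
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
exec gdbserver localhost:$GDB_PORT $REAL_DIALOG "\$@"
EOF
    chmod 0755 "$1"
}

# Point auth-dialog= in the .name file ($1) at $2, keeping a one-time .orig backup.
# Always rewrites from the backup, so repeated runs stay idempotent.
# Prints the value now in the file so the caller can verify the rewrite.
set_auth_dialog() {
    [ -f "$1.orig" ] || cp "$1" "$1.orig"
    sed "s|^auth-dialog=.*|auth-dialog=$2|" "$1.orig" > "$1"
    sed -n 's/^auth-dialog=//p' "$1"
}

# Undo set_auth_dialog: put the backup back and print the restored value.
restore_auth_dialog() {
    mv "$1.orig" "$1"
    sed -n 's/^auth-dialog=//p' "$1"
}

case "${1:-}" in
    apply)   write_wrapper "$WRAPPER"; set_auth_dialog "$NAME_FILE" "$WRAPPER" ;;
    restore) restore_auth_dialog "$NAME_FILE" ;;
esac
```

Run `apply` as root, activate the VPN from the GNOME GUI, then attach with `gdb -ex 'target remote localhost:12345'`; `restore` puts the original .name file back.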

Antonio

Jan 9, 2022, 12:50:03 PM
I did the test indicated on the GNOME interface, and I noticed that once I
installed the debug packages and updated the version of
OpenConnect/libopenconnect5 to 8.10-5, the VPN works and remains active.

To try, I removed the debug packages and downgraded the others to version
8.10-4, to return to the problem, but strangely it continued to work
(while before, with the same OpenConnect version installed, it didn't work).

As for Plasma/KDE, the desktop that I use, I opened a bug on Bugzilla
https://bugs.kde.org/show_bug.cgi?id=448153


On 05/01/22 17:54, Luca Boccassi wrote: