www.infradead.org Git - users/dwmw2/openconnect.git/commit
Support AnyConnect single-sign-on-v2
author Steven Walter <stevenrwalter@gmail.com>
Wed, 18 Mar 2020 16:36:25 +0000 (12:36 -0400)
committer Luca Boccassi <bluca@debian.org>
Wed, 23 Feb 2022 19:22:53 +0000 (19:22 +0000)
commit 024336a8ddeb1754ae5e8fb18770e90c206070b1
tree c2cd9b84315a24c1113e1029ad97b4554b5bd56d
parent 03a3b9c76a9b6d0a65073b6bebbc1192e3445507
Support AnyConnect single-sign-on-v2

Advertise support for auth-method single-sign-on-v2.  This, combined
with not sending X-AnyConnect-Platform and X-Support-HTTP-Auth, allows
one to complete a web-based SSO authentication.  Server replies with a
response like:

    <?xml version="1.0" encoding="UTF-8"?>
    <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
    <opaque is-for="sg">
    <tunnel-group>standard-group</tunnel-group>
    <auth-method>single-sign-on-v2</auth-method>
    <group-alias>Anyconnect</group-alias>
    <config-hash>1584128676139</config-hash>
    </opaque>
    <auth id="main">
    <title>Login</title>
    <message>Please complete the authentication process in the AnyConnect Login window.</message>
    <banner></banner>
    <sso-v2-login>https://SERVER_NAME/+CSCOE+/saml/sp/login?tgname=standard-group&#x26;acsamlcap=v2</sso-v2-login>
    <sso-v2-login-final>https://SERVER_NAME/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
    <sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
    <sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
    <form>
    <input type="sso" name="sso-token"></input>
    <select name="group_list" label="GROUP:">
    <option selected="true">Anyconnect</option>
    </select>
    </form>
    </auth>
    </config-auth>

If either X-AnyConnect-Platform or X-Support-HTTP-Auth is present, then
this response is not received, and a 302 redirect to the "standard" auth
flow is given.  However, this auth flow does not work on my VPN server;
presumably it is administratively disabled.

Once you get the above response, you can open the URL from sso-v2-login
in an HTML viewer and complete the steps.  This requires an openconnect
front-end that supports the open_webview callback.  Eventually you end
up at the URL from sso-v2-login-final, and then you can extract the
cookie with the name in sso-v2-token-cookie-name (acSamlv2Token, in this
case).

Neither samlwebcookie nor openconnect-sso, mentioned in #84, worked for
me.

Signed-off-by: Steven Walter <steven@stevenwalter.org>
Co-authored-by: Luca Boccassi <luca.boccassi@microsoft.com>
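As an added illustration, not part of this commit or of OpenConnect's own code: a Python parser for the auth-request quoted above, plus the decision an open_webview front-end has to make on each page it lands on. It assumes the VPN hostname is passed in by the caller, checks that both sso-v2 URLs stay on that host over https so a tampered response cannot steer the webview (and the token) elsewhere, and only honours the token or error cookie once the sso-v2-login-final URL has been reached.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the auth-request quoted in the commit message, trimmed to
# the elements read below (SERVER_NAME is the commit message's own placeholder).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg"><auth-method>single-sign-on-v2</auth-method></opaque>
<auth id="main">
<sso-v2-login>https://SERVER_NAME/+CSCOE+/saml/sp/login?tgname=standard-group&#x26;acsamlcap=v2</sso-v2-login>
<sso-v2-login-final>https://SERVER_NAME/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
<form><input type="sso" name="sso-token"></input></form>
</auth></config-auth>"""

TAGS = {"login": "sso-v2-login", "final": "sso-v2-login-final",
        "token_cookie": "sso-v2-token-cookie-name",
        "error_cookie": "sso-v2-error-cookie-name"}

def parse_sso_v2(xml_text, vpn_host):
    """Extract the SSO-v2 parameters, refusing anything that is not an
    SSO-v2 auth-request with https URLs on the VPN host we connected to."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError("not an aggregate-auth auth-request")
    if root.findtext("opaque/auth-method") != "single-sign-on-v2":
        raise ValueError("server did not select single-sign-on-v2")
    params = {key: root.findtext("auth/" + tag) for key, tag in TAGS.items()}
    if not all(params.values()):
        raise ValueError("response lacks one of: " + ", ".join(TAGS.values()))
    for url in (params["login"], params["final"]):
        parts = urlsplit(url)  # .hostname is lower-cased, so compare likewise
        if parts.scheme != "https" or parts.hostname != vpn_host.lower():
            raise ValueError("refusing SSO URL off the VPN host: " + url)
    return params

def webview_result(params, current_url, cookies):
    """("pending", None) until the webview reaches sso-v2-login-final, then
    ("error", text) or ("token", value) from the named cookies; earlier pages
    (e.g. the IdP's own) never yield a token, whatever cookies they set."""
    final, now = urlsplit(params["final"]), urlsplit(current_url)
    if (now.scheme, now.hostname, now.path) != (final.scheme, final.hostname, final.path):
        return ("pending", None)
    if cookies.get(params["error_cookie"]):
        return ("error", cookies[params["error_cookie"]])
    if cookies.get(params["token_cookie"]):
        return ("token", cookies[params["token_cookie"]])
    return ("pending", None)
```

The token returned by webview_result is what goes into the form's `sso-token` input on the next config-auth round trip.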
auth.c
library.c
openconnect-internal.h
openconnect.h