From: Daniel Lenski Date: Mon, 25 Sep 2023 14:14:37 +0000 (-0700) Subject: Send 'cas-support=yes' in GlobalProtect prelogin request X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=026cd2d6aa18f7d2292b3993f64e37773e8a79dd;p=users%2Fdwmw2%2Fopenconnect.git Send 'cas-support=yes' in GlobalProtect prelogin request Per https://gitlab.com/openconnect/openconnect/-/issues/651, some newer GP servers are responding to prelogin.esp requests with an error: CAS is not supported by the client. Minimum client version is 6.0 It appears that CAS ("Central Authentication Server"; https://apereo.github.io/cas/index.html) is a standardized single-sign-on protocol requiring an external browser. Per https://gitlab.com/openconnect/openconnect/-/issues/651#note_1576596243, the field 'cas-support=yes' needs to be sent in the POST *body* of the prelogin request, in order to avoid this error message; the error message's claim that a specific client software version is necessary isn't very helpful. Signed-off-by: Daniel Lenski --- diff --git a/auth-globalprotect.c b/auth-globalprotect.c index c09fddee..feed3c93 100644 --- a/auth-globalprotect.c +++ b/auth-globalprotect.c @@ -646,7 +646,10 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login } } /* submit prelogin request to get form */ - result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, NULL, HTTP_REDIRECT); + buf_truncate(request_body); + if (!vpninfo->no_external_auth) + buf_append(request_body, "cas-support=yes"); + result = do_https_request(vpninfo, "POST", "application/x-www-form-urlencoded", request_body, &xml_buf, NULL, HTTP_REDIRECT); if (!keep_urlpath) { free(vpninfo->urlpath); vpninfo->urlpath = orig_path;
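Review bot: in the lines added ahead of do_https_request() in gpst_login(), the no_external_auth case leaves request_body empty after buf_truncate(), yet the prelogin POST now always declares "application/x-www-form-urlencoded" and passes that empty buffer, where the old call passed NULL, NULL. Either pass NULL for both the content type and the body when nothing was appended, or confirm that an empty buffer yields the same request on the wire as before, so that users who disable external auth see no behaviour change from this patch. No buf_error(request_body) check is visible between buf_append() and the request; if request_body is not validated elsewhere in the function, add one here. The reason for sending 'cas-support=yes' is recorded only in the commit message, so a one-line comment above the buf_append() pointing at issue 651 would keep the rationale next to the code. The new do_https_request() line is also long enough that it would read better wrapped.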