collective/nu-vpn-proxy
17
0
Fork 0
Code
5d9f17d8ee
nu-vpn-proxy/README-GP-SAML.md
Benjamin Mako Hill 2970f2c702 updated to new version fo gp-saml-gui and new api 
Apparently new versions of GP hav changed the SAML API some. The
openconnect command now requires --gateway so this has been added.

I haven't tested the general and http scripts but I assume they
work. Someone else should verify.
2023-06-28 12:42:28 -07:00

143 lines
5.3 KiB
Markdown
Raw Blame History

gp-saml-gui
===========
[![Test Workflow Status](https://github.com/dlenski/gp-saml-gui/workflows/build/badge.svg)](https://github.com/dlenski/gp-saml-gui/actions/workflows/test.yml)
Table of Contents
=================
* [Introduction](#introduction)
* [Installation](#installation)
* [First, non-Python Dependencies](#first-non-python-dependencies)
* [Second, gp-saml-gui itself](#second-gp-saml-gui-itself)
* [How to use](#how-to-use)
* [Extra arguments to OpenConnect](#extra-arguments-to-openconnect)
* [License](#license)
Introduction
============
This is a helper script to allow you to interactively login to a GlobalProtect VPN
that uses [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language)
authentication, so that you can subsequently connect with [OpenConnect](https://www.infradead.org/openconnect).
(The GlobalProtect protocol is supported in OpenConnect v8.0 or newer; v8.06+ is recommended.)
Interactive login is, unfortunately, sometimes a necessary alternative to automated
login via scripts such as
[zdave/openconnect-gp-okta](https://github.com/zdave/openconnect-gp-okta).
This script is known to work with many GlobalProtect VPNs using the major single-sign-on (SSO) providers:
- Okta (sign-in URLs typically `https://<company>.okta.com/login/*`)
- Microsoft (sign-in URLs typically `https://login.microsoftonline.com/*`)
Please search and file [issues](https://github.com/dlenski/gp-saml-gui/issues) if you can report success
or failure with other SSO SAML providers.
Installation
============
First, non-Python Dependencies
------------------------------
gp-saml-gui uses GTK, which requires Python 3 bindings.
On Debian / Ubuntu, these are packaged as `python3-gi`, `gir1.2-gtk-3.0`, and
`gir1.2-webkit2-4.0`:
```
$ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0
```
On Fedora (and possibly RHEL/CentOS) the matching libraries are packaged in
`python3-gobject`, `gtk3-devel`, and `webkit2gtk3-devel`:
```
$ sudo dnf install python3-gobject gtk3-devel webkit2gtk3-devel
```
On Arch Linux, the libraries are packaged in `gtk3`, `gobject-introspection`
and `webkit2gtk`:
```
$ sudo pacman -S gtk3 gobject-introspection webkit2gtk
```
Second, gp-saml-gui itself
--------------------------
Install gp-saml-gui itself using `pip`:
```
$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
...
$ gp-saml-gui
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
[--key KEY] [-v | -q] [-x | -P | -S] [-u]
[--clientos {Windows,Linux,Mac}] [-f EXTRA]
server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: the following arguments are required: server, openconnect_extra
```
How to use
==========
Specify the GlobalProtect server URL (portal or gateway) and optional
arguments, such as `--clientos=Windows` (because many GlobalProtect
servers don't require SAML login, but apparently omit it in their configuration
for OSes other than Windows).
This script will pop up a [GTK WebKit2 WebView](https://webkitgtk.org/) window
alongside your terminal window (see this [screenshot](screenshot.png)).
After you successfully complete the SAML login via web forms, the script will output
`HOST`, `USER`, `COOKIE`, and `OS` variables in a form that can be used by
[OpenConnect](http://www.infradead.org/openconnect/juniper.html)
(similar to the output of `openconnect --authenticate`):
```sh
$ eval $( gp-saml-gui --gateway --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': 'foo12345@corp.company.com', 'saml-slo': 'no', 'saml-auth-status': '1'}
SAML response converted to OpenConnect command line invocation:
echo 'blahblahblah' |
openconnect --protocol=gp --user='foo12345@corp.company.com' --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com
$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
foo12345@corp.company.com
blahblahblah
win
$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"
```
If you specify either the `-P`/`--pkexec-openconnect` or `-S`/`--sudo-openconnect` options, the script
will automatically invoke OpenConnect as described, using either [`pkexec` from Polkit](https://www.freedesktop.org/software/polkit/docs/0.106/polkit.8.html)
or [`sudo`](https://www.sudo.ws/), as specified.
# Extra Arguments to OpenConnect
Extra arguments needed for OpenConnect can be specified by adding ` -- ` to the command line, and then
appending these. For example:
```sh
$ gp-saml-gui -P --gateway --clientos=Windows vpn.company.com -- --csd-wrapper=hip-report.sh
Launching OpenConnect with pkexec, equivalent to:
echo blahblahblahlongrandomcookievalue |
sudo openconnect --protocol=gp --user=foo12345@corp.company.com --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com
<pkexec authentication dialog pops up>
<openconnect runs>
```
License
=======
GPLv3 or newer
View Git Blame Copy Permalink