gp-saml-gui

This is a helper script that lets you log in interactively to a GlobalProtect VPN that uses SAML authentication.

Interactive login is, unfortunately, sometimes a necessary alternative to automated login via scripts such as zdave/openconnect-gp-okta.

Installation

gp-saml-gui uses GTK and WebKit2 through their Python 3 GObject-introspection bindings.

On Debian / Ubuntu, these are packaged as python3-gi, gir1.2-gtk-3.0, and gir1.2-webkit2-4.0:

$ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0

Then, set up a virtual environment that can access these system packages, activate it, and install the Python dependencies:

$ virtualenv --python=python3 --system-site-packages venv
$ . venv/bin/activate
$ pip install requests

How to use

Specify the GlobalProtect server URL (portal or gateway) and any optional arguments, such as --clientos=Windows. Many GlobalProtect servers that require SAML login apparently omit it from the configuration they send to clients claiming an OS other than Windows, so the script may need to present itself as a Windows client before the server offers the SAML login at all.

The script pops up a GTK WebKit2 WebView window. After you successfully complete the SAML login via the web forms, the script prints HOST, USER, COOKIE, and OS variables in a form that OpenConnect can consume (similar to the output of openconnect --authenticate). The prelogin-cookie value in COOKIE stands in for your password in the openconnect invocation, so treat it as one:

$ eval $( gp-saml-gui.py --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.company.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': 'foo12345@corp.company.com', 'saml-slo': 'no', 'saml-auth-status': '1'}

SAML response converted to OpenConnect command line invocation:

    echo 'blahblahblah' |
        openconnect --protocol=gp --user='foo12345@corp.company.com' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com

$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
foo12345@corp.company.com
blahblahblah
win

$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"
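The conversion step shown above, from the SAML response headers to the HOST/USER/COOKIE/OS variables and the openconnect one-liner, as an added example. This is not gp-saml-gui's own code; the function names, the ValueError behaviour, the portal/gateway interface parameter and the mapping of --clientos values other than Windows are assumptions made here. The point it adds is the check a practitioner wants before running `eval $( ... )`: the username comes from the identity provider's SAML assertion, so it is shell-quoted rather than trusted, and nothing is emitted unless saml-auth-status says the login succeeded.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample, anonymized like the page's output: the header dict the
# GlobalProtect ACS endpoint answers with after a successful SAML login.
SAMPLE_HEADERS = {
    'prelogin-cookie': 'blahblahblah',
    'saml-username': 'foo12345@corp.company.com',
    'saml-slo': 'no',
    'saml-auth-status': '1',
}

# Assumed mapping from the GlobalProtect --clientos name to openconnect's --os
# value; the page itself only documents Windows -> win.
CLIENTOS_TO_OS = {'Windows': 'win', 'Linux': 'linux', 'Mac': 'mac-intel'}


def saml_headers_to_env(headers, server, interface='gateway', clientos='Windows'):
    """Build the HOST/USER/COOKIE/OS values from the SAML response headers.

    Raises ValueError instead of returning a partial result when the login
    failed or a header is missing, so nothing half-built ever reaches eval.
    """
    if headers.get('saml-auth-status') != '1':
        raise ValueError('SAML login did not succeed (saml-auth-status=%r)'
                         % headers.get('saml-auth-status'))
    if interface not in ('gateway', 'portal'):
        raise ValueError('interface must be gateway or portal, got %r' % interface)
    if clientos not in CLIENTOS_TO_OS:
        raise ValueError('unknown clientos %r' % clientos)
    missing = [k for k in ('prelogin-cookie', 'saml-username') if k not in headers]
    if missing:
        raise ValueError('SAML response lacks required header(s): %s' % ', '.join(missing))

    # Accept a bare hostname (as on the page) or a full portal/gateway URL.
    if '://' not in server:
        server = 'https://' + server
    parts = urlsplit(server)
    if parts.scheme != 'https' or not parts.hostname:
        raise ValueError('server must be an https:// URL or bare hostname, got %r' % server)

    return {
        # openconnect's GP "usergroup" path: interface plus the cookie type.
        'HOST': '%s://%s/%s:prelogin-cookie' % (parts.scheme, parts.netloc, interface),
        'USER': headers['saml-username'],
        'COOKIE': headers['prelogin-cookie'],
        'OS': CLIENTOS_TO_OS[clientos],
    }


def shell_exports(env):
    """Render the variables as one line that is safe for `eval $( ... )`.

    USER (and COOKIE) are server-supplied, so each value goes through
    shlex.quote: quotes, `;` or `$(...)` inside a value must be assigned
    verbatim by the shell, never executed.
    """
    return ' '.join('%s=%s' % (k, shlex.quote(env[k]))
                    for k in ('HOST', 'USER', 'COOKIE', 'OS'))


def openconnect_command(env):
    """The equivalent one-liner the page prints, with every argument quoted."""
    argv = ['openconnect', '--protocol=gp', '-u', env['USER'], '--os=' + env['OS'],
            '--passwd-on-stdin', env['HOST']]
    return 'echo %s | %s' % (shlex.quote(env['COOKIE']), ' '.join(map(shlex.quote, argv)))


if __name__ == '__main__':
    env = saml_headers_to_env(SAMPLE_HEADERS, 'vpn.company.com')
    print(shell_exports(env))
    print(openconnect_command(env))
```

Run it as-is to see the same HOST/USER/COOKIE/OS values the page's transcript shows; feed a username such as `bob'; touch /tmp/pwned #` through `shell_exports` to see it come out as a single quoted assignment rather than a second command.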

TODO

  • Packaging

License

GPLv3 or newer