Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2022-01-09 Thread Antonio
I did the test indicated on the Gnome interface. I noticed that once you
install the debug packages and update the version of
OpenConnect/libopenconnect5 to 8.10-5, the VPN works and remains active.


As a test, I removed the debug packages and downgraded the others to version
8.10-4, to get back to the problem, but strangely it continued to work
(while before, with the same OpenConnect version installed, it didn't work).


As for Plasma/KDE, the desktop that I use, I opened a bug on Bugzilla 
https://bugs.kde.org/show_bug.cgi?id=448153



On 05/01/22 17:54, Luca Boccassi wrote:
> On Mon, 2022-01-03 at 20:08 +0100, Antonio wrote:
> > Dear maintainer,
> > I tried the updated version of OpenConnect.
> > 
> > ---
> > 
> > From GNOME interface:
> > 
> > - When the VPN is active, the form for the insertion of username and
> > password appears.
> > - After providing access credentials I receive a notification from Microsoft
> > Authenticator
> > - After confirming my identity via the authenticator, the "remain connected" form
> > appears and I reply "yes"
> > 
> > The page is then shown:
> > 
> > "Cisco AnyConnect Secure Mobility Client"
> > "You have successfully authenticated. You may now close this browser
> > tab"
> > 
> > Now the VPN should be active but if I try from terminal or browser I
> > can't access the VPN network, despite having successfully executed all
> > the steps.
> > 
> > If I close the browser page, as indicated, the network menu indicates
> > that the VPN is off.
> > 
> > Or rather, I think it's never started.
> > 
> > Journal reports: "Final Secrets Request Failed to Provide Sufficient
> > Secrets"
> 
> Strange - but not unexpected, these VPNs are terrible. I have reports
> of users with AnyConnect and other SAML providers working fine with the
> latest version.
> There also was an unfixed issue with some newer AnyConnect servers that
> was fixed with yesterday's upload, try and have a look if that makes a
> difference.
> 
> If it doesn't, it sounds like you need to debug it to figure out where
> it's going wrong - you can run the auth dialog in gdb and walk through
> the code as such:
> 
> - install network-manager-openconnect-dbgsym
>   network-manager-openconnect-gnome-dbgsym openconnect-dbgsym
>   libopenconnect5-dbgsym
> - create a local script somewhere with something like:
> 
> #!/bin/bash
> gdbserver localhost:12345 /usr/lib/NetworkManager/nm-openconnect-auth-dialog "$@"
> 
> - edit temporarily /usr/lib/NetworkManager/VPN/nm-openconnect-service.name
>   and change auth-dialog to point to the script above
> 
> Then you'll be able to connect with gdb and debug as usual after
> activating the VPN via the Gnome GUI.
> 
> > ---
> > 
> > From KDE interface:
> > 
> > - same configuration
> > 
> > - I can now select correct AUTHGROUP
> > 
> > However, when I click on the "Access" button, the form does not
> > appear to insert the credentials.
> > 
> > Unlike the GNOME interface, the log continues to report the
> > message "No SSO Handler".
> > 
> > Thank you,
> > Antonio
> 
> As the message implies, KDE is not supported, nobody has done the work
> to make it happen.
> 
> > On 31/12/21 01:34, Luca Boccassi wrote:
> > > Control: tag -1 pending
> > > 
> > > Hello,
> > > 
> > > Bug #1001555 in openconnect reported by you has been fixed in the
> > > Git repository and is awaiting an upload. You can see the commit
> > > message below and you can check the diff of the fix at:
> > > 
> > > https://salsa.debian.org/debian/openconnect/-/commit/145c237a574d06f348d0147390f33b5993e5b52d
> > > 
> > > ----
> > > Update SAML patch
> > > 
> > > Correctly detect termination on Anyconnect + Google SAML.
> > > Also restore backward compatibility for legacy CLI based workflow.
> > > 
> > > Closes: #1001555
> > > 
> > > Gbp-Dch: full
> > > ----
> > > 
> > > (this message was generated automatically)




Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2022-01-05 Thread Luca Boccassi
On Mon, 2022-01-03 at 20:08 +0100, Antonio wrote:
> Dear maintainer,
> I tried the updated version of OpenConnect.
> 
> ---
> 
>  From GNOME interface:
> 
> - When the VPN is active, the form for the insertion of username and 
> password appears.
> - After providing access credentials I receive a notification from Microsoft
> Authenticator
> - After confirming my identity via the authenticator, the "remain connected" form
> appears and I reply "yes"
> 
> The page is then shown:
> 
> "Cisco AnyConnect Secure Mobility Client"
> "You have successfully authenticated. You may now close this browser
> tab"
> 
> Now the VPN should be active but if I try from terminal or browser I
> can't access the VPN network, despite having successfully executed all
> the steps.
> 
> If I close the browser page, as indicated, the network menu indicates
> that the VPN is off.
> 
> Or rather, I think it's never started.
> 
> Journal reports: "Final Secrets Request Failed to Provide Sufficient 
> Secrets"

Strange - but not unexpected, these VPNs are terrible. I have reports
of users with AnyConnect and other SAML providers working fine with the
latest version.
There also was an unfixed issue with some newer AnyConnect servers that
was fixed with yesterday's upload, try and have a look if that makes a
difference.

If it doesn't, it sounds like you need to debug it to figure out where
it's going wrong - you can run the auth dialog in gdb and walk through
the code as such:

- install network-manager-openconnect-dbgsym
  network-manager-openconnect-gnome-dbgsym openconnect-dbgsym
  libopenconnect5-dbgsym
- create a local script somewhere with something like:

#!/bin/bash
gdbserver localhost:12345 /usr/lib/NetworkManager/nm-openconnect-auth-dialog "$@"

- edit temporarily /usr/lib/NetworkManager/VPN/nm-openconnect-service.name
  and change auth-dialog to point to the script above

Then you'll be able to connect with gdb and debug as usual after
activating the VPN via the Gnome GUI.

> ---
> 
>  From KDE interface:
> 
> - same configuration
> 
> - I can now select correct AUTHGROUP
> 
> However, when I click on the "Access" button, the form does not
> appear to insert the credentials.
> 
> Unlike the GNOME interface, the log continues to report the
> message "No SSO Handler".
> 
> Thank you,
> Antonio

As the message implies, KDE is not supported, nobody has done the work
to make it happen.

> 
> On 31/12/21 01:34, Luca Boccassi wrote:
> > Control: tag -1 pending
> > 
> > Hello,
> > 
> > Bug #1001555 in openconnect reported by you has been fixed in the
> > Git repository and is awaiting an upload. You can see the commit
> > message below and you can check the diff of the fix at:
> > 
> > https://salsa.debian.org/debian/openconnect/-/commit/145c237a574d06f348d0147390f33b5993e5b52d
> > 
> > ----
> > Update SAML patch
> > 
> > Correctly detect termination on Anyconnect + Google SAML.
> > Also restore backward compatibility for legacy CLI based workflow.
> > 
> > Closes: #1001555
> > 
> > Gbp-Dch: full
> > ----
> > 
> > (this message was generated automatically)

-- 
Kind regards,
Luca Boccassi


signature.asc
Description: This is a digitally signed message part
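The gdbserver procedure from the message above (wrapper script, temporary edit of the .name file, revert when done), collected into one script. This is an added example and not code from the bug thread, from the openconnect project or from the Debian package; it assumes the service file carries an ini-style `auth-dialog=` key as Debian's nm-openconnect-service.name does, and the wrapper location, the `.orig` backup suffix and the port are arbitrary choices of this example.

```shell
#!/bin/bash
# Added example, not from the bug thread: automate the three manual steps
# from the message above (wrapper script, edit of the .name file, revert).
# Assumptions: the service file carries an ini-style "auth-dialog=" key as
# Debian's nm-openconnect-service.name does; WRAPPER, GDB_PORT and the
# ".orig" backup suffix are arbitrary choices, not anything the plugin defines.

REAL_DIALOG="/usr/lib/NetworkManager/nm-openconnect-auth-dialog"
SERVICE_NAME="${SERVICE_NAME:-/usr/lib/NetworkManager/VPN/nm-openconnect-service.name}"
WRAPPER="${WRAPPER:-/usr/local/lib/nm-openconnect-auth-dialog-gdb}"
GDB_PORT="${GDB_PORT:-12345}"

# Write a wrapper that runs the real auth dialog under gdbserver, forwarding
# the arguments NetworkManager passes to the dialog unchanged.
write_wrapper() {
    local path="$1"
    cat > "$path" <<EOF
#!/bin/bash
exec gdbserver localhost:${GDB_PORT} ${REAL_DIALOG} "\$@"
EOF
    chmod 0755 "$path"
}

# Point auth-dialog= at the wrapper, keeping a .orig copy of the file the
# first time so the edit can be undone with restore_service.
patch_service() {
    local file="$1" wrapper="$2"
    if [ ! -f "$file.orig" ]; then
        cp -p "$file" "$file.orig"
    fi
    sed "s|^auth-dialog=.*|auth-dialog=${wrapper}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Print the current auth-dialog target (empty if the key is absent).
auth_dialog_of() {
    sed -n 's/^auth-dialog=//p' "$1"
}

# Put the original .name file back.
restore_service() {
    local file="$1"
    if [ -f "$file.orig" ]; then
        mv "$file.orig" "$file"
    fi
}

case "${1:-}" in
    --apply)
        write_wrapper "$WRAPPER"
        patch_service "$SERVICE_NAME" "$WRAPPER"
        echo "auth-dialog now runs: $(auth_dialog_of "$SERVICE_NAME")"
        echo "activate the VPN in the GUI, then attach with:"
        echo "  gdb -ex 'target remote localhost:${GDB_PORT}' ${REAL_DIALOG}"
        ;;
    --restore)
        restore_service "$SERVICE_NAME"
        ;;
esac
```

Run it with `--apply` (as root, since it edits a file under /usr/lib and installs the wrapper) before activating the VPN, attach gdb to the port it prints, and run `--restore` afterwards so the plugin is not left launching its auth dialog through gdbserver on a listening TCP port.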


Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2022-01-03 Thread Antonio

Dear maintainer,
I tried the updated version of OpenConnect.

---

From GNOME interface:

- When the VPN is active, the form for the insertion of username and 
password appears.
- After providing access credentials I receive a notification from Microsoft
Authenticator
- After confirming my identity via the authenticator, the "remain connected" form
appears and I reply "yes"


The page is then shown:

"Cisco AnyConnect Secure Mobility Client"
"You have successfully authenticated. You may now close this browser tab"

Now the VPN should be active but if I try from terminal or browser I
can't access the VPN network, despite having successfully executed all the steps.


If I close the browser page, as indicated, the network menu indicates 
that the VPN is off.


Or rather, I think it's never started.

Journal reports: "Final Secrets Request Failed to Provide Sufficient 
Secrets"


---

From KDE interface:

- same configuration

- I can now select correct AUTHGROUP

However, when I click on the "Access" button, the form does not appear 
to insert the credentials.


Unlike the GNOME interface, the log continues to report the message
"No SSO Handler".


Thank you,
Antonio


On 31/12/21 01:34, Luca Boccassi wrote:
> Control: tag -1 pending
> 
> Hello,
> 
> Bug #1001555 in openconnect reported by you has been fixed in the
> Git repository and is awaiting an upload. You can see the commit
> message below and you can check the diff of the fix at:
> 
> https://salsa.debian.org/debian/openconnect/-/commit/145c237a574d06f348d0147390f33b5993e5b52d
> 
> ----
> Update SAML patch
> 
> Correctly detect termination on Anyconnect + Google SAML.
> Also restore backward compatibility for legacy CLI based workflow.
> 
> Closes: #1001555
> 
> Gbp-Dch: full
> ----
> 
> (this message was generated automatically)

Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2021-12-14 Thread Antonio

> Are you starting the VPN from Gnome's interface?

No, I use Plasma KDE from Debian/sid.


> Does the GTK browser window pop up?

No.

If I try with the Gnome interface I get "No SSO handler" again.

It seems to be a protocol problem.


On 14/12/21 11:50, Luca Boccassi wrote:
> > No SSO handler
> Are you starting the VPN from Gnome's interface? Does the GTK browser
> window pop up?





Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2021-12-14 Thread Luca Boccassi
On Tue, 2021-12-14 at 08:57 +0100, Antonio wrote:
> From GUI interface I can now select the correct group in the
> ComboBox, however when I try to access I get the same result: "No SSO
> handler".
> 
> 
> 
> POST https://myserver/
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/xml; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-store
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Tue, 14 Dec 2021 07:49:44 GMT
> X-Frame-Options: SAMEORIGIN
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1
> Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> POST XML abilitato
> POST https://myserver/
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/xml; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-store
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Tue, 14 Dec 2021 07:49:46 GMT
> X-Frame-Options: SAMEORIGIN
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1
> Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> POST XML abilitato
> No SSO handler

Are you starting the VPN from Gnome's interface? Does the GTK browser
window pop up?

-- 
Kind regards,
Luca Boccassi


signature.asc
Description: This is a digitally signed message part


Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2021-12-14 Thread Antonio
From GUI interface I can now select the correct group in the ComboBox,
however when I try to access I get the same result: "No SSO handler".



POST https://myserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 14 Dec 2021 07:49:44 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
POST XML abilitato
POST https://myserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 14 Dec 2021 07:49:46 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
POST XML abilitato
No SSO handler


Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2021-12-12 Thread Luca Boccassi
On Sun, 12 Dec 2021 08:57:19 +0100 Antonio wrote:
> Package: openconnect
> Version: 8.10-3
> Severity: normal
> 
> Dear Maintainer,
> after the recent OpenConnect update, it now correctly detects the
> authgroups available on a server that uses double SSO SAML
> authentication (protocol anyconnect), but if I try connecting it returns
> the warning:
> 
> $ openconnect --authgroup=mygroup myserver
> 
> POST XML abilitato
> Please complete the authentication process in the AnyConnect Login window.
> No SSO handler
> Failed to obtain WebVPN cookie
> 
> If I include the "os" parameter in the command line (with: "linux", 
> "apple-ios" or "android"):
> 
> $ openconnect --authgroup=mygroup --os=linux myserver
> 
> the server goes into a LOOP by asking for username and password.
> 
> If I indicate another OS, instead, I get the previous warning message.
> 
> Thanks,
> Antonio

The SAML auth flow needs a web browser, so this is intended to be used
together with network-manager-openconnect, where the GUI-side is
implemented. Give that a shot, it was uploaded a couple of hours ago so
it should be available soon.

-- 
Kind regards,
Luca Boccassi


signature.asc
Description: This is a digitally signed message part


Bug#1001555: openconnect: can't connect to server that use SSO SAML with protocol "anyconnect"

2021-12-12 Thread Antonio

Package: openconnect
Version: 8.10-3
Severity: normal

Dear Maintainer,
after the recent OpenConnect update, it now correctly detects the
authgroups available on a server that uses double SSO SAML
authentication (protocol anyconnect), but if I try connecting it returns
the warning:


$ openconnect --authgroup=mygroup myserver

POST XML abilitato
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to obtain WebVPN cookie

If I include the "os" parameter in the command line (with: "linux", 
"apple-ios" or "android"):


$ openconnect --authgroup=mygroup --os=linux myserver

the server goes into a LOOP by asking for username and password.

If I indicate another OS, instead, I get the previous warning message.

Thanks,
Antonio


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (700, 'unstable'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'stable'), (100, 'experimental')

Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.7-custom (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) (ignored: 
LC_ALL set to it_IT.UTF-8), LANGUAGE=it

Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openconnect depends on:
ii  libc6    2.32-5
ii  libgnutls30  3.7.2-2
ii  libopenconnect5  8.10-3
ii  libproxy1v5  0.4.17-1
ii  libxml2  2.9.12+dfsg-5+b1
ii  vpnc-scripts 0.1~git20210402-1

Versions of packages openconnect recommends:
ii  python3 3.9.8-1
ii  python3-asn1crypto  1.4.0-1
ii  python3-mechanize   1:0.4.5-2
ii  python3-netifaces   0.11.0-1+b1