Re: Complicated web login flows with Pulse Secure VPN
On Sun, Nov 4, 2018 at 11:55 AM David Woodhouse wrote:
>
> Remind me of those please. As I prepare for the 8.0 release it would be
> good to pull those in unless they're completely horrible hacks specific
> to your setup.
>

The second patch I mentioned was a pretty bad hack (especially after discussing it with Daniel Lenski). Worked for me but definitely not the right solution. The issue is my work vpn used the same loginForm form ID for both password and stoken input. So there was no easy way to distinguish the two and I made an ugly hack that worked but results in failed login attempts as it tries the token id as the password field.

I'll re-send the stoken patch request and add you to the thread so you can see that one.

>
> It's been talked about, repeatedly :)
>
> The first step is to add a 'webview' callback method which the GUI
> authentications can implement, which bypasses the current hackish HTML
> screen-scraping. That much is relatively easy, in fact, but then we'd
> need to do the WebKitGtk stuff inside the NetworkManager auth-dialog
> for GNOME and KDE, etc.
>
> If there's a volunteer for the latter, I could certainly put together
> the former. I'm just not that keen on throwing together the API change
> for the webview callback without properly testing it.

I'd definitely be interested, but I haven't done any C/C++ programming in nearly 2 decades now :) If I get some time on this I might try to dust off the rust and see how I can do with it, but I'm not counting on making any real headway at least not soon.

If I get some serious time I'll let you know.

Thanks for the info,
Andy

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: Complicated web login flows with Pulse Secure VPN
On Tue, 2018-10-30 at 16:54 -0500, Andy Wang wrote:
> I was, up until very recently, using openconnect and
> NetworkManager-openconnect to connect to my work VPN. I had a private
> hack to make the stoken stuff work (it was submitted in an email on
> this list) as well as another hack to deal with our token form not
> having the same expected form type.

Remind me of those please. As I prepare for the 8.0 release it would be good to pull those in unless they're completely horrible hacks specific to your setup.

> A couple of weeks ago we moved to a whole new login flow, where we now
> are redirected to a saml login page for authentication and then
> prompted to choose one of two types of MFA access - token code or
> mobile application notification based.
>
> With the more complicated flow I've had to switch back to the pulse
> secure client which embeds a webkitgtk UI to handle those flows.
>
> Just curious but is there anyone working on some similar flow support
> with NetworkManager-openconnect? I'm guessing that this type of
> authentication is way outside of the scope of openconnect's built in
> html client. (Pulse Secure's cli client can't handle this login flow
> either).

It's been talked about, repeatedly :)

The first step is to add a 'webview' callback method which the GUI authentications can implement, which bypasses the current hackish HTML screen-scraping. That much is relatively easy, in fact, but then we'd need to do the WebKitGtk stuff inside the NetworkManager auth-dialog for GNOME and KDE, etc.

If there's a volunteer for the latter, I could certainly put together the former. I'm just not that keen on throwing together the API change for the webview callback without properly testing it.

Complicated web login flows with Pulse Secure VPN
I was, up until very recently, using openconnect and NetworkManager-openconnect to connect to my work VPN. I had a private hack to make the stoken stuff work (it was submitted in an email on this list) as well as another hack to deal with our token form not having the same expected form type.

A couple of weeks ago we moved to a whole new login flow, where we now are redirected to a saml login page for authentication and then prompted to choose one of two types of MFA access - token code or mobile application notification based.

With the more complicated flow I've had to switch back to the pulse secure client which embeds a webkitgtk UI to handle those flows.

Just curious but is there anyone working on some similar flow support with NetworkManager-openconnect? I'm guessing that this type of authentication is way outside of the scope of openconnect's built in html client. (Pulse Secure's cli client can't handle this login flow either).

Unfortunately I'm so removed from c/c++ programming that I wouldn't even know where to begin on something like this, but just wondering if there's anything on the horizon I can help with, even if it's just being able to test stuff.

Thanks,