On Thu, Jul 21, 2022 at 3:04 AM Iseli Christian <christian.is...@epfl.ch> wrote:
> The university of Lausanne recently introduced 2-factor authentication for
> its VPN, and since then my working openconnect setup is failing with this
> error :
>
> Unknown form (name 'form1', id '(null)')
> Dumping unknown HTML form:
> <form name="form1" action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1"
> method="post">
> <input name="shib_idp_ls_exception.shib_idp_session_ss" type="hidden">
> <input name="shib_idp_ls_success.shib_idp_session_ss" type="hidden"
> value="false">
> <input name="shib_idp_ls_value.shib_idp_session_ss" type="hidden">
> <input name="shib_idp_ls_exception.shib_idp_persistent_ss"
> type="hidden">
> <input name="shib_idp_ls_success.shib_idp_persistent_ss"
> type="hidden" value="false">
> <input name="shib_idp_ls_value.shib_idp_persistent_ss" type="hidden">
> <input name="shib_idp_ls_supported" type="hidden">
> <input name="_eventId_proceed" type="hidden">
> <noscript>
> <input type="submit" value="Continue">
> </noscript>
> </form>Failed to complete authentication
>
> The authentication seems to now be "provided" through the eduid
> infrastructure of switch.ch through a shibboleth framework, if that rings a
> bell to anyone...
>
> Should I just try to add a recognition for this form in the code and see what
> happens ?
>
> Thanks for your help, and kind regards,
> Christian

Hi Christian,

Which OpenConnect *protocol* are you using here? Juniper (--protocol=nc) or F5 (--protocol=f5) or Fortinet (--protocol=fortinet) are the ones that support HTML-based authentication, so most likely one of those.

Also, which version of the OpenConnect client? (openconnect --version)

If it's Juniper, then we've added some very rudimentary support for SSO/SAML in recent releases, but I'll wait to hear more details.

It does appear that this is a form which could be automatically bypassed, given that it contains only hidden fields, unless there's some modification via a JavaScript-based layer that we're not seeing in your log.

Dan

ps- Perhaps worth opening an issue at https://gitlab.com/openconnect/openconnect/issues. The mailing list is not very active anymore, as you've seen.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
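
The "only hidden fields" check discussed in the reply above can be done mechanically on the dumped form. The following is an added example, not part of either message and not OpenConnect's own code: it parses the form from the quoted log, confirms nothing in it needs user input, and builds the POST body a client would send. `FormScan` and `auto_submit_plan` are hypothetical names, and the sketch assumes no script alters the field values before submission.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Form as dumped in the quoted openconnect output (line wraps rejoined).
DUMPED_FORM = """<form name="form1" action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1" method="post">
<input name="shib_idp_ls_exception.shib_idp_session_ss" type="hidden">
<input name="shib_idp_ls_success.shib_idp_session_ss" type="hidden" value="false">
<input name="shib_idp_ls_value.shib_idp_session_ss" type="hidden">
<input name="shib_idp_ls_exception.shib_idp_persistent_ss" type="hidden">
<input name="shib_idp_ls_success.shib_idp_persistent_ss" type="hidden" value="false">
<input name="shib_idp_ls_value.shib_idp_persistent_ss" type="hidden">
<input name="shib_idp_ls_supported" type="hidden">
<input name="_eventId_proceed" type="hidden">
<noscript><input type="submit" value="Continue"></noscript>
</form>"""

class FormScan(HTMLParser):
    """Collect hidden fields; record every control that needs a human."""
    def __init__(self):
        super().__init__()
        self.action, self.method = None, "get"
        self.hidden, self.interactive, self.in_noscript = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.method = a.get("action"), (a.get("method") or "get").lower()
        elif tag == "noscript":
            self.in_noscript = True
        elif tag in ("select", "textarea", "button"):
            self.interactive.append(tag)
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":
                if a.get("name"):  # unnamed controls are never submitted
                    self.hidden.append((a["name"], a.get("value") or ""))
            elif not (kind == "submit" and self.in_noscript):
                # The <noscript> "Continue" button is only a no-JS fallback.
                self.interactive.append(kind)

    def handle_endtag(self, tag):
        if tag == "noscript":
            self.in_noscript = False

def auto_submit_plan(html):
    """(action, method, body) if the form needs no user input, else None."""
    scan = FormScan()
    scan.feed(html)
    if scan.action is None or scan.interactive:
        return None
    return scan.action, scan.method, urlencode(scan.hidden)
```

A form that contains a text or password field makes `auto_submit_plan` return `None`, which is the case where a client has to stop and prompt the user.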