This is a helper script to allow you to interactively login to a GlobalProtect VPN that uses SAML authentication, so that you can subsequently connect with OpenConnect. (The GlobalProtect protocol is supported in OpenConnect v8.0 or newer; v8.06+ is recommended.)
Interactive login is, unfortunately, sometimes a necessary alternative to automated login via scripts such as zdave/openconnect-gp-okta.
This script is known to work with many GlobalProtect VPNs using the major single-sign-on (SSO) providers:
- Okta (sign-in URLs typically
https://<company>.okta.com/login/*
) - Microsoft (sign-in URLs typically
https://login.microsoftonline.com/*
)
Please search and file issues if you can report success or failure with other SSO SAML providers.
gp-saml-gui uses GTK, which requires Python 3 bindings.
On Debian / Ubuntu, these are packaged as python3-gi
, gir1.2-gtk-3.0
, and
gir1.2-webkit2-4.0
:
$ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0
On Fedora (and possibly RHEL/CentOS) the matching libraries are packaged in
python3-gobject
, gtk3-devel
, and webkit2gtk3-devel
:
$ sudo dnf install python3-gobject gtk3-devel webkit2gtk3-devel
On Arch Linux, the libraries are packaged in gtk3
, gobject-introspection
and webkit2gtk
:
$ sudo pacman -S gtk3 gobject-introspection webkit2gtk
Install gp-saml-gui itself using pip
:
$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
...
$ gp-saml-gui
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
[--key KEY] [-v | -q] [-x | -P | -S] [-u]
[--clientos {Windows,Linux,Mac}] [-f EXTRA]
server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: the following arguments are required: server, openconnect_extra
Specify the GlobalProtect server URL (portal or gateway) and optional
arguments, such as --clientos=Windows
(because many GlobalProtect
servers don't require SAML login, but apparently omit it in their configuration
for OSes other than Windows).
This script will pop up a GTK WebKit2 WebView window
alongside your terminal window (see this screenshot).
After you succesfully complete the SAML login via web forms, the script will output
HOST
, USER
, COOKIE
, and OS
variables in a form that can be used by
OpenConnect
(similar to the output of openconnect --authenticate
):
$ eval $( gp-saml-gui --gateway --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': 'foo12345@corp.company.com', 'saml-slo': 'no', 'saml-auth-status': '1'}
SAML response converted to OpenConnect command line invocation:
echo 'blahblahblah' |
openconnect --protocol=gp --user='foo12345@corp.company.com' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com
$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
foo12345@corp.company.com
blahblahblah
win
$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"
If you specify either the -P
/--pkexec-openconnect
or -S
/--sudo-openconnect
options, the script
will automatically invoke OpenConnect as described, using either pkexec
from Polkit
or sudo
, as specified. Extra arguments needed for OpenConnect can be specified by adding --
to the command line, and then
appending these. For example:
$ gp-saml-gui -P --gateway --clientos=Windows vpn.company.com -- --csd-wrapper=hip-report.sh
…
Launching OpenConnect with pkexec, equivalent to:
echo blahblahblahlongrandomcookievalue |
sudo openconnect --protocol=gp --user=foo12345@corp.company.com --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com
<pkexec authentication dialog pops up>
<openconnect runs>
GPLv3 or newer