Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
A generic way that works on most 'standard' Linux distributions out of the box.
The following example shows how to install openconnect-sso along with its
dependencies including Qt:
```console
$ pip install --user pipx
Successfully installed pipx
$ pipx install "openconnect-sso[full]"
⣾ installing openconnect-sso
installed package openconnect-sso 0.4.0, Python 3.7.5
These apps are now globally available
- openconnect-sso
⚠️ Note: '/home/vlaci/.local/bin' is not on your PATH environment variable.
These apps will not be globally accessible until your PATH is updated. Run
`pipx ensurepath` to automatically add it, or manually modify your PATH in your
shell's config file (i.e. ~/.bashrc).
done! ✨ 🌟 ✨
Successfully installed openconnect-sso
$ pipx ensurepath
Success! Added /home/vlaci/.local/bin to the PATH environment variable.
Consider adding shell completions for pipx. Run 'pipx completions' for
instructions.
You likely need to open a new terminal or re-login for the changes to take
effect. ✨ 🌟 ✨
```
Of course you can also install via pip instead of pipx if you'd like to
install system-wide or into a virtualenv of your choice.
There is an unofficial package available for Arch Linux on AUR. You can use your favorite AUR helper to install it:

```console
yay -S openconnect-sso
```
The easiest method to try is by installing directly:

```console
$ nix-env -i -f https://github.com/vlaci/openconnect-sso/archive/master.tar.gz
unpacking 'https://github.com/vlaci/openconnect-sso/archive/master.tar.gz'...
[...]
installing 'openconnect-sso-0.4.0'
these derivations will be built:
/nix/store/2z47740z1rr2cfqfin5lnq04sq3c5xjg-openconnect-sso-0.4.0.drv
[...]
building '/nix/store/50q496iqf840wi8b95cfmgn07k6y5b59-user-environment.drv'...
created 606 symlinks in user environment
$ openconnect-sso
```
An overlay is also available to use in nix expressions:

```nix
let
  openconnectOverlay = import "${builtins.fetchTarball https://github.com/vlaci/openconnect-sso/archive/master.tar.gz}/overlay.nix";
  pkgs = import <nixpkgs> { overlays = [ openconnectOverlay ]; };
in
  # pkgs.openconnect-sso is available in this context
```
... or to use in configuration.nix:

```nix
{ config, ... }:
{
  nixpkgs.overlays = [
    (import "${builtins.fetchTarball https://github.com/vlaci/openconnect-sso/archive/master.tar.gz}/overlay.nix")
  ];
}
```
Install with pip/pipx and be sure that you have `sudo` and `openconnect` executable commands in your PATH.
If you want to save credentials and get them automatically injected in the web browser:

```console
$ openconnect-sso --server vpn.server.com/group --user user@domain.com
Password (user@domain.com):
[info ] Authenticating to VPN endpoint ...
```

User credentials are automatically saved to the user's login keyring (if available).
If you already have Cisco AnyConnect set up, then the `--server` argument is
optional. Also, the last used `--server` address is saved between sessions, so
there is no need to always type in the same arguments:

```console
$ openconnect-sso
[info ] Authenticating to VPN endpoint ...
```
Configuration is saved in `$XDG_CONFIG_HOME/openconnect-sso/config.toml`. On
typical Linux installations it is located under
`$HOME/.config/openconnect-sso/config.toml`.
For Cisco VPN with TOTP, the following seems to work: tune config.toml by removing the default "submit" action and using these rules instead:

```toml
[[auto_fill_rules."https://*"]]
selector = "input[data-report-event=Signin_Submit]"
action = "click"

[[auto_fill_rules."https://*"]]
selector = "input[type=tel]"
fill = "totp"
```
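The rules above are keyed by a URL glob and each carries a CSS selector plus either a `fill` or an `action`. The following is an added example, not code from openconnect-sso, showing how such a config can be loaded, validated and matched against the URL of the page being shown; the matching semantics (glob on the full URL via `fnmatch`, rules applied in config order) and the third, `login.example.com`-scoped password rule are assumptions made for illustration.

```python
"""Load and evaluate openconnect-sso style auto_fill_rules from config.toml text.

Added example (not part of openconnect-sso). The rule shape follows the README:
a URL glob key, a `selector`, and exactly one of `fill` or `action`. How the
rules are matched and ordered here is an assumption for illustration.
"""
import fnmatch
import re

try:
    import tomllib  # stdlib on Python 3.11+
except ImportError:  # older interpreters fall back to the subset parser below
    tomllib = None

# Constructed sample config: the two TOTP rules from the README plus one
# hypothetical password rule scoped to an example IdP host.
SAMPLE_CONFIG = '''
[[auto_fill_rules."https://*"]]
selector = "input[data-report-event=Signin_Submit]"
action = "click"

[[auto_fill_rules."https://*"]]
selector = "input[type=tel]"
fill = "totp"

[[auto_fill_rules."https://login.example.com/*"]]
selector = "input[type=password]"
fill = "password"
'''

_HEADER = re.compile(r'^\[\[auto_fill_rules\."([^"]+)"\]\]$')
_KEY_VALUE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def _parse_subset(text):
    """Parse only the TOML subset these rules use: quoted-key array tables with string values."""
    rules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = _HEADER.match(line)
        if header:
            current = {}
            rules.setdefault(header.group(1), []).append(current)
            continue
        pair = _KEY_VALUE.match(line)
        if pair is None or current is None:
            raise ValueError(f"unsupported line: {raw!r}")
        current[pair.group(1)] = pair.group(2)
    return {"auto_fill_rules": rules}


def load_rules(text):
    """Return {url_glob: [rule, ...]} from config text."""
    data = tomllib.loads(text) if tomllib else _parse_subset(text)
    return data.get("auto_fill_rules", {})


def validate_rules(rules):
    """List problems: every rule needs a selector and exactly one of fill/action."""
    problems = []
    for pattern, entries in rules.items():
        for index, rule in enumerate(entries):
            where = f"{pattern}[{index}]"
            if "selector" not in rule:
                problems.append(f"{where}: missing selector")
            if ("fill" in rule) == ("action" in rule):
                problems.append(f"{where}: needs exactly one of fill/action")
    return problems


def matching_rules(rules, url):
    """Rules whose URL glob matches url, as (selector, kind, value) tuples in config order."""
    hits = []
    for pattern, entries in rules.items():
        if not fnmatch.fnmatchcase(url, pattern):
            continue
        for rule in entries:
            kind = "fill" if "fill" in rule else "action"
            hits.append((rule["selector"], kind, rule[kind]))
    return hits


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_CONFIG)
    print("problems:", validate_rules(loaded) or "none")
    for hit in matching_rules(loaded, "https://login.example.com/oauth2/authorize"):
        print(hit)
```

Because the key is a glob over the whole URL, a rule that fills a stored credential can be scoped to the identity provider's host (as the constructed third rule does) rather than to every `https://` page the embedded browser visits; `validate_rules` catches the common editing mistake of leaving a rule with both or neither of `fill` and `action`.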
Sometimes you need to add custom `openconnect` arguments. One situation is if you get error messages similar to these:

```
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (-5)
```

or:

```
Detected MTU of 1370 bytes (was 1406)
```

Generally, you can add `openconnect` arguments after the `--` separator. These are called "positional arguments". The
solution to the previous errors is setting `--base-mtu`, e.g.:

```console
openconnect-sso --server vpn.server.com/group --user user@domain.com -- --base-mtu=1370
#                                                          separator ^^|^^^^^^^^^^^^^^^ openconnect args
```
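As an added illustration (not code from openconnect-sso) of the `--` convention, the following splits an argument vector at the separator and derives the `--base-mtu` value from the "Detected MTU" line quoted above. The log sample is constructed from the README's messages; the `with_base_mtu` helper that appends the option unless one is already present is a hypothetical convenience, not a feature of the tool.

```python
"""Split openconnect-sso style argv at `--` and derive --base-mtu from openconnect's log.

Added example, not code from openconnect-sso: the split-at-`--` convention is
the one the README describes; suggesting a value from the "Detected MTU of N
bytes" line is a helper assumed here for illustration.
"""
import re

# Constructed sample of the openconnect messages quoted in the README.
SAMPLE_LOG = """\
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (-5)
Detected MTU of 1370 bytes (was 1406)
"""

_MTU_LINE = re.compile(r"Detected MTU of (\d+) bytes")


def split_passthrough(argv):
    """Return (wrapper_args, openconnect_args): everything after the first bare '--' is passed through."""
    if "--" not in argv:
        return list(argv), []
    cut = argv.index("--")
    return list(argv[:cut]), list(argv[cut + 1:])


def suggest_base_mtu(log_text):
    """Smallest MTU openconnect reported detecting, or None if no such line was logged."""
    values = [int(m.group(1)) for m in _MTU_LINE.finditer(log_text)]
    return min(values) if values else None


def has_option(args, name):
    """True if args already carry `name` or `name=value`."""
    return any(a == name or a.startswith(name + "=") for a in args)


def with_base_mtu(argv, log_text):
    """Return argv with --base-mtu=<detected> added after '--', unless one is already set."""
    own, passthrough = split_passthrough(argv)
    mtu = suggest_base_mtu(log_text)
    if mtu is None or has_option(passthrough, "--base-mtu"):
        return list(argv)
    return own + ["--"] + passthrough + [f"--base-mtu={mtu}"]


if __name__ == "__main__":
    cmd = ["--server", "vpn.server.com/group", "--user", "user@domain.com"]
    print(" ".join(["openconnect-sso"] + with_base_mtu(cmd, SAMPLE_LOG)))
```

Only the first bare `--` is treated as the separator, so an `--` that belongs to the pass-through side stays with the openconnect arguments; that matches how a shell-style wrapper is expected to behave and keeps the wrapper from interpreting options meant for openconnect.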
openconnect-sso is developed using Nix. Refer to the Quick Start section of the Nix
manual to see how to get it installed on your machine.

To get dropped into a development environment, just type `nix-shell`:

```console
$ nix-shell
Sourcing python-catch-conflicts-hook.sh
Sourcing python-remove-bin-bytecode-hook.sh
Sourcing pip-build-hook
Using pipBuildPhase
Sourcing pip-install-hook
Using pipInstallPhase
Sourcing python-imports-check-hook.sh
Using pythonImportsCheckPhase
Run 'make help' for available commands
[nix-shell]$
```

To try an installed version of the package, issue `nix-build`:

```console
$ nix build
[1 built, 0.0 MiB DL]
$ result/bin/openconnect-sso --help
```

Alternatively you may just get Poetry and start developing by using the included Makefile. Type `make help` to see the
possible make targets.