OpenConnect SSO Issue - KDE - Plasma 5
I downloaded and installed the latest version of OpenConnect, 9.0.1, which, according to the changelog, should support SSO (quoting: "Add support for AnyConnect "external browser" SSO mode (!354 (merged))") since version 9.0.0, released the same day.
When I try to connect, I receive the following message:
XML POST enabled
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to complete authentication
I ran openconnect with the -vvv --dump switches to find more information:
sudo openconnect -vvv --dump --protocol=anyconnect --server=https://server.domain.com/ --user=my.user@domain.com
POST https://server.domain.com/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with server.domain.com
Connected to HTTPS on server.domain.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: server.domain.com
> User-Agent: Open AnyConnect VPN Agent v9.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: <PublicKeyStringHere>
> X-AnyConnect-STRAP-DH-Pubkey: <AnotherPublicKeyStringHere>
> X-Pad: 000000000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 409
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.01</version><device-id>linux-64</device-id><capabilities><auth-method>single-sign-on</auth-method><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://server.domain.com/</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 08 May 2022 02:37:31 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>DefaultWEBVPNGroup</tunnel-group>
< <auth-method>single-sign-on-v2</auth-method>
< <config-hash><HashGoesHere></config-hash>
< </opaque>
< <auth id="main">
< <message>Please complete the authentication process in the AnyConnect Login window.</message>
< <sso-v2-login>https://same.domain.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2</sso-v2-login>
< <sso-v2-login-final>https://same.domain.com/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
< <sso-v2-logout>https://same.domain.com/+CSCOE+/saml/sp/logout</sso-v2-logout>
< <sso-v2-logout-final>https://same.domain.com/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>
< <sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
< <sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
< <form>
< <input type="sso" name="sso-token"></input>
< </form>
< </auth>
< </config-auth>
XML POST enabled
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to complete authentication
I have replaced my VPN endpoint with server.domain.com and its IP address with 1.2.3.4 for security.
If I use openconnect-sso (https://github.com/vlaci/openconnect-sso) I do receive a pop-up window where I can enter my credentials and DUO authentication tap. I created a script to run openconnect-sso which has this content:
#!/bin/bash
# Workaround from https://github.com/vlaci/openconnect-sso/issues/69:
# disable the Chromium sandbox for the embedded QtWebEngine login window
export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox"
# run openconnect-sso in its own terminal window against the VPN gateway
konsole -e openconnect-sso --server server.domain.com
Should the new version of OpenConnect replace openconnect-sso or should I continue using openconnect-sso for my VPN connection?
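The reply shown in the dump above is an aggregate-auth `auth-request` in which the gateway picks one SSO method and hands the client the SAML login URL and token cookie name. The following is an added example (not from the original post or the OpenConnect project) that parses such a reply, reports which mode the gateway selected, and checks that the login URL points at the expected gateway host. The sample XML is constructed to mirror the log, with the bare `&` escaped so a strict XML parser accepts it; the method-to-mode mapping is an assumption to verify against your OpenConnect version.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the server reply in the log above.
# The raw dump shows a bare "&" in the login URL; it is escaped here so
# ElementTree parses it, and the config-hash is a placeholder.
SAMPLE_AUTH_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>DefaultWEBVPNGroup</tunnel-group>
<auth-method>single-sign-on-v2</auth-method>
<config-hash>HashGoesHere</config-hash>
</opaque>
<auth id="main">
<message>Please complete the authentication process in the AnyConnect Login window.</message>
<sso-v2-login>https://server.domain.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&amp;acsamlcap=v2</sso-v2-login>
<sso-v2-login-final>https://server.domain.com/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
<form><input type="sso" name="sso-token"></input></form>
</auth>
</config-auth>"""

# Assumption for this example: methods that need an embedded web view (what
# openconnect-sso supplies via QtWebEngine) versus a hand-off to the system browser.
EMBEDDED_BROWSER_METHODS = {"single-sign-on", "single-sign-on-v2"}
EXTERNAL_BROWSER_METHODS = {"single-sign-on-external-browser"}


def parse_auth_request(xml_text):
    """Extract the fields a client needs from a config-auth auth-request."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError("not an aggregate-auth auth-request")
    auth = root.find("auth")
    return {
        "tunnel_group": root.findtext("opaque/tunnel-group"),
        "auth_method": root.findtext("opaque/auth-method"),
        "message": auth.findtext("message"),
        "sso": {c.tag: c.text for c in auth if c.tag.startswith("sso-")},
        "form_inputs": [(i.get("type"), i.get("name")) for i in auth.iter("input")],
    }


def sso_mode(info):
    """Classify the gateway's chosen method: embedded-browser, external-browser or none."""
    method = info["auth_method"]
    if method in EXTERNAL_BROWSER_METHODS:
        return "external-browser"
    return "embedded-browser" if method in EMBEDDED_BROWSER_METHODS else "none"


def sso_login_host(info):
    """Host the SAML login URL points at; compare it with the gateway you connected to."""
    return urlparse(info["sso"]["sso-v2-login"]).hostname
```

A mismatch between `sso_login_host()` and the gateway you dialled means the SAML login is being served from somewhere other than the VPN endpoint, which is worth confirming with whoever runs the gateway before entering credentials.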