"No SSO handler" with unexpected(?) SAML type
In trying to connect to a Cisco ASA VPN endpoint that wants SAML auth, openconnect exits with "No SSO handler".
I have debugged this to the point of discovering that neither vpninfo->sso_browser_mode nor vpninfo->open_webview is set. I have forced it to take the external browser mode path, and it takes me through my SSO authentication mechanism, but doesn't redirect to http://localhost:29786/, which makes it feel like it should be taking the open_webview path, but it's NULL at the decision point (library.c:1714) and I can't figure out where it would be set.
This is on macOS 13.6.4, openconnect installed via brew. (I was using a version I built myself to do some troubleshooting, but this report was generated using whatever brew installs by default.)
% openconnect https://CISCOASA/ --csd-wrapper=/usr/local/Cellar/openconnect/9.12/libexec/openconnect/csd-post.sh --authgroup=GROUPNAME --dump-http-traffic -vvv
POST https://CISCOASA/
Attempting to connect to server 10.11.12.13:443
Connected to 10.11.12.13:443
SSL negotiation with CISCOASA
Connected to HTTPS on CISCOASA with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: CISCOASA
> User-Agent: Open AnyConnect VPN Agent v9.12-unknown
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: STRAPPUBKEY
> X-AnyConnect-STRAP-DH-Pubkey: STRAPDHPUBKEY
> X-Pad: 0000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 380
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.12-unknown</version><device-id>mac-intel</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://CISCOASA/</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 26 Mar 2024 20:09:04 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>GROUPNAME_REAL</tunnel-group>
< <auth-method>single-sign-on-v2</auth-method>
< <group-alias>GROUPNAME</group-alias>
< <config-hash>CONFIGHASH</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please complete the authentication process in the AnyConnect Login window.</message>
< <banner></banner>
< <sso-v2-login>https://CISCOASA/+CSCOE+/saml/sp/login?tgname=GROUPNAME_REAL&acsamlcap=v2</sso-v2-login>
< <sso-v2-login-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
< <sso-v2-logout>https://CISCOASA/+CSCOE+/saml/sp/logout</sso-v2-logout>
< <sso-v2-logout-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>
< <sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
< <sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
< <form>
< <input type="sso" name="sso-token"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPNAME</option>
< <option>OTHERGROUP</option>
< </select>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>HSTICKET</host-scan-ticket>
< <host-scan-token>HSTOKEN</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
XML POST enabled
Trying to run CSD Trojan script '/usr/local/Cellar/openconnect/9.12/libexec/openconnect/csd-post.sh'.
Unhandled hostscan field 'secinsp_5_2_2_8~Advanced Endpoint Assessment ver Win:5.2.2.8,Mac:5.2.2.8,Linux:5.2.2.8~'
<?xml version="1.0" encoding="UTF-8"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
CSD script '/usr/local/Cellar/openconnect/9.12/libexec/openconnect/csd-post.sh' completed successfully.
GET https://CISCOASA/+CSCOE+/sdesktop/wait.html
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: CISCOASA
> User-Agent: Open AnyConnect VPN Agent v9.12-unknown
> Cookie: sdesktop=HSTOKEN
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: STRAPPUBKEY
> X-AnyConnect-STRAP-DH-Pubkey: STRAPDHPUBKEY
>
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 26 Mar 2024 20:09:06 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
Location: /
Set-Cookie: sdesktop=HSTOKEN; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://CISCOASA/
SSL negotiation with CISCOASA
Connected to HTTPS on CISCOASA with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: CISCOASA
> User-Agent: Open AnyConnect VPN Agent v9.12-unknown
> Cookie: sdesktop=HSTOKEN
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: STRAPPUBKEY
> X-AnyConnect-STRAP-DH-Pubkey: STRAPDHPUBKEY
> X-Pad: 0000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 380
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.12-unknown</version><device-id>mac-intel</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://CISCOASA/</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 26 Mar 2024 20:09:06 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>GROUPNAME_REAL</tunnel-group>
< <auth-method>single-sign-on-v2</auth-method>
< <group-alias>GROUPNAME</group-alias>
< <config-hash>CONFIGHASH</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please complete the authentication process in the AnyConnect Login window.</message>
< <banner></banner>
< <sso-v2-login>https://CISCOASA/+CSCOE+/saml/sp/login?tgname=GROUPNAME_REAL&acsamlcap=v2</sso-v2-login>
< <sso-v2-login-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
< <sso-v2-logout>https://CISCOASA/+CSCOE+/saml/sp/logout</sso-v2-logout>
< <sso-v2-logout-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>
< <sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
< <sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
< <form>
< <input type="sso" name="sso-token"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPNAME</option>
< <option>OTHERGROUP</option>
< </select>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>HSTICKET2</host-scan-ticket>
< <host-scan-token>HSTOKEN2</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to complete authentication
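Added example, not part of the report and not openconnect's own code: a small parser for the aggregate-auth `auth-request` body the ASA returns above, which pulls out the server-selected `auth-method` from `<opaque>` and the `sso-v2-*` fields from `<auth>`, and then decides what the client would have to provide before opening the login URL. The `HANDLER_FOR_METHOD` mapping (sso-v2 needs an embedded webview, external-browser needs a browser plus a local redirect listener) is an assumption drawn from the two capability names the client advertises in the log, not openconnect's actual decision logic; the same-host check on the login URL is an added defensive sanity check, and the function names are mine. The sample body is constructed from the log with its placeholder values; the log shows a bare `&` inside `<sso-v2-login>`, which a strict XML parser rejects, so it is escaped here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the auth-request body from the debug log, placeholders kept.
AUTH_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>GROUPNAME_REAL</tunnel-group>
<auth-method>single-sign-on-v2</auth-method>
<group-alias>GROUPNAME</group-alias>
<config-hash>CONFIGHASH</config-hash>
</opaque>
<auth id="main">
<title>Login</title>
<message>Please complete the authentication process in the AnyConnect Login window.</message>
<banner></banner>
<sso-v2-login>https://CISCOASA/+CSCOE+/saml/sp/login?tgname=GROUPNAME_REAL&amp;acsamlcap=v2</sso-v2-login>
<sso-v2-login-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-login-final>
<sso-v2-logout>https://CISCOASA/+CSCOE+/saml/sp/logout</sso-v2-logout>
<sso-v2-logout-final>https://CISCOASA/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
<form>
<input type="sso" name="sso-token"></input>
<select name="group_list" label="GROUP:">
<option selected="true">GROUPNAME</option>
<option>OTHERGROUP</option>
</select>
</form>
</auth>
</config-auth>
"""

# Assumed mapping (not openconnect's code) from the server-selected auth-method
# to the client-side handler that must exist before the login URL is opened.
HANDLER_FOR_METHOD = {
    "single-sign-on-v2": "embedded webview",
    "single-sign-on-external-browser": "external browser + local redirect listener",
}


def _text(parent, tag):
    """Text of the first child <tag> under parent, or None if absent/empty."""
    if parent is None:
        return None
    el = parent.find(tag)
    return el.text if el is not None and el.text else None


def parse_auth_request(xml_text):
    """Extract the SSO-relevant fields from a config-auth auth-request body."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError("not an aggregate-auth auth-request")
    opaque = root.find("opaque")
    auth = root.find("auth")
    if auth is None:
        raise ValueError("missing <auth> element")
    sso_input = auth.find("form/input[@type='sso']")
    return {
        "auth_method": _text(opaque, "auth-method"),
        "tunnel_group": _text(opaque, "tunnel-group"),
        "login_url": _text(auth, "sso-v2-login"),
        "login_final_url": _text(auth, "sso-v2-login-final"),
        "token_cookie": _text(auth, "sso-v2-token-cookie-name"),
        "error_cookie": _text(auth, "sso-v2-error-cookie-name"),
        "sso_field": sso_input.get("name") if sso_input is not None else None,
        "message": _text(auth, "message"),
    }


def required_handler(info, endpoint_host):
    """Return which client handler the response needs, or None if no SSO flow.

    Refuses to proceed when the login URL points at a host other than the VPN
    endpoint the user connected to (added defensive check, an assumption here).
    """
    if not info["login_url"] or info["sso_field"] is None:
        return None
    host = (urlparse(info["login_url"]).hostname or "").lower()
    if host != endpoint_host.lower():
        raise ValueError(f"SSO login URL host {host!r} differs from endpoint {endpoint_host!r}")
    method = info["auth_method"]
    return HANDLER_FOR_METHOD.get(method, f"unknown auth-method {method!r}")


if __name__ == "__main__":
    info = parse_auth_request(AUTH_REQUEST)
    print("server selected:", info["auth_method"])
    print("login URL:", info["login_url"])
    print("token cookie:", info["token_cookie"])
    print("client needs:", required_handler(info, "CISCOASA"))
```

Run against the body from the log, it reports that the ASA selected `single-sign-on-v2` (even though the client also offered `single-sign-on-external-browser`), that the token comes back in the `acSamlv2Token` cookie, and that under the assumed mapping the client therefore needs an embedded webview handler rather than the localhost redirect the external-browser path waits for.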