Cisco external-auth and STRAP key refinements

Daniel Lenski requested to merge ext_browser_auth_and_STRAP_key_refinements into master

Don't offer single-sign-on-external-browser auth-method unless we actually have the possibility to open an external browser (just as we don't offer multiple-cert unless the user has specified a second cert).

Sending STRAP keys appears to restrict the ability to reuse the webvpn cookie on other cookies of the same VPN, as discussed on 8bacc334 (comment 942004949).

Therefore we should avoid generating and offering STRAP keys unless:

  1. We are doing authentication and may potentially use external-browser-auth, which requires the STRAP keys, or

  2. We already have STRAP keys from the authentication stage, in which case we have to continue sending them for verification along with the webvpn cookie, in order to prevent the server from rejecting it. (See #410 (closed))
