Initialize 'vpninfo->authgroup' to allow 'xmlpost_initial_req' to set '<group-select>'

Paul Schyska requested to merge pschyska/openconnect:master into master

I was having trouble connecting to an AnyConnect gateway with external browser authentication.

Even when passing --authgroup, the returned SAML authentication link referenced the wrong group. I was able to work around this for a while by replacing the group name in the SAML link with the correct one before invoking the browser.

Recently, this hack stopped working: after successful authentication and redirect back, the gateway returns <error id="109">Single sign-on AnyConnect token verification failure.</error> and restarts the SAML authentication (looping). I assume there was an update on the gateway that leads to a different behaviour.

I then compared the requests of AnyConnect vs openconnect, and noticed that AnyConnect sets <group-select> in the initial POST, whereas openconnect doesn't. The XML returned to openconnect then references the default group in <tunnel-group>, <group-alias> and in the URI <sso-v2-login>, which is incorrect.

Although there is code to set <tunnel-group> here, at this point vpninfo->authgroup is null for me. It seems to be set only in a later stage, after the initial POST. I might have missed something, but by setting it directly after option parsing the initial request gets the correct <group-select> set, and I'm able to finish the external browser auth and get my cookies.

The invocation I used for testing is: openconnect "$SERVER" --servercert "pin-sha256:$CERT" --protocol anyconnect --user "$USER" --csd-wrapper /dev/null --os linux-64 --useragent="AnyConnect Linux_64 4.10.06090" --version-string "4.10.06090" -vvv --dump-http-traffic --cookieonly --external-browser="$PWD"/browser.sh --authgroup "$AUTHGROUP".

I'm attaching two log files, without and with my patch, showing the exchange up until opening the external browser. With the patched version I was then able to finish the external auth and acquire the cookie.

wrong.txt

patched.txt

The pipeline failed to run some tests, but without looking deeper they seem to be environment-related and not related to the change.

Edited by Paul Schyska