  • Language
    Python
  • License
    GNU General Publi...
  • Created about 5 years ago
  • Updated 4 months ago


Repository Details

Interactively authenticate to GlobalProtect VPNs that require SAML

gp-saml-gui

Introduction

This is a helper script to allow you to interactively login to a GlobalProtect VPN that uses SAML authentication, so that you can subsequently connect with OpenConnect. (The GlobalProtect protocol is supported in OpenConnect v8.0 or newer; v8.06+ is recommended.)

Interactive login is, unfortunately, sometimes a necessary alternative to automated login via scripts such as zdave/openconnect-gp-okta.

This script is known to work with many GlobalProtect VPNs using the major single-sign-on (SSO) providers:

  • Okta (sign-in URLs typically https://<company>.okta.com/login/*)
  • Microsoft (sign-in URLs typically https://login.microsoftonline.com/*)

Please search and file issues if you can report success or failure with other SSO SAML providers.

Installation

First, non-Python Dependencies

gp-saml-gui drives a GTK window containing a WebKit2 web view, so it needs the Python 3 GObject-Introspection bindings for GTK 3 and WebKit2GTK.

On Debian / Ubuntu, these are packaged as python3-gi, gir1.2-gtk-3.0, and gir1.2-webkit2-4.0:

$ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0

On Fedora (and possibly RHEL/CentOS) the matching libraries are packaged in python3-gobject, gtk3-devel, and webkit2gtk3-devel:

$ sudo dnf install python3-gobject gtk3-devel webkit2gtk3-devel

On Arch Linux, the libraries are packaged in gtk3, gobject-introspection and webkit2gtk:

$ sudo pacman -S gtk3 gobject-introspection webkit2gtk

Second, gp-saml-gui itself

Install gp-saml-gui itself using pip:

$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
...
$ gp-saml-gui
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
                   [--key KEY] [-v | -q] [-x | -P | -S] [-u]
                   [--clientos {Windows,Linux,Mac}] [-f EXTRA]
                   server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: the following arguments are required: server, openconnect_extra

How to use

Specify the GlobalProtect server URL (portal or gateway) and optional arguments, such as --clientos=Windows. The latter is frequently needed because many GlobalProtect servers that do require SAML login only advertise it in their prelogin configuration for Windows clients, and omit it for other client OSes.

This script will pop up a GTK WebKit2 WebView window alongside your terminal window (see this screenshot). After you successfully complete the SAML login via web forms, the script will output HOST, USER, COOKIE, and OS variables in a form that can be used by OpenConnect (similar to the output of openconnect --authenticate):

$ eval $( gp-saml-gui --gateway --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.company.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': '[email protected]', 'saml-slo': 'no', 'saml-auth-status': '1'}

SAML response converted to OpenConnect command line invocation:

    echo 'blahblahblah' |
        openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com

$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
[email protected]
blahblahblah
win

$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"

If you specify either the -P/--pkexec-openconnect or -S/--sudo-openconnect options, the script will automatically invoke OpenConnect as described, using either pkexec from Polkit or sudo, as specified.

Note that the prelogin-cookie is a bearer credential for the VPN session: whoever holds it can complete the connection as you. That is why it is fed to OpenConnect on stdin (--passwd-on-stdin) rather than as a command-line argument, where it would be visible in `ps` output and shell history. For the same reason, avoid --no-verify outside of testing; it disables certificate verification of the GlobalProtect server, and a man-in-the-middle could then capture both the SAML exchange and the resulting cookie.
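To make the last step concrete, the following is an added Python example (not code from gp-saml-gui itself) that reproduces the conversion shown above: the header dict printed after "Got SAML relevant headers" becomes the HOST, USER, COOKIE and OS variables and the openconnect argv. The Windows-to-win mapping, the gateway:prelogin-cookie usergroup and the header names are taken from the output above; the Linux and Mac entries of the OS map and the portal:prelogin-cookie usergroup are assumptions. The sample headers are the constructed values from the README output.

```python
"""Turn the SAML result headers gp-saml-gui collects into OpenConnect variables.

Added example, not the project's own code. Reproduces the final step of the
README: headers -> HOST/USER/COOKIE/OS -> openconnect command line.
"""
import shlex

# --clientos choice -> value for `openconnect --os`. Windows -> win is shown in
# the README output; the Linux and Mac entries are assumed from OpenConnect's
# own --os choices.
CLIENTOS_TO_OS = {"Windows": "win", "Linux": "linux", "Mac": "mac-intel"}


def saml_headers_to_vars(headers, server, gateway=True, clientos="Windows"):
    """Validate the SAML result headers and build the four OpenConnect variables."""
    # Refuse to hand a cookie to OpenConnect unless the SP reported success.
    if headers.get("saml-auth-status") != "1":
        raise ValueError("SAML authentication did not succeed: saml-auth-status=%r"
                         % headers.get("saml-auth-status"))
    cookie = headers.get("prelogin-cookie")
    username = headers.get("saml-username")
    if not cookie or not username:
        raise ValueError("SAML response lacks prelogin-cookie or saml-username")
    # The usergroup tells OpenConnect's GlobalProtect code which endpoint the
    # cookie belongs to, and that a prelogin-cookie (not a password) is being
    # supplied on stdin. The portal variant is an assumption.
    usergroup = ("gateway" if gateway else "portal") + ":prelogin-cookie"
    base = server if server.startswith(("https://", "http://")) else "https://" + server
    return {
        "HOST": base.rstrip("/") + "/" + usergroup,
        "USER": username,
        "COOKIE": cookie,
        "OS": CLIENTOS_TO_OS[clientos],
    }


def shell_exports(vars_):
    """Render VAR=value lines that are safe to pass to `eval`.

    The username and cookie come back from the identity provider / SP, so from
    the shell's point of view they are untrusted input. shlex.quote single-quotes
    anything outside the safe character set, so a crafted value containing
    `$(...)`, `;` or a quote cannot break out of the assignment under eval.
    """
    return "\n".join("%s=%s" % (k, shlex.quote(v)) for k, v in vars_.items())


def openconnect_argv(vars_):
    """argv for OpenConnect, matching the README's final command.

    The cookie is deliberately absent: it goes to stdin via --passwd-on-stdin,
    so it never appears in `ps` output or shell history.
    """
    return ["openconnect", "--protocol=gp", "--user=" + vars_["USER"],
            "--os=" + vars_["OS"], "--passwd-on-stdin", vars_["HOST"]]


if __name__ == "__main__":
    # Constructed input: the header dict as printed in the README output.
    headers = {"prelogin-cookie": "blahblahblah", "saml-username": "[email protected]",
               "saml-slo": "no", "saml-auth-status": "1"}
    v = saml_headers_to_vars(headers, "vpn.company.com", gateway=True, clientos="Windows")
    print(shell_exports(v))
    print("echo \"$COOKIE\" | " + " ".join(shlex.quote(a) for a in openconnect_argv(v)))
```

Running the script prints the same four assignments as the `echo $HOST; ...` sequence above and the openconnect command that consumes them. The auth-status check and the quoting are the two points worth keeping in any wrapper of your own: the first stops a failed or partial SAML exchange from being turned into a connection attempt, the second keeps `eval $( ... )` safe even if the identity provider hands back a username with shell metacharacters in it.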

Extra Arguments to OpenConnect

Extra arguments needed for OpenConnect can be specified by adding -- to the command line, and then appending these. For example:

$ gp-saml-gui -P --gateway --clientos=Windows vpn.company.com -- --csd-wrapper=hip-report.sh
…
Launching OpenConnect with pkexec, equivalent to:
    echo blahblahblahlongrandomcookievalue |
        pkexec openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin --csd-wrapper=hip-report.sh vpn.company.com
<pkexec authentication dialog pops up>
<openconnect runs>

License

GPLv3 or newer
