  • Stars: 291
  • Rank: 142,047 (Top 3 %)
  • Language: Python
  • License: GNU General Publi...
  • Created: about 5 years ago
  • Updated: 3 months ago


Interactively authenticate to GlobalProtect VPNs that require SAML

gp-saml-gui


Introduction

This is a helper script to allow you to interactively login to a GlobalProtect VPN that uses SAML authentication, so that you can subsequently connect with OpenConnect. (The GlobalProtect protocol is supported in OpenConnect v8.0 or newer; v8.06+ is recommended.)

Interactive login is, unfortunately, sometimes a necessary alternative to automated login via scripts such as zdave/openconnect-gp-okta.

This script is known to work with many GlobalProtect VPNs using the major single-sign-on (SSO) providers:

  • Okta (sign-in URLs typically https://<company>.okta.com/login/*)
  • Microsoft (sign-in URLs typically https://login.microsoftonline.com/*)

Please search and file issues if you can report success or failure with other SSO SAML providers.

Installation

First, non-Python Dependencies

gp-saml-gui uses GTK and a WebKit2 web view, which require the Python 3 GObject introspection bindings.

On Debian / Ubuntu, these are packaged as python3-gi, gir1.2-gtk-3.0, and gir1.2-webkit2-4.0:

$ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0

On Fedora (and possibly RHEL/CentOS) the matching libraries are packaged in python3-gobject, gtk3-devel, and webkit2gtk3-devel:

$ sudo dnf install python3-gobject gtk3-devel webkit2gtk3-devel

On Arch Linux, the libraries are packaged in gtk3, gobject-introspection and webkit2gtk:

$ sudo pacman -S gtk3 gobject-introspection webkit2gtk

Second, gp-saml-gui itself

Install gp-saml-gui itself using pip:

$ pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip
...
$ gp-saml-gui
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
                   [--key KEY] [-v | -q] [-x | -P | -S] [-u]
                   [--clientos {Windows,Linux,Mac}] [-f EXTRA]
                   server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: the following arguments are required: server, openconnect_extra

How to use

Specify the GlobalProtect server URL (portal or gateway) and optional arguments, such as --clientos=Windows (because many GlobalProtect servers don't require SAML login, but apparently omit it in their configuration for OSes other than Windows).

This script will pop up a GTK WebKit2 WebView window alongside your terminal window (see this screenshot). After you successfully complete the SAML login via web forms, the script will output HOST, USER, COOKIE, and OS variables in a form that can be used by OpenConnect (similar to the output of openconnect --authenticate):

$ eval $( gp-saml-gui --gateway --clientos=Windows vpn.company.com )
Got SAML POST content, opening browser...
Finished loading about:blank...
Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
Finished loading https://company.okta.com/login/sessionCookieRedirect...
Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': '[email protected]', 'saml-slo': 'no', 'saml-auth-status': '1'}

SAML response converted to OpenConnect command line invocation:

    echo 'blahblahblah' |
        openconnect --protocol=gp --user='[email protected]' --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com

$ echo $HOST; echo $USER; echo $COOKIE; echo $OS
https://vpn.company.com/gateway:prelogin-cookie
[email protected]
blahblahblah
win

$ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"

If you specify either the -P/--pkexec-openconnect or -S/--sudo-openconnect options, the script will automatically invoke OpenConnect as described, using either pkexec from Polkit or sudo, as specified.
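The conversion shown above, from the SAML result headers gp-saml-gui reports to the HOST/USER/COOKIE/OS variables and an openconnect command line, as an added example that is not gp-saml-gui's own code. The Linux and Mac entries of the --os mapping and the sample username are assumptions; the sample headers are constructed from the output above.

```python
"""Turn gp-saml-gui's SAML result headers into an OpenConnect invocation (added example)."""
import shlex

# Page shows --clientos=Windows -> --os=win; the Linux and Mac values are assumed.
CLIENTOS_TO_OS = {"Windows": "win", "Linux": "linux", "Mac": "mac"}

# Constructed sample, modelled on the "Got SAML relevant headers" line above.
SAMPLE_HEADERS = {
    "prelogin-cookie": "blahblahblah",
    "saml-username": "user@company.com",  # constructed placeholder
    "saml-slo": "no",
    "saml-auth-status": "1",
}


def login_succeeded(headers):
    """True only when the VPN reported a completed SAML login with both values we need."""
    return (headers.get("saml-auth-status") == "1"
            and bool(headers.get("prelogin-cookie"))
            and bool(headers.get("saml-username")))


def saml_headers_to_openconnect(headers, server, interface="gateway", clientos="Windows"):
    """Return (env, argv): the HOST/USER/COOKIE/OS variables and the openconnect argv.

    Fails closed on an incomplete login so a half-finished SAML flow never reaches
    openconnect. The cookie is returned for stdin only and never placed in argv.
    """
    if not login_succeeded(headers):
        raise ValueError(f"SAML login incomplete: {headers!r}")
    if interface not in ("gateway", "portal"):
        raise ValueError(f"interface must be gateway or portal, not {interface!r}")
    os_name = CLIENTOS_TO_OS[clientos]
    usergroup = f"{interface}:prelogin-cookie"
    env = {"HOST": f"https://{server}/{usergroup}", "USER": headers["saml-username"],
           "COOKIE": headers["prelogin-cookie"], "OS": os_name}
    argv = ["openconnect", "--protocol=gp", f"--user={env['USER']}", f"--os={os_name}",
            f"--usergroup={usergroup}", "--passwd-on-stdin", server]
    return env, argv


def shell_exports(env):
    """Render the variables as eval-able shell assignments, quoting every value."""
    return "\n".join(f"{k}={shlex.quote(v)}" for k, v in env.items())


if __name__ == "__main__":
    env, argv = saml_headers_to_openconnect(SAMPLE_HEADERS, "vpn.company.com")
    print(shell_exports(env))
    print('echo "$COOKIE" | ' + " ".join(shlex.quote(a) for a in argv))
```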

Extra Arguments to OpenConnect

Extra arguments for OpenConnect can be passed by adding -- to the command line and appending them after it. For example:

$ gp-saml-gui -P --gateway --clientos=Windows vpn.company.com -- --csd-wrapper=hip-report.sh
…
Launching OpenConnect with pkexec, equivalent to:
    echo blahblahblahlongrandomcookievalue |
        sudo openconnect --protocol=gp [email protected] --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.company.com
<pkexec authentication dialog pops up>
<openconnect runs>

License

GPLv3 or newer
