Openconnect support with CAS and SAML? #118
CAS = https://en.wikipedia.org/wiki/Central_Authentication_Service…? I am the main developer of the GlobalProtect support, but have no access to a GP VPN that uses SAML myself.
Hmm, weird. This cookie does not show up on the auth flow, at least not when I try to log in from the browser (only PHPSESSID shows up). Should it show up in the SAML responses? Or in the request headers? I tried to intercept the requests on my GP client, but I can't use the mitmproxy certificate with it.
Ignore the
See #120 for some tips on getting GP to accept MITMproxy'ed certs.
@dlenski nice, I got to intercept it by only using the

I finally understand where the cookie is – when I make a request to

Imitating @arthepsy, I made a Python script (a very ugly one, sorry) for that. Thanks for the help @dlenski
Ah, yes… mitmproxy itself has to be coaxed into making insecure requests.
Very nice. And once you're done, you can simply connect with

It'd be awesome to have you SAML users join forces and create one script that handles all the possible use cases and outputs an

HOST='10.2.3.4/gateway:prelogin-cookie'
FINGERPRINT='sha1:deadbeefdeadbeefdeadbeef012345678'
SECRET='blahblahblahblahblahblah'

Then everyone can just do

———

Please test the new 👉

$ openconnect --prot=gp fakeserver
SAML login is required: http://lolcats.com/login/vpn
OH HAI I CAN HAZ CRUDENSHULS?
Usernomnomnom: nobody
Paßwört: ******

<prelogin-response>
<status>Success</status>
<ccusername/>
<autosubmit>false</autosubmit>
<msg/>
<newmsg/>
<authentication-message>OH HAI I CAN HAZ CRUDENSHULS?</authentication-message>
<username-label>Usernomnomnom</username-label>
<password-label>Paßwört</password-label>
<panos-version>1</panos-version>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request>aHR0cDovL2xvbGNhdHMuY29tL2xvZ2luL3Zwbgo=</saml-request>
<region>US</region>
</prelogin-response>
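As an added example (not openconnect's code and not written by anyone in this thread), here is a small Python script that parses the prelogin-response shown above, base64-decodes the REDIRECT-style saml-request into the IdP URL, flags a redirect that is not served over HTTPS, and renders the HOST/FINGERPRINT/SECRET lines in the layout proposed in the comment. The function names, the non-HTTPS check and the quoting rule in format_env are my own assumptions; the XML sample and the placeholder values are the thread's own, and only the REDIRECT method seen in the thread is decoded.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Sample input: the prelogin-response from the comment above, embedded so the
# script runs offline. The hostname and values are the thread's placeholders,
# not a real gateway.
SAMPLE_PRELOGIN = """<prelogin-response>
<status>Success</status>
<ccusername/>
<autosubmit>false</autosubmit>
<msg/>
<newmsg/>
<authentication-message>OH HAI I CAN HAZ CRUDENSHULS?</authentication-message>
<username-label>Usernomnomnom</username-label>
<password-label>Paßwört</password-label>
<panos-version>1</panos-version>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request>aHR0cDovL2xvbGNhdHMuY29tL2xvZ2luL3Zwbgo=</saml-request>
<region>US</region>
</prelogin-response>"""


def parse_prelogin(xml_text):
    """Parse a prelogin-response and return its SAML-relevant fields.

    For the REDIRECT method shown in the thread, saml-request is base64 of
    the IdP URL. Other methods are not interpreted here (assumption: the
    caller decides what to do with them).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        raise ValueError("unexpected root element: %s" % root.tag)

    def field(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else None

    raw = field("saml-request")
    decoded = None
    if raw:
        # validate=True rejects non-base64 characters instead of skipping
        # them, so a mangled element fails loudly rather than half-decoding.
        decoded = base64.b64decode(raw, validate=True).decode("utf-8").strip()
    return {
        "status": field("status"),
        "auth_message": field("authentication-message"),
        "auth_method": field("saml-auth-method"),
        "saml_request": decoded,
    }


def saml_redirect_url(info):
    """Return the IdP URL for a REDIRECT-style prelogin, else raise."""
    if info["auth_method"] != "REDIRECT":
        raise ValueError("saml-auth-method %r not handled here" % info["auth_method"])
    if not info["saml_request"]:
        raise ValueError("saml-request is empty")
    return info["saml_request"]


def check_redirect(url):
    """Checks a client should run before opening the IdP redirect.

    Returns a list of warning strings; an empty list means nothing obvious.
    """
    warnings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        warnings.append("IdP redirect uses %s, not https; the login form "
                        "would be served unencrypted" % (parts.scheme or "no scheme"))
    if not parts.hostname:
        warnings.append("IdP redirect has no hostname")
    return warnings


def format_env(host, fingerprint, secret):
    """Emit HOST/FINGERPRINT/SECRET lines in the layout from the thread.

    Values are single-quoted for the shell. A value containing a single quote
    or newline is refused rather than escaped, because such a file is meant
    to be sourced and a stray quote in a cookie value could become shell code.
    """
    lines = []
    for name, value in (("HOST", host), ("FINGERPRINT", fingerprint), ("SECRET", secret)):
        if "'" in value or "\n" in value:
            raise ValueError("%s contains characters unsafe for a sourced file" % name)
        lines.append("%s='%s'" % (name, value))
    return "\n".join(lines)


if __name__ == "__main__":
    info = parse_prelogin(SAMPLE_PRELOGIN)
    url = saml_redirect_url(info)
    print("SAML login is required:", url)
    for warning in check_redirect(url):
        print("warning:", warning)
    print(format_env("10.2.3.4/gateway:prelogin-cookie",
                     "sha1:deadbeefdeadbeefdeadbeef012345678",
                     "blahblahblahblahblahblah"))
```

Run against the sample above it prints the same "SAML login is required" line as the openconnect session in the comment, followed by a warning because the lolcats.com redirect is plain http; with a real gateway you would feed it the prelogin-response body you captured and pass the resulting cookie in as the SECRET value.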
Hah, mine actually got me in a 512 loop :/
It would be great. I was thinking about how

Edit: I'll see if I can imitate this

I tried doing it with Selenium and browsermob-proxy but the result was a Frankenstein 😂
Hmm, got that
It's probably not the best, but I just finished a script that runs the SAML login flow in your browser and gets the prelogin cookie. It tampers with the SAML request to point to your localhost. (It might be a security issue though, since you have to authorize your localhost on CAS.)

I can get the prelogin-cookie just fine, but I keep getting a 512 (I'll try to understand it later though).

Maybe it might work with Okta (@arthepsy, could you see if that helps you too?), since it opens the IdP part in your browser and only worries about the GlobalProtect side.
Hello there,
Our company uses CAS for authentication and we are using SAML for it. I've seen the issues about SAML, but they are related to Okta, and I'm not sure if that is the same flow. Does anyone have experience using it with the same setup?