]> code.communitydata.science - nu-vpn-proxy.git/blob - README-GP-SAML.md
noting version requirement for openconnect
[nu-vpn-proxy.git] / README-GP-SAML.md
1 [![Build Status](https://api.travis-ci.org/dlenski/gp-saml-gui.png)](https://travis-ci.org/dlenski/gp-saml-gui)
2
3 gp-saml-gui
4 ===========
5
6 This is a helper script to allow you to interactively login to a GlobalProtect VPN
7 that uses SAML authentication.
8
9 Interactive login is, unfortunately, sometimes a necessary alternative to automated
10 login via scripts such as
11 [zdave/openconnect-gp-okta](https://github.com/zdave/openconnect-gp-okta).
12
13 Installation
14 ============
15
16 gp-saml-gui uses GTK, which requires Python 3 bindings.
17
18 On Debian / Ubuntu, these are packaged as `python3-gi`, `gir1.2-gtk-3.0`, and
19 `gir1.2-webkit2-4.0`:
20
21 ```
22 $ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0
23 ```
24
25 Then, set up a virtual environment that can access these system packages,
26 activate it, and install the Python dependencies:
27
28 ```
29 $ virtualenv --python=python3 --system-site-packages venv
30 $ . venv/bin/activate
31 $ pip install requests
32 ```
33
34 How to use
35 ==========
36
37 Specify the GlobalProtect server URL (portal or gateway) and optional
38 arguments, such as `--clientos=Windows` (because many GlobalProtect
39 servers don't require SAML login, but apparently omit it in their configuration
40 for OSes other than Windows).
41
42 This script will pop up a [GTK WebKit2 WebView](https://webkitgtk.org/) window.
43 After you succesfully complete the SAML login via web forms, the script will output
44 `HOST`, `USER`, `COOKIE`, and `OS` variables in a form that can be used by
45 [OpenConnect](http://www.infradead.org/openconnect/juniper.html)
46 (similar to the output of `openconnect --authenticate`):
47
48 ```sh
49 $ eval $( gp-saml-gui.py --clientos=Windows vpn.company.com )
50 Got SAML POST content, opening browser...
51 Finished loading about:blank...
52 Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
53 Finished loading https://company.okta.com/login/sessionCookieRedirect...
54 Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
55 Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': 'foo12345@corp.company.com', 'saml-slo': 'no', 'saml-auth-status': '1'}
56
57 SAML response converted to OpenConnect command line invocation:
58
59     echo 'blahblahblah' |
60         openconnect --protocol=gp --user='foo12345@corp.company.com' --os=win --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com
61
62 $ echo $HOST; echo $USER; echo $COOKIE; echo $OS
63 https://vpn.company.com/gateway:prelogin-cookie
64 foo12345@corp.company.com
65 blahblahblah
66 win
67
68 $ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST"
69 ```
70
71 TODO
72 ====
73
74 * Packaging
75
76 License
77 =======
78
79 GPLv3 or newer

Community Data Science Collective || Want to submit a patch?