]> code.communitydata.science - nu-vpn-proxy.git/blob - README.md
extensive cleanup, more logging
[nu-vpn-proxy.git] / README.md
1 gp-saml-gui
2 ===========
3
4 This is a helper script to allow you to interactively login to a GlobalProtect VPN
5 that uses SAML authentication.
6
7 Interactive login is, unfortunately, sometimes a necessary alternative to automated
8 login via scripts such as
9 [zdave/openconnect-gp-okta](https://github.com/zdave/openconnect-gp-okta).
10
11 Installation
12 ============
13
14 gp-saml-gui uses GTK, which requires Python 3 bindings.
15
16 On Debian / Ubuntu, these are packaged as `python3-gi`, `gir1.2-gtk-3.0`, and
17 `gir1.2-webkit2-4.0`:
18
19 ```
20 $ sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0
21 ```
22
23 Then, set up a virtual environment that can access these system packages,
24 activate it, and install the Python dependencies:
25
26 ```
27 $ virtualenv --python=python3 --system-site-packages venv
28 $ . venv/bin/activate
29 $ pip install requests
30 ```
31
32 How to use
33 ==========
34
35 Specify the GlobalProtect server URL (portal or gateway) and optional arguments.
36
37 This script will pop up a [GTK WebKit2 WebView](https://webkitgtk.org/) window.
38 After you succesfully complete the SAML login via web forms, the script will output
39 `HOST`, `USER`, and `COOKIE` variables in a form that can be used by
40 [OpenConnect](http://www.infradead.org/openconnect/juniper.html)
41 (similar to the output of `openconnect --authenticate`):
42
43 ```sh
44 $ eval $( gp-saml-gui.py -v vpn.company.com )
45 Got SAML POST content, opening browser...
46 Finished loading about:blank...
47 Finished loading https://company.okta.com/app/panw_globalprotect/deadbeefFOOBARba1234/sso/saml...
48 Finished loading https://company.okta.com/login/sessionCookieRedirect...
49 Finished loading https://vpn.qorvo.com/SAML20/SP/ACS...
50 Got SAML relevant headers, done: {'prelogin-cookie': 'blahblahblah', 'saml-username': 'foo12345@corp.company.com', 'saml-slo': 'no', 'saml-auth-status': '1'}
51
52 SAML response converted to OpenConnect command line invocation:
53
54     echo 'blahblahblah' |
55         openconnect --protocol=gp --user='foo12345@corp.company.com' --usergroup=prelogin-cookie:gateway --passwd-on-stdin vpn.company.com
56
57 $ echo $HOST; echo $USER; echo $COOKIE
58 https://vpn.company.com/gateway:prelogin-cookie
59 foo12345@corp.company.com
60 blahblahblah'
61
62 $ echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST"
63 ```
64
65 TODO
66 ====
67
68 * Packaging
69
70 License
71 =======
72
73 GPLv3 or newer

Community Data Science Collective || Want to submit a patch?