openconnect with gp does not prompt for SAML authentication in command line


I am using openconnect --protocol=gp vpn.mysite.com and it says it's connecting, but it is waiting for the SAML authentication. The command and authentication work on my Debian machine: it prompts for a username and password. But trying on my other Linux machine, it does not seem to want to prompt for authentication. This is the output:

POST https://vpn.mysite.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to 000.000.0.000:443
SSL negotiation with vpn.mysite.com
Connected to HTTPS on vpn.mysite.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
SAML REDIRECT authentication is required via https://sso.mysite.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZHfT4MwEMf%2FFdL3rQUqkGaQ4PbgkhnJij74Yiqcrgm02CvTP1%2B2uThf5uPlvj9yn1ug6rtBlKPfmS18jIA%2B%2BOo7g%2BK4yMnojLAKNQqjekDhGyHL%2B42I5kwMznrb2I4EJSI4r61ZWoNjD06C2%2BsGHrebnOy8H1BQuh%2FMHD7HObSj4Dymh5yIUVnRcilJsJq6tVGHlF8Poj17qG4HOlW%2B6Q5OXrqFVjtoPJXygQTrVU5eEgYsTrIsbXmbKp5BCkmTMh6GjMccokmGOMLaoFfG5yRiUThjNzOW1WEqokRE8TMJqp%2FLbrVptXm%2FjuH1JEJxV9fVrHqQNQmewOHxkElAisUBpjgWuwu812PVmSkp%2FiW4oBcNxWn6%2B9XiGw%3D%3D&RelayState=FWwGAOXiGV83OGI5MGJmMTExNzY1NDZmMjc0YTdlN2MzNGJiZmRkYw%3D%3D
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Failed to obtain WebVPN cookie

The openconnect version I am using is:

OpenConnect version v8.10
Using GnuTLS 3.7.1. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

Thank you for any assistance.

2


2
BEST ANSWER

Solved by adding --usergroup=gateway to the command.

So the full command that works is:

sudo openconnect --protocol=gp --usergroup=gateway vpn.mysite.com
0

You can connect to a Global Protect VPN that requires SAML authentication using openconnect with NetworkManager (nmcli) following these steps:

1. Create the VPN connection. Make sure you have installed openconnect and network-manager-openconnect so you can choose "Palo Alto Networks GlobalProtect" as the VPN protocol; specify the Gateway and also the Reported OS if you want to: [screenshot]

2. Obtain the URL to perform the SAML authentication:

openconnect --protocol=gp --usergroup=gateway --os=win my.company.gateway

The parameter --os is optional, if you want to specify the OS when connecting to the VPN.

The parameter --usergroup is optional; it could be gateway or portal. You can check which one works for your VPN, or not specify it if it is not necessary.

The output of the command should contain the URL to perform the SAML authentication.

3. Perform the SAML authentication with the URL obtained. When done, open the source of the page; there should be the prelogin-cookie (or portal-userauthcookie) and saml-username. Copy the values.

4. Obtain the VPN secrets necessary to connect to the VPN via nmcli:

echo {prelogin_cookie} | openconnect --protocol=gp --user={saml-username} --usergroup=gateway:prelogin-cookie --passwd-on-stdin --authenticate --os=win my.company.gateway

Put the appropriate values in {prelogin_cookie} and {saml-username} obtained in the last step.

The parameter --os is optional, if you want to specify the OS when authenticating to the VPN.

The parameter --usergroup is optional; it could be gateway:prelogin-cookie or portal:portal-userauthcookie. You can check which one works for your VPN, or not specify it if it is not necessary.

If the authentication was successful, the values for COOKIE, FINGERPRINT, HOST and RESOLVE should be in the output, something like this:

COOKIE='string with cookie'
HOST='x.x.x.x'
CONNECT_URL='xxxxx'
FINGERPRINT='string with fingerprint'
RESOLVE='xxxxx'

5. (Optional) Create a file that is going to be passed to nmcli as a passwd-file to perform the actual connection to the VPN. The file should look like this:

vpn.secrets.cookie:{COOKIE}
vpn.secrets.gwcert:{FINGERPRINT}
vpn.secrets.gateway:{HOST}
vpn.secrets.resolve:{RESOLVE}

Replace {COOKIE}, {FINGERPRINT}, {HOST} and {RESOLVE} with the actual values obtained in the last step, without the single quote characters.

6. Perform the connection to the VPN using the connection name or UUID created in step 1:

  • If you created a file with step 5:

    nmcli connection up "Test Connection GlobalProtect VPN" passwd-file /path/of/passwd-file
    
  • Connect without a file:

    If you don't want to create the file you can pass the passwd-file parameter as stdin, example:

    printf "vpn.secrets.cookie=...\nvpn.secrets.gwcert=..." | nmcli connection up "Test Connection GlobalProtect VPN" passwd-file /dev/stdin
    

    The string passed must be exactly as if we had created the passwd file specified in step 5, so you should put in the appropriate values.

If the connection was successful, you should see a key on the NetworkManager tray icon, and you can also see that you're connected to the VPN: [screenshot]

You need to do all these steps, except step 1, every time you want to connect to the VPN.

NOTE: If you don't want all the traffic to go through the VPN, you can edit the connection, go to IPv4 Settings and check the box with the option "Use this connection only for resources on its network": [screenshot]

PERFORM THE CONNECTION AUTOMATICALLY: I created this Python script that basically does all the steps mentioned to connect automatically; you can connect to a Global Protect VPN that requires SAML authentication using nmcli (NetworkManager) and openconnect.

Usage:

python connect_to_global_protect_vpn_using_nmcli.py --conection-name "Your VPN connection" --vpn-portal "your.vpn.portal" --vpn-user-groups "portal" --vpn-os "linux"

The script will check whether the connection specified already exists; if not, it creates a new VPN connection for the name, OS and portal provided, with protocol 'gp'. Then it does the SAML authentication and connects to the VPN using nmcli.
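An added POSIX sh example that ties steps 2 through 6 of the answer above together; it is not the answer's Python script and not part of the openconnect or NetworkManager projects. It assumes openconnect and nmcli are on PATH, that the NetworkManager connection from step 1 already exists, and that the user completes the SAML login in a browser and pastes back the prelogin-cookie and saml-username (step 3 stays manual). The two parsing helpers are the part worth reusing: one pulls the SAML URL out of the prelogin output, the other turns the KEY='value' lines from `openconnect --authenticate` into the passwd-file format with the quotes stripped, and a completeness check refuses to call nmcli when any of the four secrets is missing. The secrets are handed to nmcli over /dev/stdin so they never land in a file. The sample `--authenticate` output embedded for the demo is constructed, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not the answer's own script: steps 2, 4, 5 and 6 of the
# nmcli procedure in POSIX sh. Assumptions: openconnect and nmcli on PATH,
# the NetworkManager connection from step 1 exists, the user finishes the
# SAML login in a browser and pastes back prelogin-cookie and saml-username.

# Step 2: print the SAML login URL from openconnect's prelogin output (stdin).
# openconnect writes that line to stderr, so callers redirect 2>&1 into here.
extract_saml_url() {
    sed -n 's/^SAML [A-Z]* authentication is required via \(.*\)$/\1/p' | head -n 1
}

# Step 4 -> 5: convert the KEY='value' lines printed by `openconnect
# --authenticate` (stdin) into nmcli passwd-file lines, dropping the single
# quotes, which nmcli does not expect. CONNECT_URL is not needed by nmcli.
authenticate_output_to_passwd_file() {
    sed -n \
        -e "s/^COOKIE='\(.*\)'\$/vpn.secrets.cookie:\1/p" \
        -e "s/^FINGERPRINT='\(.*\)'\$/vpn.secrets.gwcert:\1/p" \
        -e "s/^HOST='\(.*\)'\$/vpn.secrets.gateway:\1/p" \
        -e "s/^RESOLVE='\(.*\)'\$/vpn.secrets.resolve:\1/p"
}

# Check before calling nmcli: all four secrets must be present with a
# non-empty value, otherwise the authentication step failed and nmcli would
# only report missing secrets. Reads stdin; returns 0 when complete.
passwd_file_is_complete() {
    count=$(grep -c -E '^vpn\.secrets\.(cookie|gwcert|gateway|resolve):.' || true)
    [ "$count" -eq 4 ]
}

# Steps 2, 4 and 6 end to end. Usage: connect_gp_vpn "<nm connection>" <gateway> [os]
connect_gp_vpn() {
    conn=$1; gateway=$2; os=${3:-win}

    # Step 2: with no cookie available, openconnect prints the SAML URL and
    # then gives up; stdin is /dev/null so it cannot block on a prompt.
    url=$(openconnect --protocol=gp --usergroup=gateway --os="$os" "$gateway" 2>&1 </dev/null | extract_saml_url)
    [ -n "$url" ] || { echo "no SAML URL found in prelogin output" >&2; return 1; }
    echo "Open this URL in a browser and complete the SAML login:"
    echo "$url"

    # Step 3 is manual: the user reads prelogin-cookie and saml-username
    # from the page source, as the answer describes.
    printf 'saml-username: '; read -r saml_user
    printf 'prelogin-cookie: '; read -r prelogin_cookie

    # Step 4: exchange the prelogin cookie for the session secrets.
    secrets=$(printf '%s\n' "$prelogin_cookie" | openconnect --protocol=gp \
        --user="$saml_user" --usergroup=gateway:prelogin-cookie \
        --passwd-on-stdin --authenticate --os="$os" "$gateway" \
        | authenticate_output_to_passwd_file)
    printf '%s\n' "$secrets" | passwd_file_is_complete \
        || { echo "authentication did not return all four secrets" >&2; return 1; }

    # Step 6: pass the secrets to nmcli over stdin instead of a file on disk.
    printf '%s\n' "$secrets" | nmcli connection up "$conn" passwd-file /dev/stdin
}

# Constructed sample of `openconnect --authenticate` output (not real values).
SAMPLE_AUTH_OUTPUT="COOKIE='authcookie=EXAMPLE;user=jdoe'
HOST='203.0.113.10'
CONNECT_URL='https://vpn.example.test/ssl-vpn/login.esp'
FINGERPRINT='pin-sha256:EXAMPLEFINGERPRINT'
RESOLVE='vpn.example.test:203.0.113.10'"

case "${1:-}" in
    demo)    printf '%s\n' "$SAMPLE_AUTH_OUTPUT" | authenticate_output_to_passwd_file ;;
    connect) connect_gp_vpn "$2" "$3" "${4:-win}" ;;
esac
```

Run it as `sh gp-nmcli.sh demo` to see the passwd-file lines produced from the constructed sample, or `sh gp-nmcli.sh connect "Test Connection GlobalProtect VPN" my.company.gateway` for the real flow. If your gateway needs the portal variant, change the two --usergroup values to portal and portal:portal-userauthcookie as the answer notes.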