arthepsy / pan-globalprotect-okta

PaloAlto Networks GlobalProtect VPN (integrated with OKTA) command-line client

requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. #12

Open mawxcarroll opened 5 years ago

mawxcarroll commented 5 years ago

I'm just trying out your code for the first time and first of all -- thank you! It's awesome that people are working on this. My school just switched to Pan-GP with okta and I haven't been able to access the VPN from my Ubuntu system.

I'm hoping that I'm just doing something simple wrong. I used a QR reader to get my totp secret and I think I've set up the config file correctly:

    debug = 0
    vpn_url = https://vpn.ursinus.edu
    okta_url = https://ursinus.okta.com
    username = ########
    password = ########
    totp.okta = ###################
    totp.google = ABCDEFGHIJKLMNOP
    gateway = Manual ny1-gw.example.com
    openconnect_cmd = sudo openconnect
    openconnect_args = # optional arguments to openconnect
    execute = 0 # execute openconnect command
    bug.nl = 0 # newline work-around for openconnect
    bug.username = 0 # username work-around for openconnect

I get the following error when I run:

    ~/git-repos/arthespy-okta$ ./gp-okta.py gp-okta.conf
    [INFO] prelogin request
    [INFO] okta saml request
    [INFO] okta auth request
    [INFO] sessionToken: 201116eJg70sxUsqIiW_ZuqZlAKqJRPTccwWsiLnAFytuvuODEfRbvL
    [INFO] okta redirect request
    [INFO] okta redirect form request
    Traceback (most recent call last):
      File "./gp-okta.py", line 379, in <module>
        main()
      File "./gp-okta.py", line 342, in main
        saml_username, prelogin_cookie = okta_redirect(conf, s, token, redirect_url)
      File "./gp-okta.py", line 286, in okta_redirect
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 519, in request
        prep = self.prepare_request(req)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 462, in prepare_request
        hooks=merge_hooks(request.hooks, self.hooks),
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 313, in prepare
        self.prepare_url(url, params)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 387, in prepare_url
        raise MissingSchema(error)
    requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. Perhaps you meant http:///login/cert?

Any advice would be helpful!

Thanks!

Cheers, tom

mawxcarroll commented 5 years ago

Okay, I think I've made some progress in understanding exactly where things go wrong.

When the script gets to the "okta redirect request," it finds the url https://xxxxx.okta.com/login/sessionCookieRedirect, which I gather is correct. After posting to that url, the script seems to be expecting something that will contain the saml-username and the prelogin-cookie. However, by pasting that url into a browser, I can see that it's just the page that either sends the push to the okta app on my phone or requests the sms code. (Apparently, I can also request my tech support to set up Yubikey for me -- I have no idea whether or not that might be easier.)

If I click on the send push button, it takes me to a "login successful" page. The source for that page clearly has the saml-username and the prelogin-cookie.

I'm a bit stuck here. It seems like I need to make the script provide some input to activate the button and send the push to my phone.

arthepsy commented 5 years ago

From output You provided:

[INFO] okta redirect request
[INFO] okta redirect form request

I can see that it fails here:

        url, data = parse_form(xhtml)
        log('okta redirect form request')
        r = s.post(url, data=data)

Meaning that it parsed HTML response from /login/sessionCookieRedirect and found form action as /login/cert, not the full URL. I can probably fix that by prefixing URL with current path, but I'm not sure I've seen /login/cert at all. Usually, the form contains url to /SAML20/SP/ACS or something.

I am not sure how to continue this, as I haven't seen such behavior, without some test account or full debug logs.

mawxcarroll commented 5 years ago

Yes, this is what I'm seeing! There's an "intermediate" web page where it asks me to click a button to send the push to my phone. If I do that interactively, it makes it to a page like you describe, with something like /SAML20/SP/ACS.

I'm at work but as soon as I get home I will attach the full debug logs. Let me know what else I can do to help.

Thanks!

dlenski commented 5 years ago

> Meaning that it parsed HTML response from /login/sessionCookieRedirect and found form action as /login/cert, not the full URL. I can probably fix that by prefixing URL with current path, but I'm not sure I've seen /login/cert at all. Usually, the form contains url to /SAML20/SP/ACS or something.

@arthepsy, I think you already know this, but you should be using urllib.urljoin(url_of_current_page, url_fragment) to combine the current and new URLs in a way that exactly matches what browsers do.

arthepsy commented 5 years ago

@dlenski yes, I'm aware, but I don't think that this will help, as I'm not sure what /login/cert expects and responds...

dlenski commented 5 years ago

Is it possible that /login/cert is simply a step where a client certificate is expected to be included in the request… and assuming the client cert is good it'll just redirect to a subsequent step?

(I've seen a couple non-GP VPNs that use a similar step, where only one request in the authentication process actually needs the client cert…)

mawxcarroll commented 5 years ago

Ok, here's the command line output and the full debug output is: debug.txt

Thanks!

    $~/git-repos/arthespy-okta$ ./gp-okta.py gp-okta.conf > debug.txt
    Traceback (most recent call last):
      File "./gp-okta.py", line 388, in <module>
        main()
      File "./gp-okta.py", line 352, in main
        userauthcookie = paloalto_getconfig(conf, s, saml_username, prelogin_cookie)
      File "./gp-okta.py", line 321, in paloalto_getconfig
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/adapters.py", line 498, in send
        raise ConnectionError(err, request=request)
    requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine('\n',))

arthepsy commented 5 years ago

@mawxcarroll this seems like a different issue, as the error is "Connection aborted." and the exception is in a different place than before. Looks like the VPN gateway just dropped the connection (don't know the reason, though). Could You try again?

arthepsy commented 5 years ago

I'm wondering why it got further than /login/cert in Your debug log. Did You make some changes locally?

mawxcarroll commented 5 years ago

Ah! Sorry, yes, I had hard-coded the correct saml-username and was trying to get it to move a bit further in the process. Here's the command line output from the unmodified code with the full debug output here: debug.txt

    $ ./gp-okta.py gp-okta.conf > debug.txt
    Traceback (most recent call last):
      File "./gp-okta.py", line 424, in <module>
        main()
      File "./gp-okta.py", line 387, in main
        saml_username, prelogin_cookie = okta_redirect(conf, s, token, redirect_url)
      File "./gp-okta.py", line 331, in okta_redirect
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 519, in request
        prep = self.prepare_request(req)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 462, in prepare_request
        hooks=merge_hooks(request.hooks, self.hooks),
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 313, in prepare
        self.prepare_url(url, params)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 387, in prepare_url
        raise MissingSchema(error)
    requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. Perhaps you meant http:///login/cert?

arthepsy commented 5 years ago

@mawxcarroll I reviewed Your debug.txt, compared with mine. Committed a patch that does the redirection dance until it gets prelogin-cookie. Please test it now and give feedback.

mawxcarroll commented 5 years ago

@arthepsy I tried the new version, and it definitely yields a different error: debug.txt

    $ ./gp-okta.py gp-okta.conf
    [INFO] prelogin request
    [INFO] okta saml request
    [INFO] okta auth request
    [INFO] sessionToken: 20111uqU4ajN3S6LHOyOSLMFbhF0u7avbepS7eyDjA5hDSTgI-HreNv
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    err: redirect rabbit hole is too deep...

alessiostalla commented 4 years ago

I'm getting the same error as @mawxcarroll. This is the last request:

# redirect.response:
status: 200

Cache-Control: no-cache, no-store
Connection: Keep-Alive
Content-Encoding: gzip
Content-Language: en
Content-Type: text/html;charset=utf-8
Date: Tue, 18 Feb 2020 15:29:24 GMT
Expires: 0
Keep-Alive: timeout=5, max=79
P3P: CP="HONK"
Pragma: no-cache
Server: nginx
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, JSESSIONID=46C9BE97EF4D87F7E69C65CC7E54A11F; Path=/; Secure; HttpOnly, t=blue-dark; Path=/, sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Strict-Transport-Security: max-age=315360000
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Okta-Request-Id: XkwC1HTK-YYP--h8j@7ApAAAAyQ
X-Rate-Limit-Limit: 850
X-Rate-Limit-Remaining: 837
X-Rate-Limit-Reset: 1582039814
X-Robots-Tag: none
X-UA-Compatible: IE=edge
X-XSS-Protection: 1; mode=block; report=https://okta.report-uri.com/r/d/xss/enforce

<!DOCTYPE html>
<!--[if IE 7]><html class="lt-ie10 lt-ie9 lt-ie8"><![endif]-->
<!--[if IE 8]><html class="lt-ie10 lt-ie9"> <![endif]-->
<!--[if IE 9]><html class="lt-ie10"><![endif]-->
<!--[if gt IE 9]><html><![endif]-->
<!--[if !IE]><!--><html><!--<![endif]-->
<head>

    <script>if (typeof module === 'object') {window.module = module; module = undefined;}</script>

    <title>XXXX - Sign In</title>
        <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="robots" content="none" />

    <link href="https://ok7static.oktacdn.com/assets/loginpage/css/okta-login-page.min.60d9d4a67434874ffe6904fb101d663f.css" type="text/css" rel="stylesheet"/><script>
        var okta = {
            locale: 'en',
            deployEnv: 'PROD'
        };
    </script>
    <script>window.okta || (window.okta = {}); okta.cdnUrlHostname = "//ok7static.oktacdn.com"; okta.cdnPerformCheck = false;</script><script>if (window.module) module = window.module;</script>

</head>
<body class="auth okta-container">

<!--[if gte IE 8]>
  <![if lte IE 9]>

    <style>
    .unsupported-browser-banner-wrap {
      padding: 20px;
      border: 1px solid #ddd;
      background-color: #f3fbff;
    }
    .unsupported-browser-banner-inner {
      position: relative;
      width: 735px;
      margin: 0 auto;
      text-align: left;
    }
    .unsupported-browser-banner-inner .icon {
      vertical-align: top;
      margin-right: 20px;
      display: inline-block;
      position: static !important;
    }
    .unsupported-browser-banner-inner a {
      text-decoration: underline;
    }
    </style>

    <div class="unsupported-browser-banner-wrap">
      <div class="unsupported-browser-banner-inner">
        <span class="icon icon-16 icon-only warning-16-yellow"></span>You are using an unsupported browser. For the best experience, update to <a href="https://support.okta.com/help/articles/Knowledge_Article/24532952-Platforms---Browser-and-OS-Support">a supported browser</a>.</div>
    </div>

  <![endif]>
<![endif]-->
<!--[if IE 8]> <div id="login-bg-image-ie8" class="login-bg-image" data-se="login-bg-image"></div> <![endif]-->
<!--[if (gt IE 8)|!(IE)]><!--> <div id="login-bg-image" class="login-bg-image" data-se="login-bg-image"></div> <!--<![endif]-->

<!-- hidden form for reposting fromURI for X509 auth -->
<form action="/login/cert" method="post" id="x509_login" name="x509_login" style="display:none;">
    <input type="hidden" class="hide" name="_xsrfToken" value="null"/><input type="hidden" id="fromURI" name="fromURI" class="hidden" value="&#x2f;app&#x2f;panw_globalprotect&#x2f;exk1difehdljP9cUR357&#x2f;sso&#x2f;saml&#x3f;SAMLRequest&#x3d;REDACTED base64-encoded request with sensitive data"/>
</form>

<div class="content">
  <div class="applogin-banner">
          <div class="applogin-background"></div>
          <div class="applogin-container">
              <h1>
                Connecting to<div class="applogin-app-logo">
                      <img src="https://ok7static.oktacdn.com/fs/bcg/4/gfs2h3fnucQaar64A356" alt="GlobalProtect&#x20;VPN" class="logo panw_globalprotect"/></div>
              </h1>
              <p>Sign-in with your XXXX account to access GlobalProtect VPN</p>
          </div>
      </div>
  <style type="text/css">
    .noscript-msg {
        background-color: #fff;
        border-color: #ddd #ddd #d8d8d8;
        box-shadow:0 2px 0 rgba(175, 175, 175, 0.12);
        text-align: center;
        width: 398px;
        min-width: 300px;
        margin: 200px auto;
        border-radius: 3px;
        border-width: 1px;
        border-style: solid;
    }

    .noscript-content {
        padding: 42px;
    }

    .noscript-content h2 {
        padding-bottom: 20px;
    }

    .noscript-content h1 {
        padding-bottom: 25px;
    }

    .noscript-content a {
        background: transparent;
        box-shadow: none;
        display: table-cell;
        vertical-align: middle;
        width: 314px;
        height: 50px;
        line-height: 36px;
        color: #fff;
        background: linear-gradient(#007dc1, #0073b2), #007dc1;
        border: 1px solid;
        border-color: #004b75;
        border-bottom-color: #00456a;
        box-shadow: rgba(0, 0, 0, 0.15) 0 1px 0, rgba(255, 255, 255, 0.1) 0 1px 0 0 inset;
        -webkit-border-radius: 3px;
        border-radius: 3px;
    }

    .noscript-content a:hover {
        background: #007dc1;
        cursor: hand;
        text-decoration: none;
    }
</style>
<noscript>
    <div id="noscript-msg" class="noscript-msg">
        <div class="noscript-content">
            <h2>Javascript is required</h2>
            <h1>Javascript is disabled on your browser.&nbspPlease enable Javascript and refresh this page.</h1>
            <a href=".">Refresh</a>
        </div>
    </div>
</noscript>
<div id="signin-container"></div>
  <div id="okta-sign-in" class="auth-container main-container" style="display:none">
      <div id="unsupported-onedrive" class="unsupported-message" style="display:none">
        <h2 class="o-form-head">Your OneDrive version is not supported</h2>
        <p>Upgrade now by installing the OneDrive for Business Next Generation Sync Client to login to Okta</p>
        <a class="button button-primary" target="_blank" href="https://support.okta.com/help/articles/Knowledge_Article/Upgrading-to-OneDrive-for-Business-Next-Generation-Sync-Client">
          Learn how to upgrade</a>
      </div>
      <div id="unsupported-cookie" class="unsupported-message" style="display:none">
          <h2 class="o-form-head">Cookies are required</h2>
          <p>Cookies are disabled on your browser. Please enable Cookies and refresh this page.</p>
          <a class="button button-primary" target="_blank" href=".">
              Refresh</a>
      </div>
  </div>
</div>

<div class="footer">
  <div class="footer-container clearfix">
    <p class="copyright">Powered by <a href="http://www.okta.com/" class="inline-block notranslate">Okta</a></p>
        <p class="privacy-policy"><a href="/privacy" target="_blank" class="inline-block margin-l-10">Privacy Policy</a></p>
    </div>
</div>

<script type="text/javascript">function runLoginPage (fn) {var mainScript = document.createElement('script');mainScript.src = 'https://ok7static.oktacdn.com/assets/js/mvc/loginpage/initLoginPage.pack.dccc076846c26b0541cee609dba6db95.js';mainScript.crossOrigin = 'anonymous';mainScript.integrity = 'sha384-R3LzzrOmyic5+C41ouOec6dn8uBrIdNocmeWP8EX2vVxjBHToemHB0XSywlqpumH';document.getElementsByTagName('head')[0].appendChild(mainScript);fn && mainScript.addEventListener('load', function () { setTimeout(fn, 1) });}</script><script type="text/javascript">
(function(){

  var baseUrl = 'https\x3A\x2F\x2Fidentity.XXXX.com';
  var suppliedRedirectUri = '';
  var repost = false;
  var stateToken = '';
  var fromUri = '\x2Fapp\x2Fpanw_globalprotect\x2Fexk1difehdljP9cUR357\x2Fsso\x2Fsaml\x3FSAMLRequest\x3DREDACTED';
  var username = '';
  var rememberMe = false;
  var smsRecovery = false;
  var callRecovery = false;
  var emailRecovery = true;
  var usernameLabel = 'Username';
  var usernameInlineLabel = '';
  var passwordLabel = 'Password';
  var passwordInlineLabel = '';
  var signinLabel = 'Sign\x20In';
  var forgotpasswordLabel = 'Forgot\x20password\x3F';
  var unlockaccountLabel = 'Unlock\x20account\x3F';
  var helpLabel = 'Help';
  var orgSupportPhoneNumber = '';
  var hideSignOutForMFA = false;
  var hideBackToSignInForReset = false;
  var loginPageUrlRedirect = '';
  var enableUrlFixForEmbeddedBrowsers = false;
  var footerHelpTitle = 'Need\x20help\x20signing\x20in\x3F';
  var recoveryFlowPlaceholder = 'Email\x20or\x20Username';
  var signOutUrl = '';
  var authScheme = 'OAUTH2';
  var hasPasswordlessPolicy = '';

  var securityImage = true;

  var windowsVerify = false;

    windowsVerify = true;

  var selfServiceUnlock = false;

  var preventBrowserFromSavingOktaPassword = false;

      preventBrowserFromSavingOktaPassword = true;

  var redirectByFormSubmit = false;

  var restrictRedirectToForeground = false;

  var hideDefaultTip = true;

  var autoPush = false;

    autoPush = true;

  var publishToAccountChooser = false;
  var accountChooserDiscoveryUrl = null;

    publishToAccountChooser = true;
    accountChooserDiscoveryUrl = 'https://login.okta.com/discovery/iframe.html';

  // In case of custom app login, the uri is already absolute, so we must not attach baseUrl
  var redirectUri;
  if (isAbsoluteUri(fromUri)) {
      redirectUri = fromUri;
  } else {
      redirectUri = baseUrl + fromUri;
  }

  var customButtons;

      var pivTitle = 'PIV\x20Card';
      var pivClassName = '';
      // Use different title and color when IDP_BASED_SIGN_ON_POLICY is enabled

      customButtons = [{
        title: pivTitle,
        className: pivClassName,
        click: function() {
          if (repost) {
            document.x509_login.submit();
          } else {
            window.location.href='/login/cert?fromURI=' + encodeURIComponent(fromUri);
          }
        }
      }];

  var pivProperties = {};

  var customLinks = [];

  var linkParams;

  var stateTokenAllFlows;

  var idpDiscovery;
  var idpDiscoveryRequestContext;

  var showPasswordToggleOnSignInPage = false;

  var hasOAuth2ConsentFeature = false;
  var consentFunc;

  var hasMfaAttestationFeature = false;

    hasMfaAttestationFeature = true;

  var registration = false;

  var webauthn = true;

  var loginPageConfig = {
    fromUri: fromUri,
    repost: repost,
    redirectUri: redirectUri,
    isMobileClientLogin: false,
    isMobileSSO: false,

    linkParams: linkParams,
    hasChromeOSFeature: false,
    showLinkToAppStore: false,
    publishToAccountChooser: publishToAccountChooser,
    accountChooserDiscoveryUrl: accountChooserDiscoveryUrl,
    preventBrowserFromSavingOktaPassword: preventBrowserFromSavingOktaPassword,
    enableUrlFixForEmbeddedBrowsers: enableUrlFixForEmbeddedBrowsers,
    loginPageUrlRedirect: loginPageUrlRedirect,
    mfaAttestation: hasMfaAttestationFeature,
    enrollingFactor: '',
    signIn: {
      el: '#signin-container',
      baseUrl: baseUrl,
      brandName: 'Okta',
      logo: 'https://ok7static.oktacdn.com/fs/bco/1/fs0oig1kk82ILLpWl356',
      logoText: 'XXXX logo',
      helpSupportNumber: orgSupportPhoneNumber,
      stateToken: stateToken,
      username: username,
      signOutLink: signOutUrl,
      consent: consentFunc,
      authScheme: authScheme,
      relayState: fromUri,
      idpDiscovery: {
        requestContext: idpDiscoveryRequestContext
      },
      features: {
        router: true,
        securityImage: securityImage,
        rememberMe: rememberMe,
        autoPush: autoPush,
        webauthn: webauthn,
        smsRecovery: smsRecovery,
        callRecovery: callRecovery,
        emailRecovery: emailRecovery,
        windowsVerify: windowsVerify,
        selfServiceUnlock: selfServiceUnlock,
        multiOptionalFactorEnroll: true,
        deviceFingerprinting: true,
        useDeviceFingerprintForSecurityImage: true,
        trackTypingPattern: false,
        hideSignOutLinkInMFA: hideSignOutForMFA,
        hideBackToSignInForReset: hideBackToSignInForReset,
        customExpiredPassword: true,
        idpDiscovery: idpDiscovery,
        passwordlessAuth: hasPasswordlessPolicy,
        consent: hasOAuth2ConsentFeature,
        showPasswordToggleOnSignInPage: showPasswordToggleOnSignInPage,
        registration: registration,
        redirectByFormSubmit: redirectByFormSubmit,
        restrictRedirectToForeground: restrictRedirectToForeground,
        hideDefaultTip: hideDefaultTip
      },

      assets: {
        baseUrl: okta.cdnUrlHostname + '/assets/js/mvc/loginpage/i18n'
      },

      language: okta.locale,
      i18n: {},

      customButtons: customButtons,

      piv: pivProperties,

      helpLinks: {
        help: '',
        forgotPassword: '',
        unlock: '',
        custom: customLinks
      }
    }
  };

  loginPageConfig.signIn.i18n[okta.locale] = {

    'primaryauth.username.placeholder': usernameLabel,
    'primaryauth.username.tooltip': usernameInlineLabel,
    'primaryauth.password.placeholder': passwordLabel,
    'primaryauth.password.tooltip': passwordInlineLabel,
    'mfa.challenge.password.placeholder': passwordLabel,
    'primaryauth.title': signinLabel,
    'forgotpassword': forgotpasswordLabel,
    'unlockaccount': unlockaccountLabel,
    'help': helpLabel,
    'needhelp': footerHelpTitle,
    'password.forgot.email.or.username.placeholder': recoveryFlowPlaceholder,
    'password.forgot.email.or.username.tooltip': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.placeholder': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.tooltip': recoveryFlowPlaceholder
  };

  function isOldWebBrowserControl() {
    // We no longer support IE7. If we see the MSIE 7.0 browser mode, it's a good signal
    // that we're in a windows embedded browser.
    if (navigator.userAgent.indexOf('MSIE 7.0') === -1) {
      return false;
    }

    // Because the userAgent is the same across embedded browsers, we use feature
    // detection to see if we're running on older versions that do not support updating
    // the documentMode via x-ua-compatible.
    return document.all && !window.atob;
  }

  function isAbsoluteUri(uri) {
    var pat = /^https?:\/\//i;
    return pat.test(uri);
  }

  var unsupportedContainer = document.getElementById('okta-sign-in');

  var failIfCookiesDisabled = true;

  // Old versions of WebBrowser Controls (specifically, OneDrive) render in IE7 browser
  // mode, with no way to override the documentMode. In this case, inform the user they need
  // to upgrade.
  if (isOldWebBrowserControl()) {
    document.getElementById('unsupported-onedrive').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else if (failIfCookiesDisabled && !navigator.cookieEnabled) {
    document.getElementById('unsupported-cookie').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else {
    unsupportedContainer.parentNode.removeChild(unsupportedContainer);
    runLoginPage(function () {
      OktaLogin.initLoginPage(loginPageConfig);
    });
  }

}());
</script>

<script>
  window.addEventListener('load', function(event) {
    function applyStyle(id, style) {
      if (style) {
        var el = document.getElementById(id);
        if (el) {
          el.setAttribute('style', style);
        }
      }
    }
    applyStyle('login-bg-image', "background-image: url('https://ok7static.oktacdn.com/fs/bco/7/fs0oinn65InFZvdbi356')");
    applyStyle('login-bg-image-ie8', "filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='https://ok7static.oktacdn.com/fs/bco/7/fs0oinn65InFZvdbi356', sizingMethod='scale')");
  });
</script>

</body>
</html>

alessiostalla commented 4 years ago

This appears to be my org's login page, so I think the redirect is a red herring, something's not working in the previous requests.