search

clems71 / globalprotect-saml

CLI to drive SAML based auth for Global Protect VPN
MIT License
13 stars 2 forks source link

Thank you! Feature request #1

Open agaripian opened 2 years ago

agaripian commented 2 years ago

Thank you so much for making this utility! Appreciate that its open source as well!

I dont know if you are accepting feature requests but I figured I ask... I am new to go and lorca, but would it be possible to automate and enter the username, click a button and then wait for the password input field to appear then click another button, then click a last button to trigger the push notif?

Let me know your thoughts or if you can point me in the right direction I can give it a shot.

clems71 commented 2 years ago

Hey Alex, thanks for the kind words.

From what you're describing, I guess you'd like to fully automate the authentication pipeline, right? I'm looking at that too!

Problem is it is dependant on the actual SAML provider being used. For instance, for my use case, Okta is the SAML provider, but as this tool is generic, some people might be using Auth0, Azure Directory or something bespoke. They just comply to the SAML standard. Given those circumstances, it's hard to have something generic that would work for all providers, given the HTML UI elements are all different and workflows might vary : 2FA can be provided by Google Authenticator, YubiKey, SMS. There is also password-less auth with single time email link in some companies.

Another way to avoid tedious typing of password and 2FA code constantly between daily connect/reconnects, would be to keep cookies from run to run - that would buy us a 24h window where auth has to be done only once. The SAML provider would look at the cookies and assuming you ticked "keep my session alive", the SAML provider window would just appear and would complete without user interaction.

It is broken for the moment because Lorca doesn't like the way I close it - Chrome assumes the sessions has crashed and then resume with the "Aw Snap!" message. So I did a hack to delete the settings which contain info about the crashing session on close:

https://github.com/clems71/globalprotect-saml/blob/cd619f370517caca4c3c317bd46096d2168d535b/main.go#L75

This has the side effect of also suppressing the aforementioned cookies!

Let me know what you think and we'll find a proper way to automate it better if this is what you need!

neoncloud commented 2 years ago

I have done that using some JS, see my fork My organization using Microsoft Authenticator for 2FA, so I hard code it for the login page, you may change it as yours.

agaripian commented 2 years ago

Awesome thanks for sharing, I ended up going with the removal of os.RemoveAll("./data/Default/Preferences") and used chrome to remember my password. But this is a good solution as well