We duplicate a bunch of stuff that openconnect knows about the GP protocol, just as openconnect-sso duplicates a bunch of stuff about the AnyConnect protocol.
Now that the SAML support has been merged into OpenConnect upstream, it would be really nice to make the openconnect CLI capable of spawning a browser in a separate process. For AnyConnect we already have its 'external browser' mode but that's very different as the SAML flow actually terminates with a redirect to http://localhost:29786/... with the token. For the normal SAML flows we actually need a 'browser' that we can monitor and steal cookies from; we can't just launch the system browser (unless we make a nasty plugin and deal with the resulting security concerns).
So... can we make openconnect just spawn a variant of gp-saml-gui or openconnect-sso and get the cookie back from it? We already do something like that with TNCC for the DSPREAUTH cookie; instead of just unhelpfully printing No SSO handler, can we instead spawn something like
$WEBVIEW_SCRIPT --url $SAML_URL --final-url $SAML_FINAL_URL --cookie $SAML_TOKEN_COOKIE
... and then get the answer back from its stdout like we do with TNCC?
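One way the proposed contract could look from the caller's side, as an added example that is not part of the issue and not openconnect's or gp-saml-gui's code: a small Python driver that spawns `$WEBVIEW_SCRIPT` with `--url`, `--final-url` and `--cookie`, then reads the cookie back from the helper's stdout the way the post describes for TNCC. The output format (one `NAME=VALUE` line on stdout, diagnostics on stderr), the timeout, and the stand-in helper script are all assumptions made here; the helper below is a constructed fake that prints a canned value instead of opening a browser.

```python
import shlex
import subprocess
import sys

# Assumed output contract for the helper (not specified by the issue): it writes
# exactly one line "COOKIE_NAME=VALUE" to stdout when the final URL is reached,
# and anything else (progress, errors) to stderr. The cookie value therefore
# never appears on a command line, where other local users could read it via ps.


def build_helper_command(script, url, final_url, cookie_name):
    """Turn $WEBVIEW_SCRIPT plus the three proposed options into an argv list."""
    return [
        *shlex.split(script),
        "--url", url,
        "--final-url", final_url,
        "--cookie", cookie_name,
    ]


def parse_helper_output(output, cookie_name):
    """Extract the requested cookie value from the helper's stdout.

    Only a line whose name matches the cookie we asked for is accepted, so a
    chatty helper cannot smuggle an unrelated value into the VPN session.
    """
    for line in output.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name == cookie_name and value:
            return value
    raise ValueError(f"helper did not return a {cookie_name!r} cookie")


def run_sso_helper(script, url, final_url, cookie_name, timeout=300):
    """Spawn the webview helper and return the cookie it hands back on stdout.

    The timeout bounds how long a stuck or abandoned browser window can hold
    the VPN client; stderr is passed through so the user still sees prompts.
    """
    cmd = build_helper_command(script, url, final_url, cookie_name)
    proc = subprocess.run(
        cmd,
        stdout=subprocess.PIPE,
        stderr=None,          # let the helper talk to the terminal directly
        text=True,
        timeout=timeout,
        check=False,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"SSO helper exited with status {proc.returncode}")
    return parse_helper_output(proc.stdout, cookie_name)


# Constructed stand-in for $WEBVIEW_SCRIPT: a Python one-liner that echoes what a
# real webview would do to stderr and prints a fake cookie to stdout. It exists
# only so this example runs offline; a real helper would open the SAML URL and
# wait for the final URL before reading the cookie from its cookie jar.
_FAKE_HELPER_CODE = """
import sys
args = sys.argv[1:]
opts = dict(zip(args[0::2], args[1::2]))
print("fake webview: would open", opts["--url"], file=sys.stderr)
print("fake webview: would wait for", opts["--final-url"], file=sys.stderr)
print(opts["--cookie"] + "=constructed-token-value")
"""
FAKE_WEBVIEW_SCRIPT = " ".join(
    shlex.quote(part) for part in (sys.executable, "-c", _FAKE_HELPER_CODE)
)


if __name__ == "__main__":
    # Example values; the real ones come from openconnect's prelogin exchange.
    token = run_sso_helper(
        FAKE_WEBVIEW_SCRIPT,
        "https://gateway.example/SAML20/SP/AuthnRequest",   # constructed
        "https://gateway.example/SAML20/SP/ACS",            # constructed
        "saml-token-cookie",                                # assumed name
    )
    # Never log the token itself; its length is enough to confirm we got one.
    print(f"got a {len(token)}-character cookie from the helper")
```

The driver is deliberately strict about what it accepts back: only the cookie name it asked for, only from stdout, and only before the timeout expires. Those three checks are the ones that matter if the helper is a separate, user-supplied program, since whatever it returns ends up as the VPN session credential.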