dlenski
commented
2 years ago After a lot of researching, and running gp-saml-gui with -x parameter, If I open the login window with other browser I see that the cookie is embedded on the webpage as a comment, and is not returned on the Http headers. I think that this is the root of the problem:
In fact, all of the other GP SAML server's I've seen embed the saml-* and *-cookie values as both HTTP headers and comments.
I made gp-saml-gui use the cookies since it was easier and more reliable.
Perhaps we need to check both to be sufficiently robust? PRs to do this welcome.
I donk know what is the version running on the Vpn appliance as it depends on other Department, but I know that it was updated since two days ago.
I wouldn't be surprised if the omission of the HTTP header versions is a mistake, perhaps due to some middlebox that filters out unknown HTTP headers.
I also wouldn't be surprised it this potential issue is already known to PAN, and if they make their servers emit both, and clients parse both, for this reason.
ByteCommander
messiahUA
Hi there: I was using gp-saml-gui to connect to my University Global Protect Vpn site until yesterday.
The behaviour is like this: I run the script
and, I can auth with my Microsoft Authenticator app on mobile and I see: Login succesful! But after that, nothing happens.
On the console, last message is:
After a lot of researching, and running gp-saml-gui with -x parameter, If I open the login window with other browser I see that the cookie is embedded on the webpage as a comment, and is not returned on the Http headers. I think that this is the root of the problem:
I don't know what is the version running on the Vpn appliance as it depends on other Department, but I know that it was updated since two days ago. Now that I know that this is the problem, when I get the "Login succesful" window I press F12 and I copy the prelogin cookie :-(. Its so slow but it works..
I write this post if anybody has the same problem...