dlenski / openconnect

OpenConnect client extended to support Palo Alto Networks' GlobalProtect VPN
676 stars, 130 forks

Using AAD SAML auth with AnyConnect #143

Open aph3rson opened 5 years ago

aph3rson commented 5 years ago

I'm trying to connect to an AnyConnect VPN while using OpenConnect. Unfortunately, this particular VPN uses SAML, provided by Azure AD.

Are there any options available for doing this with an AnyConnect VPN? I know that there's been work with GlobalProtect VPNs and SAML auth via Okta, but this seems to be a separate ballgame.

dlenski commented 5 years ago

> Are there any options available for doing this with an AnyConnect VPN? I know that there's been work with GlobalProtect VPNs and SAML auth via Okta, but this seems to be a separate ballgame.

No scripts for doing the "SAML auth tap-dance" with Azure exist, as far as I know, but it should be possible to start with something like @arthepsy's https://github.com/arthepsy/pan-globalprotect-okta and adapt it for this purpose.

Also see #137, where a user got Azure auth working… but this seems to be a setup without SAML.

chrispoupart commented 4 years ago

My workplace just moved to a SAML-based Azure AD authentication. Previously they were doing MFA in a way that worked with the Auth app.

I would really much rather NOT have to switch to AnyConnect. Is there anything specific that I could do to help move this support along?

dlenski commented 4 years ago

> I would really much rather NOT have to switch to AnyConnect. Is there anything specific that I could do to help move this support along?

@chrispoupart Can you share logs of what it looks like when openconnect v8.x tries to connect to your server (openconnect --dump -vvvv)? I understand that it probably doesn't get that far… but we don't even know what an AnyConnect server sends when it wants to do SAML auth.

Also, let's please move this over to GitLab, where all the upstream development is happening. I created https://gitlab.com/openconnect/openconnect/issues/84

aph3rson commented 4 years ago

@dlenski can we get this GitHub project annotated in some fashion, then, if you're moving development to GitLab?

rlueder commented 4 years ago

My company recently switched from Okta to Microsoft Authenticator, causing the standard Gnome VPN client to not connect anymore. For those with the same issue, @vlaci's https://github.com/vlaci/openconnect-sso solved the issue.

ElectricRCAircraftGuy commented 1 year ago

Thank you @rlueder !

I just wrote these detailed instructions on how to install and use openconnect-sso: How to use "openconnect" (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO)