Closed mikeyjk closed 2 years ago
Could you post the XML response received from the server? It is logged on debug level (-l debug)
I'm sorry, I've moved on from this issue - thank you for your time anyway, apologies for noise
I have exactly this same issue and when running with -l debug what I get is
[debug ] Auth init response received [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>RemoteAccess</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<group-alias>RemoteAccess</group-alias>\n<config-hash>1655368651289</config-hash>\n</opaque>\n<auth id="main">\n<title>Login</title>\n<message>Please complete the authentication process in the AnyConnect Login window.</message>\n<banner>omitted</banner>\n<sso-v2-login>https://vpn4.ucl.ac.uk/+CSCOE+/saml/sp/login?tgname=RemoteAccess&acsamlcap=v2</sso-v2-login>\n<sso-v2-login-final>https://vpn4.ucl.ac.uk/+CSCOE+/saml_ac_login.html</sso-v2-login-final>\n<sso-v2-logout>https://vpn4.ucl.ac.uk/+CSCOE+/saml/sp/logout</sso-v2-logout>\n<sso-v2-logout-final>https://vpn4.ucl.ac.uk/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>\n<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>\n<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>\n<form>\n<input type="sso" name="sso-token"></input>\n<select name="group_list" label="GROUP:">\n<option selected="true">RemoteAccess</option>\n<option>bt-vpn.ucl.ac.uk</option>\n</select>\n</form>\n</auth>\n<host-scan>\n<host-scan-ticket></host-scan-ticket>\n<host-scan-token></host-scan-token>\n<host-scan-base-uri>/CACHE</host-scan-base-uri>\n<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>\n</host-scan>\n</config-auth>\n'
The error that makes it crash looks like this:
[error ] Required attributes not found in response ("no such child: sso-v2-login", does this endpoint do SSO?), exiting [openconnect_sso.app]
@vlaci same issue as @jmcarcell here—any updates?
[debug ] Auth finish response received [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>ANYCONNECT_MFA_ISE_TUNNEL_GROUP</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<group-alias>NAMEREPLACED_Remote_Access_VPN</group-alias>\n<config-hash>SOMENUMBERS</config-hash>\n</opaque>\n<auth id="main">\n<title>Login</title>\n<message>Please enter your username and password.</message>\n<banner></banner>\n<error id="13" param1="" param2="">Unable to complete connection: Cisco Secure Desktop not installed on the client</error>\n<form>\n<select name="group_list" label="GROUP:">\n<option selected="true">NAMEREPLACED_Remote_Access_VPN</option>\n</select>\n</form>\n</auth>\n<host-scan>\n<host-scan-ticket>SOMETICKETNUMBER</host-scan-ticket>\n<host-scan-token>SOMETOKEN</host-scan-token>\n<host-scan-base-uri>/CACHE</host-scan-base-uri>\n<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>\n</host-scan>\n</config-auth>\n'
[error ] Required attributes not found in response ("no such child: sso-v2-login", does this endpoint do SSO?), exiting [openconnect_sso.app]
Could you post the XML response received from the server? It is logged on debug level (-l debug)
I am running into the same issue. The <auth-method> tag contains "single-sign-on-v2".
b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>Default</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<group-alias>Default</group-alias>\n<config-hash>1666692613599</config-hash>\n</opaque>\n<auth id="main">\n<title>Login</title>\n<message>Please enter your username and password.</message>\n<banner></banner>\n<form>\n<input type="text" name="username" label="Username:"></input>\n<input type="password" name="password" label="Password:"></input>\n<select name="group_list" label="GROUP:">\n<option selected="true">Default</option>\n<option>COMPANYNAME</option>\n</select>\n</form>\n</auth>\n</config-auth>\n'
It's fair to say that the Cisco server is doing some integrity checks:
<error id="13" param1="" param2="">
Unable to complete connection: Cisco Secure Desktop not installed on the client
</error>
I wonder what magic is required to be sent in the post request for them to say that Cisco Secure Desktop is installed.
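Added example, not part of the thread and not openconnect-sso's own code: a small triage helper that separates the three response shapes posted above (SSO URLs present, an `<error>` element with a host-scan ticket, a plain username/password form), all of which advertise `single-sign-on-v2`. The sample documents are constructed and trimmed from the posted ones; the host name, ticket value and the `classify` and `sample` names are assumptions.

```python
import xml.etree.ElementTree as ET


def sample(auth_body, extra=""):
    """Wrap a constructed <auth> body in the envelope seen in the thread."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<config-auth client="vpn" type="auth-request">'
            '<opaque is-for="sg"><auth-method>single-sign-on-v2</auth-method></opaque>'
            f'<auth id="main">{auth_body}</auth>{extra}</config-auth>').encode()


# Constructed samples (placeholder host and ticket values).
SSO = sample('<sso-v2-login>https://vpn.example.invalid/+CSCOE+/saml/sp/login</sso-v2-login>'
             '<form><input type="sso" name="sso-token"></input></form>')
HOSTSCAN = sample('<error id="13" param1="" param2="">Unable to complete connection: '
                  'Cisco Secure Desktop not installed on the client</error><form></form>',
                  '<host-scan><host-scan-ticket>PLACEHOLDER</host-scan-ticket></host-scan>')
PASSWORD = sample('<form><input type="text" name="username"></input>'
                  '<input type="password" name="password"></input></form>')


def classify(content: bytes) -> dict:
    """Summarise a config-auth response so the failing case is visible at a glance."""
    root = ET.fromstring(content)
    error = root.find("auth/error")
    inputs = [i.get("type") for i in root.iterfind("auth/form/input")]
    ticket = (root.findtext("host-scan/host-scan-ticket") or "").strip()
    report = {
        "auth_method": root.findtext("opaque/auth-method"),
        "sso_login_url": root.findtext("auth/sso-v2-login"),
        # An Element without children is falsy, so compare against None.
        "error_id": error.get("id") if error is not None else None,
        "error_text": (error.text or "").strip() if error is not None else None,
        "input_types": inputs,
        "host_scan_ticket_issued": bool(ticket),
    }
    if report["sso_login_url"]:
        report["verdict"] = "sso-offered"
    elif error is not None:
        report["verdict"] = "server-error"
    elif "password" in inputs:
        report["verdict"] = "password-form"
    else:
        report["verdict"] = "unknown"
    return report
```
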
Hey all,
Thanks very much for this project, it has the potential to save me some pain. I've just noticed my attempt at using it is failing, presumably because the server is responding to me with:
Rather than the anticipated ssov2-login from https://github.com/vlaci/openconnect-sso/blob/master/openconnect_sso/authenticator.py#L155
I'm trying to play around with re-compiling, naively only updating that string + login_final_url, to then see if/where it blows up after that :)
But, of course, I'm running into issues with nix on my local machine. I'll keep trying, but if anyone has any suggestions I'd really appreciate it.
Thanks for your time
Edit/Update:
Bah, apologies, I clearly have 0 idea what I'm talking about, I made the change I referenced above, to receive an identical error message, and to also notice the field I was referring to /is/ being anticipated correctly:
Error message after making my change:
From authenticator.py:
So the auth-method my server is responding with /is/ anticipated, but nonetheless I'm getting the error: