vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
280 stars 119 forks

Token Verification failure (Azure) #70

Closed petergarbers closed 2 years ago

petergarbers commented 2 years ago

Hi all. The company I work at has just enabled SSO with an authenticator and I'm having issues with it authenticating (Azure). I have tried authenticating with the authenticator app, as well as text message. Both seem to throw the same error.

[info     ] Browser exited                 [openconnect_sso.browser.browser]
[debug    ] Sending auth finish request    [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <session-token/>\n  <session-id/>\n  <opaque is-for="sg">\n    <tunnel-group>DefaultWEBVPNGroup</tunnel-group>\n    <auth-method>single-sign-on-v2</auth-method>\n    <config-hash>1624075756240</config-hash>\n  </opaque>\n  <auth>\n    <sso-token></sso-token>\n  </auth>\n</config-auth>\n'
https://vpn2.my-company.com:443 "POST / HTTP/1.1" 200 None
[debug    ] Auth finish response received  [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>DefaultWEBVPNGroup</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<config-hash>1624075756240</config-hash>\n</opaque>\n<auth id="main">\n<message>Please complete the authentication process in the AnyConnect Login window.</message>\n<error id="109">Single sign-on AnyConnect token verification failure.</error>\n<sso-v2-login>https://vpn2-saml.my-company.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&#x26;acsamlcap=v2</sso-v2-login>\n<sso-v2-login-final>https://vpn2-saml.my-company.com/+CSCOE+/saml_ac_login.html</sso-v2-login-final>\n<sso-v2-logout>https://vpn2-saml.my-company.com/+CSCOE+/saml/sp/logout</sso-v2-logout>\n<sso-v2-logout-final>https://vpn2-saml.my-company.com/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>\n<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>\n<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>\n<form>\n<input type="sso" name="sso-token"></input>\n</form>\n</auth>\n</config-auth>\n'
[info     ] Response received              [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=
[error    ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn2-saml.my-company.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn2-saml.my-company.com/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fe4fd5f0f80>)
Traceback (most recent call last):
  File "/usr/bin/openconnect-sso", line 33, in <module>
    sys.exit(load_entry_point('openconnect-sso==0.7.3', 'console_scripts', 'openconnect-sso')())
  File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 139, in _run
    auth_response = await authenticate_to(
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
    raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn2-saml.my-company.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn2-saml.my-company.com/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fe4fd5f0f80>)

You can find the entire output here: https://gist.github.com/petergarbers/e43ed8ecd2e82baed08b54b64514e291

I'm really unsure how to proceed. Any guidance would be very welcomed
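To make the exchange in the log easier to read, here is an added example (written for this page, not openconnect-sso's own code) that parses the gateway's `auth-request` reply and builds the `auth-reply` the client would send back. The sample XML is constructed from the "Auth finish response received" line above; the point of `build_auth_reply` is that it refuses to send an empty `<sso-token>`, which is exactly what the client posted just before the gateway answered with error 109. Element names, the `acSamlv2Token` cookie name and the tunnel group come from the log; the function and class names are this example's own.

```python
"""Parse an AnyConnect aggregate-auth <config-auth> exchange and check the
client's auth-reply before it is sent. Added example, not openconnect-sso code."""
import copy
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed from the "Auth finish response received" line in the issue log.
AUTH_REQUEST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>DefaultWEBVPNGroup</tunnel-group>
<auth-method>single-sign-on-v2</auth-method>
<config-hash>1624075756240</config-hash>
</opaque>
<auth id="main">
<message>Please complete the authentication process in the AnyConnect Login window.</message>
<error id="109">Single sign-on AnyConnect token verification failure.</error>
<sso-v2-login>https://vpn2-saml.my-company.com/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&#x26;acsamlcap=v2</sso-v2-login>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>
<form>
<input type="sso" name="sso-token"></input>
</form>
</auth>
</config-auth>"""


@dataclass
class AuthRequest:
    auth_id: str
    message: str
    error_id: Optional[str]       # e.g. "109" when the gateway rejects the token
    error_text: Optional[str]
    login_url: Optional[str]      # where the browser must complete SAML login
    token_cookie_name: Optional[str]  # cookie that carries the SAML token
    opaque: ET.Element            # echoed back unchanged in the auth-reply


def parse_auth_request(xml_bytes: bytes) -> AuthRequest:
    """Pull the fields the client needs out of a gateway auth-request."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError(f"unexpected message: {root.tag} type={root.get('type')}")
    auth = root.find("auth")
    opaque = root.find("opaque")
    if auth is None or opaque is None:
        raise ValueError("auth-request is missing <auth> or <opaque>")
    error = auth.find("error")
    return AuthRequest(
        auth_id=auth.get("id", ""),
        message=(auth.findtext("message") or "").strip(),
        error_id=error.get("id") if error is not None else None,
        error_text=error.text.strip() if error is not None and error.text else None,
        login_url=auth.findtext("sso-v2-login"),
        token_cookie_name=auth.findtext("sso-v2-token-cookie-name"),
        opaque=opaque,
    )


def sso_token_from_cookies(cookies: dict, cookie_name: str) -> Optional[str]:
    """Return the SAML token the gateway asked for, or None if the browser
    session never received it (the SAML login did not complete)."""
    token = cookies.get(cookie_name, "")
    return token or None


def build_auth_reply(opaque: ET.Element, sso_token: str) -> bytes:
    """Build the client's auth-reply. Refuses an empty token: sending
    <sso-token></sso-token> is what produced error 109 in the log."""
    if not sso_token:
        raise ValueError("refusing to send auth-reply with an empty sso-token")
    root = ET.Element("config-auth", attrib={
        "client": "vpn", "type": "auth-reply", "aggregate-auth-version": "2"})
    ET.SubElement(root, "version", attrib={"who": "vpn"}).text = "4.7.00136"
    ET.SubElement(root, "device-id").text = "linux-64"
    ET.SubElement(root, "session-token")
    ET.SubElement(root, "session-id")
    root.append(copy.deepcopy(opaque))  # tunnel-group, auth-method, config-hash
    auth = ET.SubElement(root, "auth")
    ET.SubElement(auth, "sso-token").text = sso_token
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


if __name__ == "__main__":
    req = parse_auth_request(AUTH_REQUEST_XML)
    print(f"gateway error {req.error_id}: {req.error_text}")
    # Constructed browser cookie jar: the token cookie is present here.
    token = sso_token_from_cookies({"acSamlv2Token": "constructed-token"}, req.token_cookie_name)
    print(build_auth_reply(req.opaque, token).decode())
```

In the real client the cookie jar comes from the embedded browser after the SAML flow at `login_url` finishes; if `sso_token_from_cookies` returns None, the right move is to stop and report that the login window never produced the token, rather than posting an empty reply and letting the gateway answer with error 109.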

mdlam92 commented 2 years ago

I was having this issue also, but I stopped specifying the --user argument and it started working. I think it's something to do with Microsoft's webpage and this utility's Qt web injection stuff.

petergarbers commented 2 years ago

@mdlam92 This fixed my issue. Thanks so much