vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0

Error on login XMLSyntaxError #74

Open germanztz opened 2 years ago

germanztz commented 2 years ago

sso

uname -a:

Linux **** 5.4.0-92-generic #103-Ubuntu SMP Fri Nov 26 16:13:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Command

openconnect-sso -l debug --server $VPNURL$/$VPNGROUP$ --user $USER$

Response

openconnect-sso -l debug --server $VPNURL$/$VPNGROUP$ --user $USER$
Using selector: EpollSelector
Loading KWallet
Loading SecretService
Loading Windows
Loading chainer
Loading libsecret
Loading macOS
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=$VPNURL$/$VPNGROUP$ name=
Starting new HTTPS connection (1): $VPNURL$:443
https://$VPNURL$:443 "GET /$VPNGROUP$ HTTP/1.1" 302 0
Resetting dropped connection: $VPNURL$
https://$VPNURL$:443 "GET /dana-na/auth/url_sN53kEnkUiIWOZmm/welcome.cgi HTTP/1.1" 302 None
https://$VPNURL$:443 "GET /dana-na/auth/url_sN53kEnkUiIWOZmm/login.cgi?realm=$VPNGROUP$ HTTP/1.1" 302 None
Starting new HTTPS connection (1): $COMPANY$.$2FAPROVIDER$.com:443
https://$COMPANY$.$2FAPROVIDER$.com:443 "GET /app/389858/sso?SAMLRequest=pZLLTsMwEEV%2FJfI%2BcR6tmlpNUKFCVOJRQcWCDZo6Q2spsY3HofD35IFE2XTD%0A2nc851zNgqCprVi2%2FqAf8b1F8sFnU2sSw0PBWqeFAVIkNDRIwkvxtLy7FWkU%0AC%2BuMN9LULFh1c0qDV0YX7OC9JcH5jhqCyLuWPNbYRNI0HKzlWT7PpzknMiy4%0ANk7isL1gMQvWq4K9zrN5jlhJQJSTWEIsJ%2FCWw3Q6m0G1yyZdjKjFtSYP2hcs%0AjdM0jJMwSbZJLOKJyJIXFmx%2B4C6VrpTenzfZjSESN9vtJtw8PG2HDz5Uhe6%2B%0AS%2F9KHY%2FHyBrnoY5GP42eV6Ah1MChE%2BF9cSHqyhqlfST36sIWZKcseEZHQ0Hd%0ARlYu%2BpwYTNxJ5ec5gQhd3zIr%2Fw204CcEI44Vvex6tTG1kl%2FBsq7N8coh%2BK6A%0AhPFyHPl7LuU3%0A&RelayState=https%3A%2F%2F$VPNURL$%2F$VPNGROUP$ HTTP/1.1" 200 None
[debug    ] Auth target url                [openconnect_sso.authenticator] url=https://$COMPANY$.$2FAPROVIDER$.com/app/389858/sso
[debug    ] Sending auth init request      [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="init" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <group-select></group-select>\n  <group-access>https://$COMPANY$.$2FAPROVIDER$.com/app/389858/sso</group-access>\n  <capabilities>\n    <auth-method>single-sign-on-v2</auth-method>\n  </capabilities>\n</config-auth>\n'
Starting new HTTPS connection (1): $COMPANY$.$2FAPROVIDER$.com:443
https://$COMPANY$.$2FAPROVIDER$.com:443 "POST /app/389858/sso HTTP/1.1" 200 None
[debug    ] Auth init response received    [openconnect_sso.authenticator] content=b'\n<!DOCTYPE html>\n<html lang="en">\n<head>\n  <meta charset="utf-8" />\n  <meta name="viewport" content="width=device-width, initial-scale=1.0" />\n  <title>$2FAPROVIDER$ Login</title><link href="/images/b6cb5943dcb44685d5cac99ec47f6536db67fc8e7d2b8fb8292cf9e73252d26e_$2FAPROVIDER$-favicon.png" rel="shortcut icon" type="image/png" /><link href="/css/5de83301260b81418262eef3c23d40fa672b1c552126aa33709961a29d11fe11_login.min.css" rel="stylesheet" type="text/css" /></head>\n\n<body class="bgcover">\n  \n  <div class="login-wrap">\n    <div class="panel card">\n      <div class="panel-heading"><div class="brand"><img style="max-width:280px;max-height:150px" src="/org/11896af62a6d28ec00b33beef56bc8538a46af93845ecebc37aa13a0797c27ae.png" /></div></div>\n      <div class="panel-body"><form action="/login" method="POST" name="loginForm" id="loginForm" role="form" novalidate>\n          <input type="hidden" name="token" value="TuTay7cyQSm8XoBmcvukdjHo-lQ:1641895471341" />\n          <input type="hidden" name="target_method" value="POST" />\n          <input type="hidden" name="target_url" value="/app/389858/sso" />\n          <input type="hidden" name="target_postdata" value="%3C%3Fxml&#43;version=%271.0%27&#43;encoding%3D%27UTF-8%27%3F%3E%0A%3Cconfig-auth&#43;client%3D%22vpn%22&#43;type%3D%22init%22&#43;aggregate-auth-version%3D%222%22%3E%0A&#43;&#43;%3Cversion&#43;who%3D%22vpn%22%3E4.7.00136%3C%2Fversion%3E%0A&#43;&#43;%3Cdevice-id%3Elinux-64%3C%2Fdevice-id%3E%0A&#43;&#43;%3Cgroup-select%3E%3C%2Fgroup-select%3E%0A&#43;&#43;%3Cgroup-access%3Ehttps%3A%2F%2F$COMPANY$.$2FAPROVIDER$.com%2Fapp%2F389858%2Fsso%3C%2Fgroup-access%3E%0A&#43;&#43;%3Ccapabilities%3E%0A&#43;&#43;&#43;&#43;%3Cauth-method%3Esingle-sign-on-v2%3C%2Fauth-method%3E%0A&#43;&#43;%3C%2Fcapabilities%3E%0A%3C%2Fconfig-auth%3E%0A" />\n          <input type="hidden" name="target_opt" value="{&#34;app_id&#34;:389858}" /> \n         
 <input type="hidden" name="target_urlhash" value="" />\n\n          \n          <button type="submit" name="use_password" value="true" tabindex="-1" style="overflow:visible;height:0;width:0;margin:0;border:0;padding:0;display:block;border:none;"></button>\n\n          <div id="user-cert" style="display:none">\n            \n            <p>You are authenticated as:</p>\n            <div class="well well-sm">\n              <p><i class="fa fa-fw fa-lg fa-user"></i>&nbsp;&nbsp;<strong class="user-firstname-name">...</strong></p>\n              <p><i class="fa fa-fw fa-lg fa-envelope"></i>&nbsp;&nbsp;<span class="user-email">...</span></p>\n              <p><i class="fa fa-fw fa-lg fa-asterisk"></i>&nbsp;&nbsp;User Certificate</p>\n            </div>\n            <p>\n              <button type="button" class="btn btn-primary btn-lg">Use this identity</button>\n            </p>\n          </div>\n          <div id="user-spnego" style="display:none">\n            \n            <p>You are authenticated as:</p>\n            <div class="well well-sm">\n              <p><i class="fa fa-fw fa-lg fa-user"></i>&nbsp;&nbsp;<strong class="user-firstname-name">...</strong></p>\n              <p><i class="fa fa-fw fa-lg fa-envelope"></i>&nbsp;&nbsp;<span class="user-email">...</span></p>\n              <p><i class="fa fa-fw fa-lg fa-asterisk"></i>&nbsp;&nbsp;Integrated Windows Authentication</p>\n            </div>\n            <p>\n              <button type="button" class="btn btn-primary btn-lg">Use this identity</button>\n            </p>\n          </div>\n          <div id="showAltAccount" style="display:none">\n            <br/>\n            <a href="#" onclick="$(\'#altAccount\').toggle()">Use another account</a><br/>\n          </div>\n\n          <div id="altAccount">\n            <div class="inputBlock">\n              <div class="form-group inputWrapper">\n                <input type="email" class="login form-control login-user-en" name="username" id="userName" 
placeholder="Username or email" autofocus /><label for="userName" class="input-icon-tlm"><i class="fa fa-user-o"></i></label></div>\n              <div class="form-group inputWrapper">\n                <input type="password" class="login form-control" name="password" id="userPassword" placeholder="Password"  /><label for="userPassword" class="input-icon-tlm"><i class="fa fa-unlock-alt"></i></label></div>\n            </div>\n            <div class="form-group"><div class="passwordOptBlock"><div class="checkbox remember-me" title="Automatically fill your email on this computer">\n                  <label><input type="checkbox" name="remember_me"  checked id="checkbox-form" />Remember me</label>\n                </div><div class="forgotBlock1"><a class="forgot-password" href="https://$COMPANY$.$2FAPROVIDER$.com/forgot?s=%2Fapp%2F389858%2Fsso">Forgot your password?</a></div></div><div class="connexionBlock">\n                <button type="submit" name="use_password" value="true" class="btn btn-primary login-button">Sign in</button>\n              </div>\n            </div><div class="forgotBlock2">\n              <a class="forgot-password" href="https://$COMPANY$.$2FAPROVIDER$.com/forgot?s=%2Fapp%2F389858%2Fsso">Forgot your password?</a>\n            </div></div>\n        </form>\n        \n        <div class="errorBox" id="errorBox">\n          \n        </div>\n        </div>\n    </div>\n  </div>\n  <footer class="footer-tlm">\n  <div class="rightFooter-tlm">\n    <span class="$2FAPROVIDER$-tlm">secured by&nbsp;&nbsp;</span>\n    <img src="/images/92abca958ad9c16d36d43b012023403fca28fdac1c755eeb9feabe0901867e26_wallix_footer.png" alt="$2FAPROVIDER$" class="$2FAPROVIDER$Logo-tlm" />\n  </div>\n</footer>\n  <script src="/js/2359d383bf2d4ab65ebf7923bdf74ce40e4093f6e58251b395a64034b3c39772_jquery.min.js"></script>\n  <!--[if lt IE 10]>\n  \n  <script src="/js/4c141f368da1152af24808794c501b65be66f1550e1b0b2f6c10578fb945eaf2_placeholders.min.js"></script>\n  
<![endif]-->\n  \n  \n  <script>\n    $("input[name=target_urlhash]").val(window.location.hash);\n  </script>\n  \n  \n  </body>\n</html>'
Traceback (most recent call last):
  File "/home/$USER$/.local/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 139, in _run
    auth_response = await authenticate_to(
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 22, in authenticate
    response = self._start_authentication()
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 67, in _start_authentication
    return parse_response(response)
  File "/home/$USER$/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 137, in parse_response
    xml = objectify.fromstring(resp.content)
  File "src/lxml/objectify.pyx", line 1998, in lxml.objectify.fromstring
  File "src/lxml/etree.pyx", line 3252, in lxml.etree.fromstring
  File "src/lxml/parser.pxi", line 1912, in lxml.etree._parseMemoryDocument
  File "src/lxml/parser.pxi", line 1800, in lxml.etree._parseDoc
  File "src/lxml/parser.pxi", line 1141, in lxml.etree._BaseParser._parseDoc
  File "src/lxml/parser.pxi", line 615, in lxml.etree._ParserContext._handleParseResultDoc
  File "src/lxml/parser.pxi", line 725, in lxml.etree._handleParseResult
  File "src/lxml/parser.pxi", line 654, in lxml.etree._raiseParseError
  File "<string>", line 14
lxml.etree.XMLSyntaxError: Specification mandates value for attribute novalidate, line 14, column 121
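The traceback above is what you get when an HTML login page is fed to a strict XML parser: the boolean attribute `novalidate` on the `<form>` element has no value, which is legal HTML5 but not well-formed XML, so the parser gives up at that token rather than reporting that the endpoint never returned aggregate-auth XML at all. The following is an added example, not openconnect-sso's own code, showing how a client can sniff the body and the Content-Type before parsing and fail with an actionable message instead. It uses the standard library's ElementTree in place of lxml, and both sample bodies (an AnyConnect-style `config-auth` reply and a minimal IdP login form) are constructed here for the demonstration; the `UnexpectedAuthResponse` exception and the helper names are this example's own.

```python
"""Sniff an SSL-VPN auth response before handing it to an XML parser.

Added example, not part of openconnect-sso. Uses xml.etree.ElementTree
rather than lxml; the samples below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed sample: what an AnyConnect aggregate-auth endpoint replies
# to a type="init" request (shape only, not a captured response).
AGGREGATE_AUTH_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
  <opaque is-for="sg"><tunnel-group>VPN</tunnel-group></opaque>
  <auth id="main"><form><input type="sso" name="sso" /></form></auth>
</config-auth>
"""

# Constructed sample: a minimal IdP login page. The valueless
# `novalidate` attribute is legal HTML5 but not well-formed XML.
HTML_LOGIN_PAGE = b"""
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8" /><title>Login</title></head>
<body>
<form action="/login" method="POST" name="loginForm" id="loginForm" role="form" novalidate>
  <input type="hidden" name="token" value="constructed-token" />
  <input type="email" name="username" id="userName" />
  <input type="password" name="password" id="userPassword" />
</form>
</body>
</html>
"""


class UnexpectedAuthResponse(Exception):
    """Raised when the endpoint did not return aggregate-auth XML."""


def classify_body(content: bytes) -> str:
    """Cheap content sniffing on the first bytes: 'xml', 'html' or 'unknown'."""
    head = content.lstrip()[:512].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    if head.startswith(b"<?xml") or head.startswith(b"<config-auth"):
        return "xml"
    return "unknown"


def raw_xml_parse_fails(content: bytes) -> bool:
    """Mirror the failing call in the traceback: parse with no sniffing."""
    try:
        ET.fromstring(content)
    except ParseError:
        return True
    return False


def parse_auth_response(content: bytes, content_type: str = "") -> ET.Element:
    """Parse an aggregate-auth reply, or explain why it cannot be one.

    Checks the declared Content-Type and the leading bytes first, so an
    HTML login form produces a clear error instead of an XMLSyntaxError
    deep inside the parser.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if classify_body(content) == "html" or media_type == "text/html":
        hint = ""
        if re.search(rb"<input[^>]+type=[\"']password[\"']", content, re.I):
            hint = " containing a username/password form"
        raise UnexpectedAuthResponse(
            "expected aggregate-auth XML but received an HTML page" + hint
            + "; check that --server points at an AnyConnect endpoint"
        )
    try:
        root = ET.fromstring(content)
    except ParseError as exc:
        raise UnexpectedAuthResponse(f"response is not well-formed XML: {exc}") from exc
    if root.tag != "config-auth":
        raise UnexpectedAuthResponse(f"unexpected root element <{root.tag}>")
    return root


if __name__ == "__main__":
    print("raw parse of HTML fails:", raw_xml_parse_fails(HTML_LOGIN_PAGE))
    print("good reply type:", parse_auth_response(AGGREGATE_AUTH_OK).get("type"))
    try:
        parse_auth_response(HTML_LOGIN_PAGE, "text/html; charset=utf-8")
    except UnexpectedAuthResponse as err:
        print("HTML reply rejected:", err)
```

The sniffing is deliberately conservative: it only short-circuits on unambiguous HTML markers and otherwise lets the XML parser decide, so a genuine `config-auth` reply with an unusual Content-Type still parses. The password-field hint is what tells an operator that the redirect chain ended at an identity provider's interactive login rather than at the VPN gateway.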
dwmw2 commented 2 years ago

That looks like a Pulse (or Juniper NC) server, not AnyConnect.