vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0

Error after SSO Auth (Azure) is complete #93

Open bjornarfjelldal opened 2 years ago

bjornarfjelldal commented 2 years ago

Running

openconnect-sso --server vpnserver --user myuser -l debug

Goes through SSO with autocomplete user/password - and after completing 2FA verification, this happens:

[info     ] Browser exited                 [openconnect_sso.browser.browser] 
[debug    ] Sending auth finish request    [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <session-token/>\n  <session-id/>\n  <opaque is-for="sg">\n    <tunnel-group>saml</tunnel-group>\n    <auth-method>single-sign-on-v2</auth-method>\n    <config-hash>1658396513329</config-hash>\n  </opaque>\n  <auth>\n    <sso-token></sso-token>\n  </auth>\n</config-auth>\n'
https://vpnserver:443 "POST / HTTP/1.1" 200 None
[debug    ] Auth finish response received  [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>saml</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<config-hash>1658396513329</config-hash>\n</opaque>\n<auth id="main">\n<message>Please complete the authentication process in the AnyConnect Login window.</message>\n<error id="109">Single sign-on AnyConnect token verification failure.</error>\n<sso-v2-login>https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&#x26;acsamlcap=v2</sso-v2-login>\n<sso-v2-login-final>https://vpnserver/+CSCOE+/saml_ac_login.html</sso-v2-login-final>\n<sso-v2-logout>https://vpnserver/+CSCOE+/saml/sp/logout</sso-v2-logout>\n<sso-v2-logout-final>https://vpnserver/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>\n<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>\n<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>\n<form>\n<input type="sso" name="sso-token"></input>\n</form>\n</auth>\n</config-auth>\n'
[info     ] Response received              [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=
[error    ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&acsamlcap=v2', login_final_url='https://vpnserver/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fdc51360ac0>)
Traceback (most recent call last):
  File "/opt/miniconda3/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/opt/miniconda3/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/app.py", line 139, in _run
    auth_response = await authenticate_to(
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
    raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&acsamlcap=v2', login_final_url='https://vpnserver/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fdc51360ac0>)

I tried some tips from #57 without any luck, namely

https://github.com/vlaci/openconnect-sso/issues/57#issuecomment-854768168

and

https://github.com/vlaci/openconnect-sso/issues/57#issuecomment-854466649

Since the error message is different, I open a new issue.

Running this on MacOS Big Sur 12.5.

Any tips?
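A triage helper for the two `config-auth` messages in the debug log above, added here as an example (not part of the original post and not openconnect-sso code). The function names and the trimmed sample messages are constructed for illustration; the element names are those visible in the log.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to the fields of interest from the log shape above.
AUTH_REPLY = b"""<?xml version='1.0' encoding='UTF-8'?>
<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">
  <opaque is-for="sg"><tunnel-group>saml</tunnel-group></opaque>
  <auth><sso-token></sso-token></auth>
</config-auth>"""

AUTH_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<auth id="main">
<message>Please complete the authentication process in the AnyConnect Login window.</message>
<error id="109">Single sign-on AnyConnect token verification failure.</error>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
</auth>
</config-auth>"""


def summarize(raw):
    """Pull the fields that matter for SSO troubleshooting out of one message."""
    root = ET.fromstring(raw)
    if root.tag != "config-auth":
        raise ValueError("not a config-auth document")
    auth = root.find("auth")

    def text(name):
        el = auth.find(name) if auth is not None else None
        return None if el is None else (el.text or "").strip()

    err = auth.find("error") if auth is not None else None
    return {
        "type": root.get("type"),
        "error_id": err.get("id") if err is not None else None,
        "error": text("error"),
        "sso_token": text("sso-token"),  # "" = element present but empty
        "cookie_name": text("sso-v2-token-cookie-name"),
    }


def triage(reply, response):
    """Return human-readable findings for an auth-finish request/response pair."""
    sent, got = summarize(reply), summarize(response)
    findings = []
    # An empty token can also mean the log was redacted before sharing.
    if sent["type"] == "auth-reply" and not sent["sso_token"]:
        findings.append("auth-reply carried an empty <sso-token>")
    if got["type"] == "auth-request":
        findings.append("server asked for authentication again instead of completing it")
    if got["error_id"]:
        findings.append(f"server error {got['error_id']}: {got['error']}")
    return findings
```
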

elenhinan commented 2 years ago

I got the exact same error, but managed to get it to work after importing the AnyConnect profile using openconnect-sso -p /opt/cisco/anyconnect/profile/VPNprofile.xml. I think the only difference is that I didn't specify usergroup manually. Running in an Ubuntu docker, authenticating via Microsoft 365 two-factor.

Edit: I get an error message on the first run; on the second run it connects.

sam-sla commented 2 years ago

For us in our organization we had to stop passing the username in the cli as Azure does a stricter check apparently. Also make sure you have the username removed/commented from .config/openconnect-sso/config.toml

chenming1986 commented 2 years ago

Thanks @sam-sla ! The solution works for me.

A further look seems to indicate my organization (or Azure) now checks how quickly the "sign in" button is clicked. If it's too quick, the authentication fails. In my case, I managed to work around it by replacing the following lines in ~/.config/openconnect-sso/config.toml

[[auto_fill_rules."https://*"]]
selector = "input[type=submit]"
action = "click"

with

[[auto_fill_rules."https://*"]]
selector = "input[value=Next]"
action = "click"

[[auto_fill_rules."https://*"]]
selector = "input[value=Yes]"
action = "click"

so that the saved username and password still work, only the "sign in" button needs to be clicked manually.

chenming1986 commented 2 years ago

In case someone would like to automate the authentication process before the official fix is out, another workaround is to add a delay before clicking the "sign in" button:

Change https://github.com/vlaci/openconnect-sso/blob/4430cb09aefe15108e5f3b40b94ed792fbe9548b/openconnect_sso/browser/webengine_process.py#L257

to:

f"""
var elem = document.querySelector({selector});
if (elem) {{
    var click_delay = 0;
    if (elem.value == "Sign in") {{ click_delay = 1000; }}
    elem.dispatchEvent(new Event("focus"));
    setTimeout(function() {{ elem.click(); }}, click_delay);
}}
"""