yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0
1.37k stars, 153 forks

SAMLLoginWindow not rendering the login iframe anymore - showing white screen #247

Closed joeesteves closed 7 months ago

joeesteves commented 1 year ago

[screenshot]

Hey @yuezk, thanks for this wonderful app. It was a life saver. But it stopped working all of a sudden. Probably related to OKTA or Chrome changes.
The provider is OKTA.

If I reload the white page (with right click: reload) it shows the login form, but after successfully logging in it can't hear the authentication result and opens the white screen again.

yuezk commented 1 year ago

@joeesteves Would you mind trying the new client?

I'm rewriting this client using Tauri (the current progress is roughly 80%) on the refactor branch. You can follow the instructions on the README of that branch.

Can you help me verify whether it is reproducible on the new client? Thanks.

joeesteves commented 1 year ago

Hey @yuezk, thanks for such a quick response.

Well, here is my feedback on the new branch attempt.

1) needed to add some extra dependencies to build tauri. Here is a PR with the one I needed to add. https://github.com/yuezk/GlobalProtect-openconnect/pull/248

2) The webview renders correctly now, and it also goes well to the 2FA step. But at the end it throws an error and fails to authenticate. Not sure if it's related to the client; it seems to be failing on the OKTA side. The weird thing is that it was working before, and it also still works on the Palo Alto GlobalProtect Client on Mac. Let

[screenshot]

On the service side it says "found invalid token" 😕 but then "got auth data successfully, closing window".

[screenshot]

Any clue on where to go from here?

Thanks

yuezk commented 1 year ago

Have you retried it more times?

joeesteves commented 1 year ago

Yes, I tried multiple times. The only difference is that the first time it asked for A2F (a Google Authenticator token), but not on further attempts. But at the end it was always showing me that message 👇🏼 (only for 1 sec) and the window closes.

[screenshot]

yuezk commented 1 year ago

Can you help change the log level to debug, and say what is logged? Thanks.

https://github.com/yuezk/GlobalProtect-openconnect/blob/94a2cd28861d5bb13115796131b631b52fd45278/gpgui/src-tauri/src/main.rs#L20

joeesteves commented 1 year ago

```
[2023-08-03][14:57:38][INFO][app::setup] Using custom OpenSSL config
[2023-08-03][14:57:38][INFO][gpcommon::client] Connecting to the background service...
[2023-08-03][14:57:38][INFO][gpcommon::client] Connected to the background service
[2023-08-03][14:57:48][DEBUG][attohttpc] trying to connect to *****.*********.com:443
[2023-08-03][14:57:49][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][14:57:49][DEBUG][attohttpc] POST /global-protect/prelogin.esp?kerberos-support=yes HTTP/1.1
[2023-08-03][14:57:49][DEBUG][attohttpc] writing out body of length 119
[2023-08-03][14:57:49][DEBUG][attohttpc] creating a length body reader
[2023-08-03][14:57:49][DEBUG][attohttpc] creating plain reader
[2023-08-03][14:57:49][DEBUG][attohttpc] status code 200
[2023-08-03][14:57:49][INFO][app::auth] Starting SAML login
[2023-08-03][14:57:49][INFO][app::auth] Processing auth request: AuthRequest { saml_binding: Post, saml_request: ********** }
[2023-08-03][14:57:49][INFO][app::auth] Monitoring auth events
[2023-08-03][14:57:49][INFO][app::auth] Loading SAML request as HTML
[2023-08-03][14:57:49][WARN][app::utils] Error redacting URL: a cannot-be-a-base URL doesn’t have a host to set
[2023-08-03][14:57:49][INFO][app::auth] Loaded URI: about:blank
[2023-08-03][14:57:49][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:57:49][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:57:49][INFO][app::auth] Token not found, showing window in 3 seconds
[2023-08-03][14:57:51][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][14:57:51][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:57:51][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:57:51][INFO][app::auth] Token not found, showing window in 3 seconds
[2023-08-03][14:57:51][INFO][app::auth] The show window task has been already been scheduled, skipping
[2023-08-03][14:57:52][INFO][app::auth] Timeout expired after 3 seconds, showing window
[2023-08-03][14:57:53][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][14:57:53][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:57:53][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:58:04][INFO][app::auth] Showing window after timeout (15 seconds)
[2023-08-03][14:58:04][DEBUG][app::auth] Window is already visible, skipping
[2023-08-03][14:58:09][INFO][app::auth] Loaded URI: https://redacted/login/token/redirect?stateToken=__redacted__
[2023-08-03][14:58:09][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:58:09][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:58:09][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][14:58:09][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:58:09][DEBUG][app::auth] Error reading auth data from HTML: TokenInvalid
[2023-08-03][14:58:09][WARN][app::auth] Attempt #1 failed, found invalid token, retrying
[2023-08-03][14:58:09][INFO][app::auth] Window is not about to show, skipping cancel timeout
[2023-08-03][14:58:09][DEBUG][attohttpc] trying to connect to ******.*********.com:443
[2023-08-03][14:58:09][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][14:58:10][DEBUG][attohttpc] POST /global-protect/prelogin.esp?kerberos-support=yes HTTP/1.1
[2023-08-03][14:58:10][DEBUG][attohttpc] writing out body of length 119
[2023-08-03][14:58:10][DEBUG][attohttpc] creating a length body reader
[2023-08-03][14:58:10][DEBUG][attohttpc] creating plain reader
[2023-08-03][14:58:10][DEBUG][attohttpc] status code 200
[2023-08-03][14:58:10][INFO][app::auth] Got auth request from auth-request event, attempt #2
[2023-08-03][14:58:10][INFO][app::auth] Loading SAML request as HTML
[2023-08-03][14:58:10][WARN][app::utils] Error redacting URL: a cannot-be-a-base URL doesn’t have a host to set
[2023-08-03][14:58:10][INFO][app::auth] Loaded URI: about:blank
[2023-08-03][14:58:10][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:58:10][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:58:11][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][14:58:11][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][14:58:11][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][14:58:12][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][14:58:12][DEBUG][app::auth] Got auth data from HTTP headers: AuthData { username: Some("joe.*******@***********.com"), prelogin_cookie: **********, portal_userauthcookie: ********** }
[2023-08-03][14:58:12][INFO][app::auth] Got auth data successfully, closing window
[2023-08-03][14:58:12][DEBUG][attohttpc] trying to connect to ******.*********.com:443
[2023-08-03][14:58:12][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][14:58:13][DEBUG][attohttpc] POST /global-protect/getconfig.esp HTTP/1.1
[2023-08-03][14:58:13][DEBUG][attohttpc] writing out body of length 421
[2023-08-03][14:58:13][DEBUG][attohttpc] creating a length body reader
[2023-08-03][14:58:13][DEBUG][attohttpc] creating plain reader
[2023-08-03][14:58:13][DEBUG][attohttpc] status code 200
```

@yuezk I get the Okta login form, enter the credentials and then the window closes

yuezk commented 1 year ago

@joeesteves Just to confirm, do all of these fields (username, prelogin_cookie, and portal_userauthcookie) have non-empty values? And what's the error banner displayed on the main window?

joeesteves commented 1 year ago

@yuezk you mean this line 👇🏼

`{ username: Some("joe.*******@***********.com"), prelogin_cookie: **********, portal_userauthcookie: ********** }`

I think they are redacted for security reasons, but not empty.

This is the main window error: [screenshot]

yuezk commented 1 year ago

@joeesteves Can you help pull the latest code and help test it with the debug level log again? Thanks.

joeesteves commented 1 year ago

```
  VITE v4.1.4  ready in 134 ms

  ➜  Local:   http://localhost:5173/
  ➜  Network: use --host to expose
        Info Watching /home/joe/myTools/GlobalProtect-openconnect/gpcommon for changes...
        Info Watching /home/joe/myTools/GlobalProtect-openconnect/gpclient for changes...
        Info Watching /home/joe/myTools/GlobalProtect-openconnect/gpservice for changes...
        Info Watching /home/joe/myTools/GlobalProtect-openconnect/gpgui/src-tauri for changes...
   Compiling app v0.1.0 (/home/joe/myTools/GlobalProtect-openconnect/gpgui/src-tauri)
    Finished dev [unoptimized + debuginfo] target(s) in 11.89s
[2023-08-03][16:12:57][INFO][app::setup] Using custom OpenSSL config
[2023-08-03][16:12:57][INFO][gpcommon::client] Connecting to the background service...
[2023-08-03][16:12:57][INFO][gpcommon::client] Connected to the background service
[2023-08-03][16:13:04][DEBUG][attohttpc] trying to connect to remote.*********.com:443
[2023-08-03][16:13:04][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][16:13:05][DEBUG][attohttpc] POST /global-protect/prelogin.esp?kerberos-support=yes HTTP/1.1
[2023-08-03][16:13:05][DEBUG][attohttpc] writing out body of length 119
[2023-08-03][16:13:05][DEBUG][attohttpc] creating a length body reader
[2023-08-03][16:13:05][DEBUG][attohttpc] creating plain reader
[2023-08-03][16:13:05][DEBUG][attohttpc] status code 200
[2023-08-03][16:13:05][INFO][app::auth] Starting SAML login
[2023-08-03][16:13:05][INFO][app::auth] Processing auth request: AuthRequest { saml_binding: Post, saml_request: ********** }
[2023-08-03][16:13:05][INFO][app::auth] Monitoring auth events
[2023-08-03][16:13:05][INFO][app::auth] Loading SAML request as HTML
[2023-08-03][16:13:05][WARN][app::utils] Error redacting URL: a cannot-be-a-base URL doesn’t have a host to set
[2023-08-03][16:13:05][INFO][app::auth] Loaded URI: about:blank
[2023-08-03][16:13:05][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:05][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:05][INFO][app::auth] Token not found, showing window in 3 seconds
[2023-08-03][16:13:07][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][16:13:07][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:07][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:07][INFO][app::auth] Token not found, showing window in 3 seconds
[2023-08-03][16:13:07][INFO][app::auth] The show window task has been already been scheduled, skipping
[2023-08-03][16:13:08][INFO][app::auth] Timeout expired after 3 seconds, showing window
[2023-08-03][16:13:09][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][16:13:09][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:09][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:20][INFO][app::auth] Showing window after timeout (15 seconds)
[2023-08-03][16:13:20][DEBUG][app::auth] Window is already visible, skipping
[2023-08-03][16:13:23][INFO][app::auth] Loaded URI: https://redacted/login/token/redirect?stateToken=__redacted__
[2023-08-03][16:13:23][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:23][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:24][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][16:13:24][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:24][DEBUG][app::auth] Error reading auth data from HTML: TokenInvalid
[2023-08-03][16:13:24][WARN][app::auth] Attempt #1 failed, found invalid token, retrying
[2023-08-03][16:13:24][INFO][app::auth] Window is not about to show, skipping cancel timeout
[2023-08-03][16:13:24][DEBUG][attohttpc] trying to connect to remote.*********.com:443
[2023-08-03][16:13:24][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][16:13:25][DEBUG][attohttpc] POST /global-protect/prelogin.esp?kerberos-support=yes HTTP/1.1
[2023-08-03][16:13:25][DEBUG][attohttpc] writing out body of length 119
[2023-08-03][16:13:25][DEBUG][attohttpc] creating a length body reader
[2023-08-03][16:13:25][DEBUG][attohttpc] creating plain reader
[2023-08-03][16:13:25][DEBUG][attohttpc] status code 200
[2023-08-03][16:13:25][INFO][app::auth] Got auth request from auth-request event, attempt #2
[2023-08-03][16:13:25][INFO][app::auth] Loading SAML request as HTML
[2023-08-03][16:13:25][WARN][app::utils] Error redacting URL: a cannot-be-a-base URL doesn’t have a host to set
[2023-08-03][16:13:25][INFO][app::auth] Loaded URI: about:blank
[2023-08-03][16:13:25][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:25][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:26][INFO][app::auth] Loaded URI: https://redacted/app/panw_globalprotect/exk114vf8kDMsDmXF357/sso/saml
[2023-08-03][16:13:26][DEBUG][app::auth] Token not found in HTTP headers, trying to read from HTML
[2023-08-03][16:13:26][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:27][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][16:13:27][DEBUG][app::auth] Got auth data from HTTP headers: AuthData { username: Some("joe.*******@***********.com"), prelogin_cookie: Some("XVD******************++***+******/***************+******/****2mV"), portal_userauthcookie: None }
[2023-08-03][16:13:27][INFO][app::auth] Got auth data successfully, closing window
[2023-08-03][16:13:27][DEBUG][attohttpc] trying to connect to remote.*********.com:443
[2023-08-03][16:13:27][DEBUG][attohttpc] DNS returned only one address, using fast path
[2023-08-03][16:13:28][DEBUG][attohttpc] POST /global-protect/getconfig.esp HTTP/1.1
[2023-08-03][16:13:28][DEBUG][attohttpc] writing out body of length 429
[2023-08-03][16:13:28][DEBUG][attohttpc] creating a length body reader
[2023-08-03][16:13:28][DEBUG][attohttpc] creating plain reader
[2023-08-03][16:13:28][DEBUG][attohttpc] status code 200
```

@yuezk done. Seems the portal_userauthcookie is empty.
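The two debug logs in this thread share one shape: each SAML attempt starts at "Starting SAML login" or "Got auth request ... attempt #N", loads the IdP pages (only TokenNotFound is expected there), and is decided at the `/SAML20/SP/ACS` page, where the client either reads `AuthData` out of the HTTP headers or logs `TokenInvalid` and retries. The small triage script below is an added example, not code from the project; it parses that log format, groups lines per attempt, and reports for each attempt whether the ACS step yielded auth data and which cookie fields came back `None` (the second log's missing `portal_userauthcookie`) or redacted (the first log's `**********`). The sample log embedded in it is constructed to mirror the redacted output above, with placeholder values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the redacted debug log in this thread (not a real capture).
SAMPLE_LOG = """\
[2023-08-03][16:13:05][INFO][app::auth] Starting SAML login
[2023-08-03][16:13:05][INFO][app::auth] Loaded URI: about:blank
[2023-08-03][16:13:05][DEBUG][app::auth] Error reading auth data from HTML: TokenNotFound
[2023-08-03][16:13:24][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][16:13:24][DEBUG][app::auth] Error reading auth data from HTML: TokenInvalid
[2023-08-03][16:13:24][WARN][app::auth] Attempt #1 failed, found invalid token, retrying
[2023-08-03][16:13:25][DEBUG][attohttpc] POST /global-protect/prelogin.esp?kerberos-support=yes HTTP/1.1
[2023-08-03][16:13:25][INFO][app::auth] Got auth request from auth-request event, attempt #2
[2023-08-03][16:13:27][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-03][16:13:27][DEBUG][app::auth] Got auth data from HTTP headers: AuthData { username: Some("joe@example.com"), prelogin_cookie: Some("XVD****2mV"), portal_userauthcookie: None }
[2023-08-03][16:13:27][INFO][app::auth] Got auth data successfully, closing window
"""

# [date][time][LEVEL][target] message
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<target>[^\]]+)\] (?P<msg>.*)$"
)
# A field inside the Rust-style `AuthData { ... }` debug print: Some("v"), None, or a redacted run of '*'.
FIELD_RE = re.compile(r'(?P<name>\w+): (?:Some\("(?P<val>[^"]*)"\)|(?P<none>None)|(?P<redacted>\*+))')
ATTEMPT_RE = re.compile(r"attempt #(?P<n>\d+)")


@dataclass
class Attempt:
    number: int
    acs_loaded: bool = False
    html_error: Optional[str] = None        # error logged once the ACS page was reached, e.g. TokenInvalid
    auth_data: dict = field(default_factory=dict)  # parsed AuthData fields, if the attempt succeeded


def parse_auth_data(msg):
    """Turn `AuthData { a: Some("x"), b: None, c: ***** }` into a dict; '*' runs become '<redacted>'."""
    out = {}
    for m in FIELD_RE.finditer(msg):
        if m.group("none"):
            out[m.group("name")] = None
        elif m.group("redacted"):
            out[m.group("name")] = "<redacted>"
        else:
            out[m.group("name")] = m.group("val")
    return out


def summarize(log_text):
    """Group app::auth lines by SAML attempt and record how each attempt ended at the ACS step."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("target") != "app::auth":
            continue  # attohttpc and other targets are not needed for the attempt timeline
        msg = m.group("msg")
        if msg == "Starting SAML login":
            current = Attempt(1)
            attempts.append(current)
        elif msg.startswith("Got auth request from auth-request event"):
            current = Attempt(int(ATTEMPT_RE.search(msg).group("n")))
            attempts.append(current)
        if current is None:
            continue
        if msg.startswith("Loaded URI:") and msg.rstrip().endswith("/SAML20/SP/ACS"):
            current.acs_loaded = True
        elif msg.startswith("Error reading auth data from HTML:") and current.acs_loaded:
            current.html_error = msg.rsplit(":", 1)[1].strip()
        elif msg.startswith("Got auth data from HTTP headers:"):
            current.auth_data = parse_auth_data(msg)
    return attempts


def diagnose(attempts):
    """One human-readable verdict per attempt, flagging cookie fields that came back None."""
    lines = []
    for a in attempts:
        if a.auth_data:
            missing = [k for k in ("prelogin_cookie", "portal_userauthcookie") if a.auth_data.get(k) is None]
            lines.append(f"attempt {a.number}: ACS returned auth data; missing: {missing or 'none'}")
        elif a.html_error:
            lines.append(f"attempt {a.number}: ACS reached but no auth data ({a.html_error})")
        else:
            lines.append(f"attempt {a.number}: never reached ACS")
    return lines


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the real log files by reading them in place of `SAMPLE_LOG`. A `None` for `prelogin_cookie` would mean the SAML side never produced a usable cookie; a `None` only for `portal_userauthcookie`, as in the second log, matches the maintainer's reading that SAML itself completed and the failure lies in the subsequent login with the prelogin cookie.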

yuezk commented 1 year ago

Yes, but portal_userauthcookie is optional. It looks like the SAML authentication workflow succeeded, but the login with the prelogin cookie failed.

BTW, for the old client, have you tried resetting it and trying again?

joeesteves commented 1 year ago

Yes, I did try resetting the old client, with the same result. I also tried building it from source. But nothing has worked for me so far.

> failed to login with the prelogin cookie

Yes, that seems to be the issue. But I don't get why the prelogin cookie is not valid.

Any other ideas 💡 ?

yuezk commented 1 year ago

You could try this client https://github.com/dlenski/gp-saml-gui to see if it works

joeesteves commented 1 year ago

```shell
echo *****token****here***** |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=joe.****@****.com --os=linux-64 --usergroup=gateway:prelogin-cookie --passwd-on-stdin ****.*****gatewayurl****.com
```

The client you suggested worked. Here is the command that finally allowed me into the VPN; maybe it helps to find a way to make it work on your client. Let me know.

Thanks a lot for the help @yuezk

hrk commented 1 year ago

I have the same issue on my side, using the "old" (current?) Qt project.

In my case I get a samlMethod=REDIRECT to Microsoft (https://login.microsoftonline.com/d539d4bf-5610-471a-afc2-1c76685cfefa/saml2?SAMLRequest=REMOVED&RelayState=REMOVED).

The SAMLLoginWindow "loads" the page and gets an HTTP 200 response, but the contents seem to be empty.

EDIT: copying the link to an external browser (depending on the browser session) successfully completes the authentication. It seems to be an issue with the proper loading of the page. Switching to the same User-agent as the one used by the browser has no effect.

yuezk commented 7 months ago

Fixed in 2.x.