yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

You do not have permission to perform the requested action #385

Closed fzakaria closed 3 months ago

fzakaria commented 3 months ago

Describe the bug: I get the Okta login screen (Yay!) but I'm hit with the below error when I try to log in.

You do not have permission to perform the requested action


Logs

2024-07-03 16:29:55.825 INFO  [366884] [main@24] GlobalProtect started, version: 1.4.9
2024-07-03 16:29:56.012 INFO  [366884] [GPClient::populateGatewayMenu@133] Populating the Switch Gateway menu...
2024-07-03 16:29:59.439 INFO  [366884] [GPClient::populateGatewayMenu@133] Populating the Switch Gateway menu...
2024-07-03 16:30:02.143 INFO  [366884] [GPClient::doConnect@238] Start connecting...
2024-07-03 16:30:02.144 INFO  [366884] [GPClient::doConnect@259] Start portal login...
2024-07-03 16:30:02.146 INFO  [366884] [PortalAuthenticator::authenticate@35] (1/5) attempts, preform portal prelogin at https://confluentinc.gpcloudservice.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2024-07-03 16:30:02.618 INFO  [366884] [PortalAuthenticator::onPreloginFinished@52] Portal prelogin succeeded.
2024-07-03 16:30:02.618 INFO  [366884] [PreloginResponse::parse@26] Start parsing the prelogin response...
2024-07-03 16:30:02.618 INFO  [366884] [PortalAuthenticator::onPreloginFinished@56] Finished parsing the prelogin response. The region field is: US
2024-07-03 16:30:02.618 INFO  [366884] [PortalAuthenticator::samlAuth@119] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/793556d8-e7cb-4012-bdab-5cd8cf725ba2
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2024-07-03 16:30:02.712 INFO  [366884] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from data:text/html;charset=<REDACTED>
2024-07-03 16:30:02.712 INFO  [366884] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-07-03 16:30:03.053 INFO  [366884] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://confluent.okta.com/app/palo_alto_networks_prisma_access/exkb6vf3wiq7IzxmX357/sso/saml
2024-07-03 16:30:03.053 INFO  [366884] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-07-03 16:30:03.188 INFO  [366884] [SAMLLoginWindow::onLoadFinished@109] Load finished https://confluent.okta.com/app/palo_alto_networks_prisma_access/exkb6vf3wiq7IzxmX357/sso/saml
2024-07-03 16:30:03.233 INFO  [366884] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://login.okta.com/discovery/iframe.html
2024-07-03 16:30:03.233 INFO  [366884] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-07-03 16:30:12.321 INFO  [366884] [SAMLLoginWindow::SAMLLoginWindow@31] MAX_WAIT_TIME exceeded, display the login window.
2024-07-03 16:31:39.138 INFO  [366884] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://confluent.okta.com/auth/services/devicefingerprint
2024-07-03 16:31:39.138 INFO  [366884] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
2024-07-03 16:31:43.329 INFO  [366884] [SAMLLoginWindow::onResponseReceived@69] Trying to receive authentication cookie from https://confluent.okta.com/auth/services/devicefingerprint
2024-07-03 16:31:43.329 INFO  [366884] [SAMLLoginWindow::checkSamlResult@80] Checking the authentication result...
"Object does not exist at path “/org/freedesktop/NetworkManager/ActiveConnection/15”"

Additional context: I'm using a quite old version via Nixpkgs (1.4.9): https://github.com/NixOS/nixpkgs/blob/nixos-24.05/pkgs/tools/networking/globalprotect-openconnect/default.nix

Happy to discuss including a newer version in Nixpkgs if you are seeking that contribution as well.

yuezk commented 3 months ago

Hi @fzakaria, this error message is raised by the IDP, which is out of the scope of the client. You may need to contact your administrator with this error message.

fzakaria commented 3 months ago

Sorry for the bad issue then. I'll try to investigate and close.

If you have any tips, let me know. I figure it's something like needing the HIP report or something?