Openconnect - Palo Alto - Okta SSO / MFA

Daniel Lenski dlenski at gmail.com
Fri Apr 13 13:23:19 PDT 2018


On Fri, Apr 13, 2018 at 8:31 AM, Luis l <chelapa at hotmail.com> wrote:
> After digging around I THINK it's a part of this?
>
> https://github.com/arthepsy/pan-globalprotect-okta/
>
> I downloaded it, added the TOTP of that moment, removed pw to prompt me instead of conf, and I get the below from debug = 1. My "guess" is, if this worked, it's to be used against the command I sent prior and piped into the openconnect cmd?
>
> ---
> # status:
> MFA_REQUIRED
> ---
> err: no factor url found

Luis,

I have a lot of trouble following your explanations here, but… yes,
you need to figure out a way to generate the appropriate cookie and
submit it to openconnect in place of the password, using the new
mechanism that I added in the fun_with_cookies branch, as described on
GitHub.

I don't use Okta, can't use Okta, and know nothing about Okta. I do
not have access to a GP VPN that uses this kind of authentication
flow. So I cannot test the authentication scripts in any way.

All I can do is provide a mechanism for openconnect to accept the
cookie produced by the alternative authentication flows, and rely on
users to tell me if it solves the problem.

Dan


