unknown form - what can I do ?

Daniel Lenski dlenski at gmail.com
Sun Aug 7 18:00:25 PDT 2022


On Thu, Jul 21, 2022 at 3:04 AM Iseli Christian <christian.iseli at epfl.ch> wrote:
> The University of Lausanne recently introduced 2-factor authentication for its VPN, and since then my working openconnect setup is failing with this error:
>
> Unknown form (name 'form1', id '(null)')
> Dumping unknown HTML form:
> <form name="form1" action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1" method="post">
>         <input name="shib_idp_ls_exception.shib_idp_session_ss" type="hidden">
>         <input name="shib_idp_ls_success.shib_idp_session_ss" type="hidden" value="false">
>         <input name="shib_idp_ls_value.shib_idp_session_ss" type="hidden">
>         <input name="shib_idp_ls_exception.shib_idp_persistent_ss" type="hidden">
>         <input name="shib_idp_ls_success.shib_idp_persistent_ss" type="hidden" value="false">
>         <input name="shib_idp_ls_value.shib_idp_persistent_ss" type="hidden">
>     <input name="shib_idp_ls_supported" type="hidden">
>     <input name="_eventId_proceed" type="hidden">
>     <noscript>
>         <input type="submit" value="Continue">
>     </noscript>
> </form>Failed to complete authentication
>
> The authentication seems to now be "provided" through the eduid infrastructure of switch.ch through a shibboleth framework, if that rings a bell to anyone...
>
> Should I just try to add a recognition for this form in the code and see what happens?
>
> Thanks for your help, and kind regards,
> Christian

Hi Christian,
Which OpenConnect *protocol* are you using here? Juniper
(--protocol=nc) or F5 (--protocol=f5) or Fortinet
(--protocol=fortinet) are the ones that support HTML-based
authentication, so most likely one of those. Also, which version of
the OpenConnect client? (openconnect --version)

If it's Juniper, then we've added some very rudimentary support for
SSO/SAML in recent releases, but I'll wait to hear more details.

It does appear that this is a form which could be automatically
bypassed, given that it contains only hidden fields, unless there's
some modification via a JavaScript-based layer that we're not seeing
in your log.

Dan

ps- Perhaps worth opening an issue at
https://gitlab.com/openconnect/openconnect/issues. The mailing list is
not very active anymore, as you've seen.



More information about the openconnect-devel mailing list