New release?

Karl O. Pinc kop at karlpinc.com
Fri Mar 21 07:01:13 PDT 2025


Hi Thomas,

On Fri, 21 Mar 2025 00:10:33 -0600 (MDT)
Thomas Danhorn <tdanhorn at fastmail.fm> wrote:

> On Thu, 20 Mar 2025, Cline, Wade wrote:
> 
> > On Wed, Mar 19, 2025 at 09:14:07PM -0600, Thomas Danhorn wrote:
> >> Hi guys,
> >>
> >> Thank you for making a great tool.  I have been using it in
> >> conjunction with the NetworkManager plugin to connect to a Palo
> >> Alto Global Protect VPN for the last couple of years, and it
> >> worked great.  For the last few months I have been using it with a
> >> YubiKey.  Recently, it suddenly stopped working (512 server error
> >> after successful authentication), however, and through trying
> >> different gp-saml-gui versions, I am pretty sure that the problem
> >> is that the SAML and cookie from the server response are now only
> >> in the comment inside the HTML page, and no longer in its header.

> > Have you tried adding '/portal:prelogin-cookie' to the 'Gateway'
> > URL as suggested in:
> >
> > 	https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/130#note_2367443

> Thank you very much for the quick response.  I just tried with
> '/portal:prelogin-cookie', and the results are interesting.  The
> university has two VPN servers for two campuses, and it works on one
> (at the end of the process it asks me to choose a gateway, although
> there is only one choice), but it still fails with the 512 error on
> the other (I used identical configurations, except for the server
> name). Unfortunately, the one that fails is the one I really need.  I
> have not looked at the SAML & cookie of the VPN server I can connect
> to, but I know that for the failing one those things are only in the
> comment (not the header).

> >> If I read the commit messages correctly, that seems to have been
> >> fixed 18 months ago (in commit 8c5d65889b), but there has been no
> >> new version tag since 9.12 a few months earlier.  Since Linux
> >> distros and packaging services (e.g. openSUSE build service) go by
> >> the tags (since they signal a stable version), there is no newer
> >> package than 9.12 available, and that does not have the fix for
> >> the SAML-in-comment problem.
> >>
> >> While I could probably compile the newest version from GitLab, it
> >> is obviously easier to use a package, and I am not the only one
> >> with this problem.  I would therefore really appreciate it if you
> >> could release 9.13 in the not-too-distant future.  I'm getting by
> >> with gp-saml-gui, but it is not as well integrated with
> >> NetworkManager and I don't have the options that come with that,
> >> like routing only certain addresses through the VPN, so I'm
> >> looking forward to the next version of openconnect.

As an FYI, while working on PR !564 I also saw SAML cookie information
only as an HTML comment, and I also got a 512 error after successful
portal authentication.  This, from memory, is because the 2nd SAML
auth failed at the gateway.

Which suggests to me that _maybe_ your failed VPN connection is because
your failed VPN connection is doing double SAML authentication.  If
this is the case then a new release, even if PR !564 is included, will
likely _not_ leave you able to use either Network Manager or
gp-saml-gui.  Because, I suspect, both will need adjustments to
handle double-SAML authentication.

One way to tell is to compile a version with PR !564 incorporated
and see if working from the command line will successfully connect.
Another way is to use the arguments that show all the HTML and headers
that go back and forth and look for a second SAML cookie, on the
gateway, after the first authentication to the portal succeeds.
(There might be a way to do this without working from the command
line, but the command line seems easiest.)  Someone here may be able
to help interpret the HTML+headers if that's an issue for you.

Good luck.

Regards,

Karl <kop at karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
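The parsing step this thread turns on, as an added example that is not code from openconnect, gp-saml-gui, or anyone on this list: older servers hand the SAML username and prelogin cookie back as HTTP response headers, newer ones embed them in an HTML comment, and a client that only looks in the headers gets nothing. The helper below looks in both places and then reports which stages of a portal-then-gateway exchange returned a prelogin cookie, which is the second check Karl describes. The comment layout, the field names other than prelogin-cookie, and every sample response are assumptions constructed for illustration.

```python
"""Find the GlobalProtect SAML fields in a portal or gateway HTTP response.

Added example, not openconnect or gp-saml-gui code. Older servers return the
fields as HTTP response headers; newer ones embed them in an HTML comment.
The comment layout, the field names other than 'prelogin-cookie', and every
sample response below are assumptions/constructed for illustration.
"""
import re

# Field names a client looks for. Only 'prelogin-cookie' comes from the thread;
# the other two are assumed.
SAML_FIELDS = ("saml-username", "prelogin-cookie", "portal-userauthcookie")

# Assumed comment layout: <!-- name="value"; name="value"; -->
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
PAIR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def fields_from_headers(headers):
    """Header names are case-insensitive, so normalise before matching."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: lower[name] for name in SAML_FIELDS if name in lower}


def fields_from_comment(body):
    """Scan every HTML comment in the body for name="value" pairs we care about."""
    found = {}
    for comment in COMMENT_RE.findall(body):
        for name, value in PAIR_RE.findall(comment):
            if name.lower() in SAML_FIELDS:
                found[name.lower()] = value
    return found


def extract_saml_fields(headers, body):
    """Return (fields, where) with where in {'headers', 'comment', 'none'}.

    Headers take precedence; the comment only supplies fields the headers lack,
    so a client written for the old layout keeps working against the new one.
    """
    from_headers = fields_from_headers(headers)
    fields = fields_from_comment(body)
    fields.update(from_headers)
    if from_headers:
        where = "headers"
    elif fields:
        where = "comment"
    else:
        where = "none"
    return fields, where


def stages_with_saml(responses):
    """Given [(stage, headers, body), ...] in the order received, list the
    stages that handed back a prelogin cookie. Seeing one at both 'portal'
    and 'gateway' is the double-SAML pattern discussed in the thread."""
    return [stage for stage, headers, body in responses
            if "prelogin-cookie" in extract_saml_fields(headers, body)[0]]


# Constructed sample responses (not captured from any real server).
OLD_PORTAL_HEADERS = {"Content-Type": "text/html",
                      "saml-username": "alice@example.edu",
                      "prelogin-cookie": "CONSTRUCTED-PORTAL-COOKIE"}
OLD_PORTAL_BODY = "<html><body>Login successful</body></html>"

NEW_PORTAL_HEADERS = {"Content-Type": "text/html"}
NEW_PORTAL_BODY = ('<html><!-- saml-username="alice@example.edu"; '
                   'prelogin-cookie="CONSTRUCTED-PORTAL-COOKIE"; -->'
                   '<body>Login successful</body></html>')

NEW_GATEWAY_BODY = ('<html><!-- saml-username="alice@example.edu"; '
                    'prelogin-cookie="CONSTRUCTED-GATEWAY-COOKIE"; -->'
                    '<body>Login successful</body></html>')


if __name__ == "__main__":
    for name, hdrs, body in (("old portal", OLD_PORTAL_HEADERS, OLD_PORTAL_BODY),
                             ("new portal", NEW_PORTAL_HEADERS, NEW_PORTAL_BODY)):
        print(name, extract_saml_fields(hdrs, body))
    print("stages with a prelogin cookie:",
          stages_with_saml([("portal", NEW_PORTAL_HEADERS, NEW_PORTAL_BODY),
                            ("gateway", NEW_PORTAL_HEADERS, NEW_GATEWAY_BODY)]))
```

To use it on a real capture, feed each stage's response headers and body (for instance from the verbose output Karl mentions) into `stages_with_saml` in the order they arrived; a result naming both the portal and the gateway is the signal that two SAML authentications are in play rather than one.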
