unknown form - what can I do ?

Iseli Christian christian.iseli at epfl.ch
Mon Aug 8 02:02:54 PDT 2022


Hi Dan,

On Monday, 8 August 2022 at 03:00 Dan wrote:
> On Thu, Jul 21, 2022 at 3:04 AM Iseli Christian <christian.iseli at epfl.ch>
> wrote:
> > The University of Lausanne recently introduced 2-factor authentication for its VPN, and since then my working openconnect setup is failing with this error:
> >
> > Unknown form (name 'form1', id '(null)') Dumping unknown HTML form:
> > <form name="form1" action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1" method="post">
> >         <input name="shib_idp_ls_exception.shib_idp_session_ss" type="hidden">
> >         <input name="shib_idp_ls_success.shib_idp_session_ss" type="hidden" value="false">
> >         <input name="shib_idp_ls_value.shib_idp_session_ss" type="hidden">
> >         <input name="shib_idp_ls_exception.shib_idp_persistent_ss" type="hidden">
> >         <input name="shib_idp_ls_success.shib_idp_persistent_ss" type="hidden" value="false">
> >         <input name="shib_idp_ls_value.shib_idp_persistent_ss" type="hidden">
> >     <input name="shib_idp_ls_supported" type="hidden">
> >     <input name="_eventId_proceed" type="hidden">
> >     <noscript>
> >         <input type="submit" value="Continue">
> >     </noscript>
> > </form>Failed to complete authentication
> >
> > The authentication seems to now be "provided" through the eduid infrastructure of switch.ch through a shibboleth framework, if that rings a bell to anyone...
> >
> > Should I just try to add a recognition for this form in the code and see what happens?
> >
> > Thanks for your help, and kind regards, Christian
> 
> Hi Christian,
> Which OpenConnect *protocol* are you using here? Juniper
> (--protocol=nc) or F5 (--protocol=f5) or Fortinet
> (--protocol=fortinet) are the ones that support HTML-based authentication,
> so most likely one of those.

I used nc.

> Also, which version of the OpenConnect client? (openconnect --version)

OpenConnect version v9.01, from the Fedora distribution.

> If it's Juniper, then we've added some very rudimentary support for
> SSO/SAML in recent releases, but I'll wait to hear more details.
> 
> It does appear that this is a form which could be automatically bypassed,
> given that it contains only hidden fields, unless there's some modification via
> a JavaScript-based layer that we're not seeing in your log.

In the meantime, I received some more info from the university staff, and they say the issue comes from SAML and suggested I follow a recipe from here:

https://github.com/vlaci/openconnect-sso/issues/11#issuecomment-925094127

So, I now use a Python script (attached as text, slightly edited to remove personal info) which performs the "web part" of the connection and then launches openconnect --protocol=pulse with the obtained DSID cookie, and it works for me.

> Dan
> 
> ps- Perhaps worth opening an issue at
> https://gitlab.com/openconnect/openconnect/issues. The mailing list is not
> very active anymore, as you've seen.

Ok, I'll look into that.

Thanks for the reply, and kind regards,
Christian
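Dan's point above, that a form made only of hidden fields could be submitted without asking the user anything, is easy to check mechanically. The script below is an added example written for this thread (it is neither OpenConnect's code nor the attached VPNconnect.txt): it parses the Shibboleth form from the error dump and reports the target URL and method, the hidden field set a client would POST back, and whether any field actually needs a human. The base URL is an assumed placeholder.

```python
"""Decide whether a dumped HTML login form can be submitted unattended.
Added example for this thread (not OpenConnect's code); FORM_HTML is the
Shibboleth form from the error above, the base URL is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the form OpenConnect dumped, whitespace tidied.
FORM_HTML = """<form name="form1" action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1" method="post">
  <input name="shib_idp_ls_exception.shib_idp_session_ss" type="hidden">
  <input name="shib_idp_ls_success.shib_idp_session_ss" type="hidden" value="false">
  <input name="shib_idp_ls_value.shib_idp_session_ss" type="hidden">
  <input name="shib_idp_ls_exception.shib_idp_persistent_ss" type="hidden">
  <input name="shib_idp_ls_success.shib_idp_persistent_ss" type="hidden" value="false">
  <input name="shib_idp_ls_value.shib_idp_persistent_ss" type="hidden">
  <input name="shib_idp_ls_supported" type="hidden">
  <input name="_eventId_proceed" type="hidden">
  <noscript><input type="submit" value="Continue"></noscript>
</form>"""


class FormParser(HTMLParser):
    """Collect the form's action/method and every <input> it contains."""

    def __init__(self):
        super().__init__()
        self.action, self.method, self.inputs = None, "get", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
            self.method = (a.get("method") or "get").lower()
        elif tag == "input":
            # HTMLParser reports a missing attribute value as None.
            self.inputs.append((a.get("name"), (a.get("type") or "text").lower(),
                                a.get("value") or ""))


def analyse_form(html, base_url):
    """Return the request a client would send and whether a user is needed."""
    p = FormParser()
    p.feed(html)
    # Any named field that is neither hidden nor a submit button needs a
    # human (password, OTP code, ...); the form above has none.
    needs_user = [n for n, t, _ in p.inputs if n and t not in ("hidden", "submit")]
    # Hidden fields go back as served; with no JavaScript to fill them they
    # stay empty, exactly what the <noscript> "Continue" button would send.
    body = {n: v for n, t, v in p.inputs if n and t == "hidden"}
    return {"url": urljoin(base_url, p.action), "method": p.method,
            "auto_submittable": not needs_user, "body": body}
```

A client that auto-submits such a form should still treat the response as untrusted input and feed it back through the same form classification, since the next page in the SAML chain may well be the one that asks for credentials or the second factor.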

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: VPNconnect.txt
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20220808/e40e5370/attachment.txt>