MFA with GlobalProtect

Daniel Lenski dlenski at gmail.com
Mon Mar 7 16:49:29 PST 2022


On Fri, Mar 4, 2022 at 9:55 AM Adam Mercer <ramercer at gmail.com> wrote:
>
> Hi
>
> We use a GlobalProtect VPN at work and they recently required the
> usage of Microsoft MFA when connecting. I've been trying to get this
> working with openconnect but have been having problems. I've built the
> latest client from git and am using:
>
> # openconnect --protocol=gp vpn.address.com
>
> and this results in:
>
> SAML REDIRECT authentication is required via
> https://login.microsoftonline.com/<string>/saml2?SAMLRequest=<strong>RelayState=<string>%3D%3D
> When SAML authentication is complete, specify destination form field
> by appending :field_name to login URL.
>
> If I visit the URL in my browser I see
>
> Login Successful!
>
> How do I determine field_name from this?

This is an area of active and ongoing development in OpenConnect, due
to the recent proliferation of VPNs that use single-sign-on services
(like Microsoft's or Okta's) for authentication.

For now, I recommend that you try out
https://github.com/dlenski/gp-saml-gui, which is a front-end script
that I wrote to do the authentication via a graphical pop-up, and then
to pass the correct arguments along to OpenConnect.

There are other scripts, but this is the one that I wrote and
understand, and there is also work-in-progress to integrate this into
OpenConnect itself but… don't hold your breath 😁.

Dan


