Azure AD SSO asking me to "stay signed in" breaks flow #36
The default rules are the following (in `~/.config/openconnect-sso/config.toml`):
There was a request to make this autofill stuff configurable and I'd like to make it so. If you find an addition that would fix your case I am happy to update the defaults.
Using
allows me to complete to click, but the process dies anyways :(
Can you make sense of the error message?
The error message is that somehow your VPN server still returns an auth request response, instead of completing the authentication. At debug loglevel the response message is logged on screen. I am not sure if it contains any meaningful additional info.
Our company recently switched to Cisco AnyConnect with Microsoft 2FA and this here seems to be my best shot. However, I encounter almost the same problem, although the "Stay signed in" window appears for me and I can click it and confirm. But then the dialog closes and I get a very similar stacktrace:
Is there anything I can provide to help solve this? Edit: I forgot: At this point I'm usually prompted to authenticate myself using the Microsoft Authenticator App on my phone, so this might be the last
It would be great to know what anyconnect does differently in your case. A mitmproxy log of a successful login with anyconnect would be most helpful. Make sure to remove all sensitive information (keys, MAC addresses, URLs) from the mitmproxy trace before sharing with anyone.
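One way to scrub a trace before posting it, as the comment above asks. This is an added example, not part of the thread and not code from openconnect-sso or mitmproxy; it assumes the trace has been exported as plain text, and `redact`, the alias scheme and the sample are hypothetical. Hostnames are replaced by stable aliases and URL paths are kept so the request flow stays readable.

```python
import re

MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
URL = re.compile(r"(https?)://([^/\s\"'<>?#]+)([^\s\"'<>?#]*)(\?[^\s\"'<>#]*)?")
HEADER = re.compile(r"(?im)^(cookie|set-cookie|authorization|host):[ \t]*(.*)$")

# Constructed sample of an exported request; not real traffic.
SAMPLE = (
    "POST https://vpn.example.test/login?token=abc123 HTTP/1.1\n"
    "Host: vpn.example.test\n"
    "Cookie: session=s3cr3t; lang=en\n"
    "Authorization: Bearer constructed.token.value\n"
    "\n"
    "<mac>00:1A:2B:3C:4D:5E</mac><next>https://idp.example.test/saml</next>\n"
)

def redact(text):
    """Return (scrubbed_text, host_aliases) for a plain-text trace export."""
    aliases = {}

    def alias(host):
        # The same host always maps to the same alias.
        return aliases.setdefault(host.lower(), f"host{len(aliases) + 1}.redacted")

    def fix_url(m):
        scheme, host, path, query = m.groups()
        return f"{scheme}://{alias(host)}{path}" + ("?REDACTED" if query else "")

    def fix_header(m):
        name, value = m.group(1), m.group(2)
        if name.lower() == "host":
            value = alias(value.strip())
        elif name.lower() == "authorization":
            value = "REDACTED"
        else:  # Cookie / Set-Cookie: keep the names, drop the values
            value = re.sub(r"=[^;]*", "=REDACTED", value)
        return f"{name}: {value}"

    text = URL.sub(fix_url, text)
    text = HEADER.sub(fix_header, text)
    # Hostnames can also appear bare (bodies, redirects); replace longest first.
    for host in sorted(aliases, key=len, reverse=True):
        text = re.sub(re.escape(host), aliases[host], text, flags=re.I)
    return MAC.sub("XX:XX:XX:XX:XX:XX", text), aliases

if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

Secrets carried in request or response bodies (for example tokens inside form fields) are not covered by these patterns, so read the output through before attaching it.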
I'm having a hard time getting
or
but I've never used Maybe I'll try to modify openconnect-sso directly to make it work, but my available time for this is limited, unfortunately
Funny, trying it again now gave me a different result:
The next attempt had the same result as in my first comment.
It is indeed funny as the last connection attempt shows a successful authentication. At debug log level openconnect-sso logs all request-responses. Mitmproxy would help to capture Anyconnect's traffic to figure out how it behaves differently. Mitmproxy has guidance on how to set up your machine to trust its certificates https://docs.mitmproxy.org/stable/concepts-certificates/#installing-the-mitmproxy-ca-certificate-manually
I actually followed those instructions and I still get the SSL errors I described above. Unfortunately, I don't have any more (work) time available to delve into this problem, so I'm afraid I'm going to have to leave it at that. But if it helps you, this is what I see as a user during a successful VPN login:
Step 1, 2 and 4 work with Maybe I'll find some spare time to look at it again, but no promises.
Could you check if the issue persists with the newest 0.6.1? I hope that #37 may have fixed this issue.
I am experiencing the same problem. #37 didn't help.
FYI as of 0.7.0, the browser properly caches cookies between connection attempts so that it is possible to reuse a previous successful authentication.
While caching cookies may, in theory, work in some instances, I can confirm this doesn't work for me. I have authenticated previously with all browsers on my system, yet when I try to connect I still get prompted for credentials, cannot click the "remember" button fast enough, and then everything falls apart on the "stay signed in" screen.
Yeah, I still see that cookie saving is racy somehow. It may work for someone and won't for others. :(
Hi there,
we're using some O365 AD with custom login pages, which seem to work flawlessly. However, after the 2FA confirmation using MS Authenticator App the page asking me if I want to "stay signed in" loads in the modal and then disappears every time before I can confirm. This effectively seems to break the flow.
This is the last message on the CLI:
As no configuration file is created (I presume only after the first successful login), I don't know where to modify settings or explore configuration options. Any ideas what I could try next? Thanks in advance!