Azure AD SSO asking me to "stay signed in" breaks flow #36

Open
philippgerard opened this issue Dec 8, 2020 · 14 comments

Comments

@philippgerard

Hi there,

we're using some O365 AD with custom login pages, which seem to work flawlessly. However, after the 2FA confirmation using MS Authenticator App the page asking me if I want to "stay signed in" loads in the modal and then disappears every time before I can confirm. This effectively seems to break the flow.

This is the last message on the CLI:

[info ] Browser exited [openconnect_sso.browser.browser]
[info ] Response received [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=
[error ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn.....de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn.....de/+CSCOE+/saml_ac_login.html', token_cookie_name='...', opaque=<Element opaque at 0x7f594cae2c40>)
Traceback (most recent call last):
File "/usr/bin/openconnect-sso", line 33, in
sys.exit(load_entry_point('openconnect-sso==0.6.0', 'console_scripts', 'openconnect-sso')())
File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
return app.run(args)
File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
return future.result()
File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
auth_response = await authenticate_to(
File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn.....de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn.....de/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7f594cae2c40>)

As no configuration file is created (I presume only after the first successful login), I don't know where to modify settings or explore configuration options. Any ideas what I could try next? Thanks in advance!

@vlaci
Owner

vlaci commented Dec 8, 2020

The default rules are the following (in ~/.config/openconnect-sso/config.toml):

[auto_fill_rules]
[[auto_fill_rules."https://*"]]
selector = "div[id=passwordError]"
action = "stop"

[[auto_fill_rules."https://*"]]
selector = "input[type=email]"
fill = "username"

[[auto_fill_rules."https://*"]]
selector = "input[type=password]"
fill = "password"

[[auto_fill_rules."https://*"]]
selector = "input[type=submit]"
action = "click"

There was a request to make this autofill stuff configurable and I'd like to make it so. If you find an addition that would fix your case I am happy to update the defaults.
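To see how the ordered rule list above behaves on a given login page, here is a small rule walker (an added example, not openconnect-sso's own code): it parses the default rules quoted above, matches each `tag[attr=value]` selector against a constructed HTML page, and records the fill/click/stop decisions. The "first matching stop rule halts everything" semantics and the minimal selector grammar are assumptions of this model.

```python
# Added example: models how an ordered auto_fill_rules list is applied to a page.
# Assumed semantics (not taken from the project): rules are evaluated in order,
# a matching "stop" rule halts all further auto-fill, fill/click rules are recorded.
try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover - fallback for older interpreters
    import tomli as tomllib
from html.parser import HTMLParser

# The default rules as quoted in the issue (project config format).
DEFAULT_RULES_TOML = '''
[auto_fill_rules]
[[auto_fill_rules."https://*"]]
selector = "div[id=passwordError]"
action = "stop"

[[auto_fill_rules."https://*"]]
selector = "input[type=email]"
fill = "username"

[[auto_fill_rules."https://*"]]
selector = "input[type=password]"
fill = "password"

[[auto_fill_rules."https://*"]]
selector = "input[type=submit]"
action = "click"
'''

class Elements(HTMLParser):
    """Collect (tag, attrs) for every start tag; enough for tag[attr=value] selectors."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found.append((tag, dict(attrs)))

def matches(selector, elements):
    """Minimal selector support: exactly one 'tag[attr=value]' form (an assumption)."""
    tag, rest = selector.split("[", 1)
    attr, value = rest.rstrip("]").split("=", 1)
    return any(t == tag and a.get(attr) == value for t, a in elements)

def plan_actions(html, rules_toml=DEFAULT_RULES_TOML, url_key="https://*"):
    """Return the ordered actions the rule list would take on this page."""
    rules = tomllib.loads(rules_toml)["auto_fill_rules"][url_key]
    parser = Elements()
    parser.feed(html)
    actions = []
    for rule in rules:
        if not matches(rule["selector"], parser.found):
            continue
        if rule.get("action") == "stop":
            actions.append("stop")
            break  # a stop rule halts all auto-fill on this page
        actions.append(("fill", rule["fill"]) if "fill" in rule else rule["action"])
    return actions
```

Running it on a constructed "Stay signed in" page that contains only a submit button yields `["click"]`, which is why the modal is submitted before a user can act; swapping the last rule's action for `"stop"` yields `["stop"]` instead.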

@philippgerard
Author

Using

[[auto_fill_rules."https://*"]]
selector = "input[type=submit]"
action = "stop"

allows me to complete to click, but the process dies anyways :(

[error ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn...de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn...de/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fa52667e380>)
Traceback (most recent call last):
File "/usr/bin/openconnect-sso", line 33, in
sys.exit(load_entry_point('openconnect-sso==0.6.0', 'console_scripts', 'openconnect-sso')())
File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
return app.run(args)
File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
return future.result()
File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
auth_response = await authenticate_to(
File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn....de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn....de/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fa52667e380>)

Can you make sense of the error message?

@vlaci
Owner

vlaci commented Dec 21, 2020

The error message is that somehow your VPN server still returns an auth request response, instead of completing the authentication. At debug loglevel the response message is logged on screen. I am not sure if it contains any meaningful additional info.

@TheSentry

TheSentry commented Jan 5, 2021

Our company recently switched to Cisco AnyConnect with Microsoft 2FA and this here seems to be my best shot. However, I encounter almost the same problem, although the "Stay signed in" window appears for me and I can click it and confirm. But then the dialog closes and I get a very similar stacktrace:

[info ] Response received [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=
[error ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn.....de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn.....de/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7f67108415c0>)
Traceback (most recent call last):
File "/home/florian/.local/bin/openconnect-sso", line 8, in
sys.exit(main())
File "/home/florian/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/cli.py", line 169, in main
return app.run(args)
File "/home/florian/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 34, in run
auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/home/florian/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 137, in _run
auth_response = await authenticate_to(
File "/home/florian/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpn.....de/+CSCOE+/saml/sp/login?tgname=DefaultWEBVPNGroup&acsamlcap=v2', login_final_url='https://vpn.....de/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7f67108415c0>)

Is there anything I can provide to help solve this?

Edit: I forgot: at this point I'm usually prompted to authenticate myself using the Microsoft Authenticator App on my phone, so this might be the last AuthRequestResponse.

@vlaci
Owner

vlaci commented Jan 5, 2021

It would be great to know what anyconnect does differently in your case. A mitmproxy log of a successful login with anyconnect would be most helpful.

Make sure to remove all sensitive information (keys, mac addresses, urls) from the mitmproxy trace before sharing with anyone.

@TheSentry

I'm having a hard time getting openconnect-sso to work with mitmproxy. Either it complains about

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)

or

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

but I've never used mitmproxy before, so I probably didn't set up the certificates correctly and this here is probably not the right place to discuss this.

Maybe I'll try to modify openconnect-sso directly to make it work, but my available time for this is limited, unfortunately.

@TheSentry

Funny, trying it again now gave me a different result:

[info     ] Response received              [openconnect_sso.authenticator] id=success message=
[sudo] password for user:           
Connected to x.y.z.a:443
SSL negotiation with vpn.....de
Server certificate verify failed: signer not found
Server SSL certificate didn't match: pin-sha256:<redacted>=
SSL connection failure: Error in the certificate.
Creating SSL connection failed

The next attempt had the same result as in my first comment.
(I guess the MS Authenticator is not always required and this changes the outcome)

@vlaci
Owner

vlaci commented Jan 7, 2021

It is indeed funny as the last connection attempt shows a successful authentication.

At debug log level openconnect-sso logs all request-responses. Mitmproxy would help to capture Anyconnect's traffic to figure out how it behaves differently.

Mitmproxy has guidance on how to set up your machine to trust its certificates: https://docs.mitmproxy.org/stable/concepts-certificates/#installing-the-mitmproxy-ca-certificate-manually

@TheSentry

> Mitmproxy has guidance on how to set up your machine to trust its certificates: https://docs.mitmproxy.org/stable/concepts-certificates/#installing-the-mitmproxy-ca-certificate-manually

I actually followed those instructions and I still get the SSL errors I described above.

Unfortunately, I don't have any more (work) time available to delve into this problem, so I'm afraid I'm going to have to leave it at that. But if it helps you, this is what I see as a user during a successful VPN login:

  1. Browser window: Prompt to enter my username
  2. Browser window: Login page of my employer with username and password prompt
  3. Sometimes: Browser window: Prompt to verify my login using the MS Authenticator App, together with a "Stay signed in" checkbox
  4. Browser window: Another prompt "Stay signed in" with a checkbox "Don't ask me again"
  5. Dialog window of AnyConnect: "Welcome to blabla Company, by connecting you accept the terms and services" with the options "Cancel" and "Connect"

Steps 1, 2 and 4 work with openconnect-sso and I'm very certain that 3 and 5 are the problematic ones.

Maybe I'll find some spare time to look at it again, but no promises.

@vlaci
Owner

vlaci commented Feb 4, 2021

Could you check if the issue persists with the newest 0.6.1? I hope that #37 may have fixed this issue.

@myelsukov

I am experiencing the same problem. #37 didn't help.

@vlaci
Owner

vlaci commented Mar 1, 2021

FYI as of 0.7.0, the browser properly caches cookies between connection attempts so that it is possible to reuse a previous successful authentication.

@DeepestToaster

While caching cookies may, in theory, work in some instances, I can confirm this doesn't work for me. I have authenticated previously with all browsers on my system, yet when I try to connect I still get prompted for credentials, cannot click the "remember" button fast enough, and then everything falls apart on the "stay signed in" screen.

@vlaci
Owner

vlaci commented Oct 19, 2021

Yeah, I still see that cookie saving is racy somehow. It may work for someone and won't for others. :(
