Error after SSO Auth (Azure) is complete #93

Open
bjornarfjelldal opened this issue Aug 17, 2022 · 4 comments

Comments

@bjornarfjelldal

bjornarfjelldal commented Aug 17, 2022

Running

openconnect-sso --server vpnserver --user myuser -l debug

Goes through SSO with autocomplete user/password - and after completing 2FA verification, this happens:

[info     ] Browser exited                 [openconnect_sso.browser.browser] 
[debug    ] Sending auth finish request    [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <session-token/>\n  <session-id/>\n  <opaque is-for="sg">\n    <tunnel-group>saml</tunnel-group>\n    <auth-method>single-sign-on-v2</auth-method>\n    <config-hash>1658396513329</config-hash>\n  </opaque>\n  <auth>\n    <sso-token></sso-token>\n  </auth>\n</config-auth>\n'
https://vpnserver:443 "POST / HTTP/1.1" 200 None
[debug    ] Auth finish response received  [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>saml</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<config-hash>1658396513329</config-hash>\n</opaque>\n<auth id="main">\n<message>Please complete the authentication process in the AnyConnect Login window.</message>\n<error id="109">Single sign-on AnyConnect token verification failure.</error>\n<sso-v2-login>https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&#x26;acsamlcap=v2</sso-v2-login>\n<sso-v2-login-final>https://vpnserver/+CSCOE+/saml_ac_login.html</sso-v2-login-final>\n<sso-v2-logout>https://vpnserver/+CSCOE+/saml/sp/logout</sso-v2-logout>\n<sso-v2-logout-final>https://vpnserver/+CSCOE+/saml_ac_login.html</sso-v2-logout-final>\n<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>\n<sso-v2-error-cookie-name>acSamlv2Error</sso-v2-error-cookie-name>\n<form>\n<input type="sso" name="sso-token"></input>\n</form>\n</auth>\n</config-auth>\n'
[info     ] Response received              [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=
[error    ] Could not finish authentication. Invalid response type in current state [openconnect_sso.authenticator] response=AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&acsamlcap=v2', login_final_url='https://vpnserver/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fdc51360ac0>)
Traceback (most recent call last):
  File "/opt/miniconda3/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/opt/miniconda3/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/app.py", line 139, in _run
    auth_response = await authenticate_to(
  File "/opt/miniconda3/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 50, in authenticate
    raise AuthenticationError(response)
openconnect_sso.authenticator.AuthenticationError: AuthRequestResponse(auth_id='main', auth_title='', auth_message='Please complete the authentication process in the AnyConnect Login window.', auth_error='Single sign-on AnyConnect token verification failure.', login_url='https://vpnserver/+CSCOE+/saml/sp/login?tgname=saml&acsamlcap=v2', login_final_url='https://vpnserver/+CSCOE+/saml_ac_login.html', token_cookie_name='acSamlv2Token', opaque=<Element opaque at 0x7fdc51360ac0>)

I tried some tips from #57 without any luck, namely

#57 (comment)

and

#57 (comment)

Since the error message is different, I open a new issue.

Running this on macOS Big Sur 12.5.

Any tips?

@elenhinan

elenhinan commented Aug 26, 2022

I got the exact same error, but managed to get it to work after importing the AnyConnect profile using
openconnect-sso -p /opt/cisco/anyconnect/profile/VPNprofile.xml
I think the only difference is that I didn't specify usergroup manually. Running in an ubuntu docker, authenticating via microsoft 365 two-factor.

edit: I get the error message on the first run; on the second run it connects.

@sam-sla

sam-sla commented Sep 20, 2022

For us in our organization we had to stop passing the username in the cli as Azure does a stricter check apparently.
Also make sure you have the username removed/commented from .config/openconnect-sso/config.toml

@chenming1986

chenming1986 commented Oct 10, 2022

Thanks @sam-sla ! The solution works for me.

A further look seems to indicate my organization (or Azure) now checks how quickly the "sign in" button is clicked. If it's clicked too quickly, the authentication fails. In my case, I managed to work around it by replacing the following lines in ~/.config/openconnect-sso/config.toml

[[auto_fill_rules."https://*"]]
selector = "input[type=submit]"
action = "click"

with

[[auto_fill_rules."https://*"]]
selector = "input[value=Next]"
action = "click"

[[auto_fill_rules."https://*"]]
selector = "input[value=Yes]"
action = "click"

so that the saved username and password still work, only the "sign in" button needs to be clicked manually.

@chenming1986

In case someone would like to automate the authentication process before the official fix is out, another workaround is to add a delay before clicking the "sign in" button:

Change

f"""var elem = document.querySelector({selector}); if (elem) {{ elem.dispatchEvent(new Event("focus")); elem.click(); }}"""

to:

f"""var elem = document.querySelector({selector}); if (elem) {{ var click_delay=0; if (elem.value == "Sign in") {{click_delay = 1000;}} elem.dispatchEvent(new Event("focus")); setTimeout(function() {{ elem.click(); }}, click_delay); }}"""
