NetworkManager-openconnect doesn't currently support SAML authentication. Any VPNs that require Web-logins like SSO are unusable without extra steps.

There are a few attempts to resolve this:

- A gitlab MR pending matched with debian/ubuntu out-of-tree support, targeting Ubuntu 22.04: https://gitlab.com/openconnect/openconnect/-/merge_requests/299
- Another older MR: https://gitlab.com/openconnect/openconnect/-/merge_requests/75
- There's a 3rd party wrapper script called openconnect-sso: https://github.com/vlaci/openconnect-sso

The first seems most likely to provide short-term good-user-experience support, by way of actual integration with NetworkManager.
I was able to compile Fedora 35 packages with the patches from Ubuntu 22.04. Sadly, they made no difference for my setup, which is Pulse Secure with Okta authentication. This package lets me connect: https://github.com/utknoxville/openconnect-pulse-gui (proper NetworkManager integration would be much better, obviously).

Anyway, since others can benefit from those patches, I want to share my experience briefly.

Both openconnect and NetworkManager-openconnect need to be patched. NetworkManager-openconnect should require (definitely for build and likely for runtime) the patched openconnect, as it adds two new functions.

The patch for openconnect needs to be adjusted slightly, as it touches libopenconnect.map.in very close to the place where 0002-Unconditionally-bypass-system-crypto-policy.patch modifies it.

NetworkManager-openconnect needs a new dependency in the specfile:

BuildRequires: pkgconfig(webkit2gtk-4.0)

No other patches from the Ubuntu packages are needed to make the Fedora packages compile.
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
Are there any attempts being made to upstream the Ubuntu patches so Fedora and other distros benefit?
From what I'm seeing and hearing from colleagues the changes have been merged upstream. openconnect 9.0.1 (see https://www.infradead.org/openconnect/changelog.html) was built with Koji for fc36, but never released for some reason. That is one of the requirements. There are fixes for NetworkManager-openconnect already merged (https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/26), but not in a released version yet. Not sure how feasible it is to try and extract the required patches or just wait for the next release.
The current F36 should contain the necessary changes. Please reopen if not.
If I'm not mistaken, the required changes to NetworkManager-openconnect are not in F36 currently. Those are merged into upstream mainline, but still not in any released version of NetworkManager-openconnect.
My experience has been that you need patches for both openconnect and NetworkManager-openconnect for it to work. All the necessary patches for my company's VPN server, which now requires SAML/SSO, have been merged upstream, but are not yet in the most recent releases.
Confirmed as not working in F36 with my employer's AnyConnect-based VPN right now; attempting to log in results in a "No SSO handler" error.
I was able to get my employer's AnyConnect-based VPN working with a couple COPRs enabled recently:

NetworkManager 1.40.1
openconnect 9.01.git.55.92084ea
NetworkManager-openconnect 1.2.9.git.80.2f48f84

With these COPRs:

https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/
https://copr.fedorainfracloud.org/coprs/networkmanager/NetworkManager-1.40-debug/
(In reply to Jeremy Nickurak from comment #9)
> I was able to get my employer's AnyConnect-based VPN working with a couple
> COPRs enabled recently:
>
> NetworkManager 1.40.1
> openconnect 9.01.git.55.92084ea
> NetworkManager-openconnect 1.2.9.git.80.2f48f84
>
> With these COPRs:
>
> https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/
> https://copr.fedorainfracloud.org/coprs/networkmanager/NetworkManager-1.40-debug/

Have you tried with Fedora 37? It seems that the packages are one patch release away from the versions you mentioned:

* NetworkManager: 1.40.0-1.fc37 vs 1.40.1
* NetworkManager-openconnect: 1.2.8-3.fc37 vs 1.2.9.git.80.2f48f84
* openconnect: 9.01-3.fc37 vs 9.01.git.55.92084ea (this one seems good)
(In reply to Romain Failliot from comment #10)
> Have you tried with Fedora 37? It seems that the packages are one patch
> release away from the versions you mentioned:
>
> * NetworkManager: 1.40.0-1.fc37 vs 1.40.1
> * NetworkManager-openconnect: 1.2.8-3.fc37 vs 1.2.9.git.80.2f48f84
> * openconnect: 9.01-3.fc37 vs 9.01.git.55.92084ea (this one seems good)

I just tried with Fedora 37 Beta and (after upgrading the OS) I still have the "No SSO handler" error when trying to log in.

@dwmw2 do you think it would be possible to get the latest release for these three packages ready for Fedora 37?
Confirming here, Fedora 37 still doesn't connect successfully. I once again re-enabled the https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/ copr (*but not https://copr.fedorainfracloud.org/coprs/networkmanager/NetworkManager-1.40-debug/*), and at that point all worked correctly.
dnf log from the run that fixed things:

2022-09-26T22:54:47-0600 DEBUG --> Starting dependency resolution
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect.x86_64 1.2.8-3.fc37 will be upgraded
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect.x86_64 1.2.9.git.81.3c15907-0.fc37 will be an upgrade
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect-gnome.x86_64 1.2.8-3.fc37 will be upgraded
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect-gnome.x86_64 1.2.9.git.81.3c15907-0.fc37 will be an upgrade
2022-09-26T22:54:47-0600 DEBUG ---> Package openconnect.x86_64 9.01-3.fc37 will be upgraded
2022-09-26T22:54:47-0600 DEBUG ---> Package openconnect.x86_64 9.01.git.74.76dc679-0.fc37 will be an upgrade
2022-09-26T22:54:47-0600 DEBUG --> Finished dependency resolution

Haven't looked any closer to see which one of those resolved the "No SSO handler" error which was (IIRC) the same symptom on F36 w/o any coprs added.
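The comment above leaves open which of the upgraded packages actually changed the outcome. An added example, not code from the bug report or from the openconnect project, that parses dnf's "will be upgraded" / "will be an upgrade" line pairs and reports which packages moved from a distro build to a COPR git snapshot (the dwmw2 COPR builds carry a `.git.N.<hash>-0.fcNN` version, which is the assumption the snapshot check relies on). The log sample is the one quoted in the comment, reduced to two packages:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two of the package pairs from the dnf debug log quoted
# in the comment above, plus the surrounding resolution markers.
SAMPLE_LOG = """\
2022-09-26T22:54:47-0600 DEBUG --> Starting dependency resolution
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect.x86_64 1.2.8-3.fc37 will be upgraded
2022-09-26T22:54:47-0600 DEBUG ---> Package NetworkManager-openconnect.x86_64 1.2.9.git.81.3c15907-0.fc37 will be an upgrade
2022-09-26T22:54:47-0600 DEBUG ---> Package openconnect.x86_64 9.01-3.fc37 will be upgraded
2022-09-26T22:54:47-0600 DEBUG ---> Package openconnect.x86_64 9.01.git.74.76dc679-0.fc37 will be an upgrade
2022-09-26T22:54:47-0600 DEBUG --> Finished dependency resolution
"""

# dnf prints the installed package as "will be upgraded" and the replacement
# as "will be an upgrade"; both carry name.arch and the version-release string.
LINE_RE = re.compile(
    r"Package (?P<name>\S+)\.(?P<arch>\S+) (?P<evr>\S+) will be (?P<what>upgraded|an upgrade)$"
)


def parse_upgrades(log: str) -> Dict[str, Tuple[str, str]]:
    """Map 'name.arch' -> (old_evr, new_evr) for every package that has both lines."""
    old: Dict[str, str] = {}
    new: Dict[str, str] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = f"{m['name']}.{m['arch']}"
        if m["what"] == "upgraded":
            old[key] = m["evr"]
        else:
            new[key] = m["evr"]
    return {k: (old[k], new[k]) for k in old if k in new}


def snapshot_packages(upgrades: Dict[str, Tuple[str, str]]) -> List[str]:
    """Packages whose new build is a git snapshot (assumed COPR naming: '<ver>.git.N.<hash>-0.fcNN')."""
    return sorted(k for k, (_old, new) in upgrades.items() if ".git." in new)


if __name__ == "__main__":
    ups = parse_upgrades(SAMPLE_LOG)
    for name, (old, new) in sorted(ups.items()):
        print(f"{name}: {old} -> {new}")
    print("snapshot builds:", snapshot_packages(ups))
```

Run it against `/var/log/dnf.log` to get the same table for a real transaction; a package that appears in `snapshot_packages` but not in the advisory later pushed to stable is the one to re-test once the COPR is disabled.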
(oops, didn't mean to clear that needsinfo)
I've been using https://github.com/dlenski/gp-saml-gui but I wanted to make this work with NetworkManager.

Here are the versions in Fedora 37 (do not work for me):

NetworkManager-openconnect 1.2.8-3.fc37
NetworkManager-openconnect-gnome 1.2.8-3.fc37
openconnect 9.01-3.fc37

I enabled the Copr, upgraded the packages, and restarted NetworkManager:

dnf copr enable -y dwmw2/openconnect
dnf distro-sync
systemctl restart NetworkManager

Now these versions are working for me:

NetworkManager-openconnect 1.2.9.git.83.7bdfee8-0.fc37
NetworkManager-openconnect-gnome 1.2.9.git.83.7bdfee8-0.fc37
openconnect 9.01.git.113.f873e8f-0.fc37
Input with OTP gets successfully accepted by the real Cisco AnyConnect server but NetworkManager does not recognize it and still keeps the dialog open with a permanent error message about "unrecognized authentication type". "You have successfully authenticated. You may now close this browser tab." but clicking on any of the buttons Connect, Login again or even Close does not do anything. VPN stays inactive.

Packages installed & updated from dwm2 copr as stated below.

openconnect-9.01-3.fc37.x86_64
NetworkManager-openconnect-1.2.9.git.83.7bdfee8-0.fc37.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.83.7bdfee8-0.fc37.x86_64
stoken-libs-0.92-7.fc37.x86_64

BTW is it alternatively possible in that popup dialog to also use a token e.g. yubikey with QtWebEngine as the obvious browser widget?
These packages work for AnyConnect setup here.

openconnect-9.01.git.119.1f5a780-0.fc37.x86_64
NetworkManager-openconnect-1.2.9.git.83.7bdfee8-0.fc37.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.83.7bdfee8-0.fc37.x86_64
libtasn1-4.19.0-1.fc37.x86_64
stoken-libs-0.92-7.fc37.x86_64
Please update packages.
Could I know if this is fixed in FC38?
(In reply to Allen Chen from comment #19)
> Could I know if this is fixed in FC38?

Probably no. Maybe try openconnect-sso package from external repo of dwm2 copr.
Thanks, Raphael.
(In reply to Allen Chen from comment #21)
> Thanks, Raphael.

You're welcome. Wondering too why there is no progress so far as more and more services start to request two factor auth via saml/sso.
I tried dwmw2/openconnect on FC38 and always got a CRASH when editing Network VPN connections; not sure if anyone has this working on FC38. FC38 has 1.2.8 for NetworkManager-openconnect and NetworkManager-openconnect-gnome instead of 1.2.9 in dwmw2/openconnect.
It still works for me with Fedora 37 and AnyConnect, for relevant packages see comment #17. No idea though what's maybe different within Fedora 38 then, though I'm going to upgrade soonish.
The packages I have on FC38 with Gnome Settings CRASH editing network VPN connections:

openconnect-9.01.git.181.e1a3be3-0.fc38.x86_64
NetworkManager-openconnect-1.2.9.git.111.9dd5870-0.fc38.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.111.9dd5870-0.fc38.x86_64
There's now an update for the mentioned packages landed for Fedora 37, too. I can wait.
This message is a reminder that Fedora Linux 36 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 36 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Thanks for your patience. We're working on a new release of NetworkManager-openconnect and openconnect. Any test results with the latest builds in the COPR at https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/package/NetworkManager-openconnect/ would be much appreciated.

We believe we have fixed:

• "Socket accept cancelled" in KDE Plasma-NM immediately after launching browser
• GNOME auth GUI locking up after launching Chrome, if a Chrome window already exists. (Or any other browser that spews noise to stdout)

I'd be very interested in the crash that you report, Allen. Please can you help us to reproduce this: how is the network configured and precisely how are you editing it, and how do you make it crash? Can you catch it in gdb or point to a captured crash dump?
(We'd also like to fix the outstanding configuration issue with PKCS#11 URIs before the release, discussed at https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/43 )
hi, David,

I have the latest FC38 installation with COPR packages:

openconnect-9.01.git.182.017b7b4-0.fc38.x86_64
NetworkManager-openconnect-1.2.9.git.114.233675e-0.fc38.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.114.233675e-0.fc38.x86_64

I can simply reproduce the CRASH as follows: Open GNOME Settings, go to Network, Add connection, Select the first one Multi-protocol VPN Client (openconnect). The Settings application CRASHED.

Part of the trace log from the CRASH report:

--- Running report_uReport ---
('report_uReport' completed successfully)
--- Skipping collect_GConf ---
No matching actions found for this event.
--- Skipping collect_vimrc_system ---
No matching actions found for this event.
--- Skipping collect_vimrc_user ---
No matching actions found for this event.
--- Skipping collect_xsession_errors ---
No matching actions found for this event.
--- Running analyze_CCpp ---
Generating backtrace

I am trying to collect more. Last week I tried to disable the COPR one and re-install the Fedora native packages; no such crash but I have no openconnect feature there.

Thanks, and let me know if I can help to collect other information to fix this.
I run the gnome-control-center in a terminal and reproduced the CRASH; I got this on the terminal:

gnome-control-center

21:31:00.4754 **[342088]:CRITICAL: init_editor_plugin: assertion 'widget' failed
21:31:00.4896 GLib-GObject[342088]:CRITICAL: invalid unclassed pointer in cast to 'NMACertChooserButton'
21:31:00.4896 GLib-GObject[342088]:CRITICAL: g_type_instance_get_private: assertion 'instance != NULL && instance->g_class != NULL' failed
Segmentation fault (core dumped)
According to recent comments moving to Fedora 37 as 36 is quite nearly EOL.
Please could you report that crash in a separate bug against NetworkManager itself (perhaps libnma but I think it's all the same source package?)
(In reply to Raphael Groner from comment #26)
> There's now an update for the mentioned packages landed for Fedora 37, too.

All packages updated today. No crash of NetworkManager (main package updated also) on my system detectable and I can still connect to AnyConnect VPN.

openconnect-9.01.git.185.7783837-0.fc37.x86_64
NetworkManager-openconnect-1.2.9.git.114.233675e-0.fc37.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.114.233675e-0.fc37.x86_64
NetworkManager-1.40.18-1.fc37.x86_64

So I suspect openconnect as the unstable component. Allen, can you retry with a new snapshot of openconnect?
I believe the gnome-control-center crash should now be fixed. Please could you retest?
(In reply to Raphael Groner from comment #34)
> All packages updated today. No crash of NetworkManager (main package updated
> also) on my system detectable and I can still connect to AnyConnect VPN.

I believe the crash was only happening when you edit the connection, and only in gnome-control-center (with gtk4) rather than nm-connection-editor (which still uses gtk3). It should be fixed in NetworkManager-openconnect 1.2.9.git.116.06054ed
Updated to the following packages:

openconnect-9.01.git.186.ab5f163-0.fc38.x86_64
NetworkManager-openconnect-1.2.9.git.121.3f7afad-0.fc38.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.121.3f7afad-0.fc38.x86_64

Yes. I can add a new VPN connection with Multi-protocol VPN client (openconnect), but I still can NOT edit the connection after I added it when I test the connection. The edit connection UI is always pending and does not populate the right content; it can only be canceled.
BTW, I want to confirm whether the NM connection file created by the UI editor is correct or not. I tried to create a Pulse Secure Connection (Openconnect) and ONLY gave the gateway and kept everything else as default, then clicked "Add". I got this connection file in /etc/NetworkManager/system-connections:

[connection]
id=VPN 1
uuid=864f95fb-1d53-4e20-ab43-82cbf21ede65
type=vpn
autoconnect=false
permissions=user:allen:;

[vpn]
authtype=password
autoconnect-flags=0
certsigs-flags=0
cookie-flags=2
disable_udp=no
enable_csd_trojan=no
gateway=secure.sample.com
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
pem_passphrase_fsid=no
prevent_invalid_cert=no
protocol=pulse
resolve-flags=2
stoken_source=disabled
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto

[proxy]

But I can not edit/enable/delete this connection in gnome-control-center --> Network. I can delete or view it in nm-connection-editor; I am not sure if I can edit it, because when I am editing it in nm-connection-editor I also can NOT change any field there.

Thanks.
Thanks. Please could you run gnome-control-center and/or nm-connection-editor from a terminal and show all their output while you attempt this?
gnome-control-center

22:21:05.4111 nm[526419]:CRITICAL: ((src/libnm-client-impl/nm-device.c:2450)): assertion '<dropped>' failed
22:21:29.5632 nm[526419]:CRITICAL: ((src/libnm-client-impl/nm-device.c:2450)): assertion '<dropped>' failed

nm-connection-editor

** Message: 22:23:01.361: Cannot save connection due to error: Invalid setting VPN: gateway
** Message: 22:23:04.314: Connection validates and can be saved

Did the same action with gnome-control-center and nm-connection-editor on the CLI (terminal) and got the above output.

1. Add a VPN connection Pulse Connect Secure
2. Try to edit the connection; both tools can NOT edit the added VPN connection

No CRASH, but I do not think the edit connection works fine.
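The keyfile posted two comments up, and the "Invalid setting VPN: gateway" message above, are both about the contents of the `[vpn]` section that NetworkManager-openconnect writes. As an added example (not code from the bug report, from NetworkManager or from the openconnect project), here is a small parser and checker for that keyfile: it reads the file with Python's `configparser`, decodes the `*-flags` keys using the libnm `NMSettingSecretFlags` bit values (0 system-owned, 1 agent-owned, 2 not-saved, 4 not-required), and flags the conditions nm-connection-editor complains about, such as an empty gateway. The sample keyfile is the one from the comment; the set of accepted `protocol` values is taken from openconnect 9.x's own protocol names and is an assumption about what NM-openconnect stores in that key.

```python
import configparser
from typing import Dict, List

# NMSettingSecretFlags bit values from libnm; the "<secret>-flags" keys in the
# [vpn] section are a bitmask of these.
SECRET_FLAGS = {1: "agent-owned", 2: "not-saved", 4: "not-required"}

# Assumption: NM-openconnect stores openconnect's own protocol names here.
KNOWN_PROTOCOLS = {"anyconnect", "nc", "gp", "pulse", "f5", "fortinet", "array"}

OPENCONNECT_SERVICE = "org.freedesktop.NetworkManager.openconnect"

# Constructed sample: the keyfile from the comment above, unchanged.
SAMPLE_KEYFILE = """\
[connection]
id=VPN 1
uuid=864f95fb-1d53-4e20-ab43-82cbf21ede65
type=vpn
autoconnect=false
permissions=user:allen:;

[vpn]
authtype=password
autoconnect-flags=0
certsigs-flags=0
cookie-flags=2
disable_udp=no
enable_csd_trojan=no
gateway=secure.sample.com
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
pem_passphrase_fsid=no
prevent_invalid_cert=no
protocol=pulse
resolve-flags=2
stoken_source=disabled
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto

[proxy]
"""


def load_keyfile(text: str) -> configparser.ConfigParser:
    """NM keyfiles are INI-like; keep key case and disable % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def decode_flags(value: str) -> List[str]:
    """Turn a secret-flags bitmask into names; 0 means the secret is system-owned."""
    n = int(value)
    names = [name for bit, name in SECRET_FLAGS.items() if n & bit]
    return names or ["system-owned"]


def secret_flag_summary(text: str) -> Dict[str, List[str]]:
    """Map every '<secret>-flags' key in [vpn] to its decoded flag names."""
    vpn = load_keyfile(text)["vpn"]
    return {k: decode_flags(v) for k, v in vpn.items() if k.endswith("-flags")}


def check_openconnect_vpn(text: str) -> List[str]:
    """Return the problems found in the connection; an empty list means it looks valid."""
    cp = load_keyfile(text)
    problems: List[str] = []
    if cp.get("connection", "type", fallback=None) != "vpn":
        problems.append("connection.type is not 'vpn'")
    if not cp.has_section("vpn"):
        return problems + ["missing [vpn] section"]
    vpn = cp["vpn"]
    if vpn.get("service-type") != OPENCONNECT_SERVICE:
        problems.append("service-type is not the openconnect plugin")
    if not vpn.get("gateway", "").strip():
        # This is the case nm-connection-editor reports as "Invalid setting VPN: gateway".
        problems.append("gateway is empty")
    proto = vpn.get("protocol", "anyconnect")
    if proto not in KNOWN_PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    return problems


if __name__ == "__main__":
    print("problems:", check_openconnect_vpn(SAMPLE_KEYFILE))
    for key, names in secret_flag_summary(SAMPLE_KEYFILE).items():
        print(f"{key}: {', '.join(names)}")
```

Point `load_keyfile` at a file under `/etc/NetworkManager/system-connections/` (root-only, mode 0600) to check a real connection. For the sample, `cookie-flags=2` decodes to `not-saved`, i.e. the session cookie is requested fresh on every connect rather than stored, which is the behaviour a browser-based SSO login needs.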
I tried with gnome-control-center Network Add/Edit VPN connection today with:

openconnect-9.10.git.6.4023bd9-0.fc38.x86_64
NetworkManager-openconnect-1.2.9.git.128.4725947-0.fc38.x86_64
NetworkManager-openconnect-gnome-1.2.9.git.128.4725947-0.fc38.x86_64

It is fine now. Confirmed it fixed the CRASH and the edit issue. What I need to know is how to enable the SSO authentication instead of the password one?
Hi, David, I noticed on Gitlab the repository of OpenConnect. I tried once more with my company's Pulse Secure VPN, both openconnect cli and openconnect-gnome, with the packages mentioned in comment#41.

I got "Failed to find or parse web form in login page" for both.

The VPN is a pulse secure one, but I should use protocol=nc and this VPN is using Microsoft SSO/SAML authentication.

If possible, do you have any thread or issue at the Gitlab side so that we can work together on this feature debug and test, more easily and efficiently?

Thanks.
(In reply to Allen Chen from comment #42)
> Hi, David, I noticed on Gitlab the repository of OpenConnect.
> I tried once more with my company's Pulse Secure VPN both openconnect cli
> and openconnect-gnome with the package mentioned in comment#41.
>
> I got Failed to find or parse web form in login page
> for both.
>
> The VPN is pulse secure one, but I should use protocol=nc and this VPN is
> using Microsoft SSO/SAML authentication.
> If possible, do you have any thread or issue at Gitlab side so that we
> can work together on this feature debug and test, more easily and efficiently.
>
> Thanks.

Hi Allen,

I think you probably want https://gitlab.com/openconnect/openconnect/-/issues/385

I think we just need someone with access to such a VPN to spend some time capturing the traffic from the official Pulse client and working out how the SAML support works. There are some external tools like https://github.com/utknoxville/openconnect-pulse-gui which attempt to do the authentication and then just spawn openconnect with the required cookie to establish the connection (and you can feed that same cookie into NetworkManager too). It'd be good to incorporate that support directly into openconnect/NM-openconnect.
Just a comment: Even if this isn't working totally perfectly for a bunch of people, is it the case that this upgrade isn't a regression for users who don't need the SSO/SAML login functionality? If so, maybe getting this feature work included even if it's not perfect would be better than the zero-support-for-SSO-SAML that users currently have access to?
hi, David, yes. I have the official Pulse Secure RPM installed and used on FC38. It works, except that the DNS resolver config for tun0 after the VPN connection is set up is not supported. I use a script to fix that. I might be able to work on the data capture if there is some guide or tools. I will check the gitlab issue first.
I tried openconnect-pulse-gui very quickly and hit the host checker can NOT pass.
FEDORA-2023-e8e59b49a6 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e8e59b49a6
FEDORA-2023-d44bee1462 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d44bee1462
FEDORA-2023-d44bee1462 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-d44bee1462` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-d44bee1462 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-e8e59b49a6 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e8e59b49a6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e8e59b49a6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-d44bee1462 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
Confirming that, after removing the 2 coprs I was using for this, doing a distro-sync, and rebooting, I can still successfully connect to my work's Okta-auth-protected cisco-based VPN with NetworkManager-openconnect in Gnome on fedora 38, without needing Cisco's Anyconnect installed. Thanks dwmw2!
FEDORA-2023-e8e59b49a6 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.