Bug 2107412 - OpenConnect cannot open browser to complete SAML auth
Summary: OpenConnect cannot open browser to complete SAML auth
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 36
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2022-07-14 23:31 UTC by Patrick Lang
Modified: 2022-07-17 01:11 UTC (History)
3 users (show)

Fixed In Version: openconnect-9.01-3.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-07-17 01:11:16 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2048406 0 unspecified CLOSED Update openconnect 2022-07-14 23:31:08 UTC

Description Patrick Lang 2022-07-14 23:31:09 UTC
Description of problem:

I was just trying out the latest OpenConnect 9.0.1 and corresponding NetworkManager-openconnect update (2048406). That added support for SAML based logins, which is helpful.

I tried it out, and unfortunately I was met with an error:
Failed to spawn external browser for https://(path to my SAML-enabled AnyConnect profile)

If I manually visit that link while the nm-openconnect dialog is up and complete the SAML login, then the browser posts back to OpenConnect's endpoint (localhost:29786), and the VPN connection completes successfully.

This is consistent with a similar issue on Arch described at https://gitlab.com/openconnect/openconnect/-/issues/454 . They pointed to the missing xdg-open support in the build as the culprit.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Get a VPN connection using SAML-based authentication
2. Create a connection in Gnome-NetworkManager, using the https URL in the Gateway. Select VPN protocol "Cisco AnyConnect or OpenConnect"
3. Leave remaining fields empty
4. Try to connect using network manager. Click "Login"

Actual results:
"Failed to spawn external browser for <omitted private URL>"

Expected results:
I would expect it to open a browser window (via xdg-open) to complete the SAML auth.

Comment 1 Patrick Lang 2022-07-14 23:49:36 UTC
I looked at the build logs: https://kojipkgs.fedoraproject.org//packages/openconnect/9.01/2.fc36/data/logs/x86_64/build.log

and saw that the configure script did not find xdg-open:

 checking for xdg-open... checking for xdg-open... no

Comment 2 Nikos Mavrogiannopoulos 2022-07-15 06:20:42 UTC
Let me try to fix that.

Comment 3 Fedora Update System 2022-07-15 06:30:30 UTC
FEDORA-2022-8eb408a4dc has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8eb408a4dc

Comment 4 Patrick Lang 2022-07-15 18:16:38 UTC
Thanks! I tested that out and added feedback

Comment 5 Fedora Update System 2022-07-16 01:12:17 UTC
FEDORA-2022-8eb408a4dc has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-8eb408a4dc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8eb408a4dc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-07-17 01:11:16 UTC
FEDORA-2022-8eb408a4dc has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.