gp-saml-gui doesn't work on the latest Palo Alto updates (cookie is not in headers) #51

Closed
agutierrm opened this issue Jul 14, 2022 · 3 comments · Fixed by #59
Labels
good first issue Good for newcomers

Comments

@agutierrm

agutierrm commented Jul 14, 2022

Hi there: I was using gp-saml-gui to connect to my university GlobalProtect VPN site until yesterday.

The behaviour is like this: I run the script

eval $(OPENSSL_CONF=~/ssl.conf gp-saml-gui --gateway --clientos=Windows vpn.mysite.com)

and I can auth with my Microsoft Authenticator app on mobile and I see: Login successful!
But after that, nothing happens.

On the console, last message is:

[PAGE   ] Finished loading page https://XXXXXX.es/SAML20/SP/ACS

After a lot of researching, and running gp-saml-gui with the -x parameter, if I open the login window in another browser I see that the cookie is embedded in the webpage as a comment, and is not returned in the HTTP headers. I think that this is the root of the problem:


I don't know what version is running on the VPN appliance as it depends on another department, but I know that it was updated two days ago. Now that I know that this is the problem, when I get the "Login successful" window I press F12 and copy the prelogin cookie :-(. It's so slow but it works..

I write this post in case anybody has the same problem...

@dlenski
Owner

dlenski commented Jul 21, 2022

> After a lot of researching, and running gp-saml-gui with the -x parameter, if I open the login window in another browser I see that the cookie is embedded in the webpage as a comment, and is not returned in the HTTP headers. I think that this is the root of the problem:

In fact, all of the other GP SAML servers I've seen embed the saml-* and *-cookie values as both HTTP headers and comments.

I made gp-saml-gui use the cookies since it was easier and more reliable.

Perhaps we need to check both to be sufficiently robust? PRs to do this welcome.

> I don't know what version is running on the VPN appliance as it depends on another department, but I know that it was updated two days ago.

I wouldn't be surprised if the omission of the HTTP header versions is a mistake, perhaps due to some middlebox that filters out unknown HTTP headers.

I also wouldn't be surprised if this potential issue is already known to PAN, and if they make their servers emit both, and clients parse both, for this reason.

@ByteCommander
Contributor

We noticed the same issue in our network since today; likely there has been an update to some component that causes the changed responses. I wrote the PR above to keep checking for headers first, but also parse the body otherwise as a fallback.
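The headers-first, comments-as-fallback extraction that the two comments above describe, as an added example (not gp-saml-gui's own code). It assumes the completion fields arrive either as HTTP response headers or as bare XML elements inside an HTML comment on the ACS page; the field names beyond saml-username and prelogin-cookie, and the sample page, are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Completion fields a GlobalProtect SAML ACS page can deliver. Only
# 'saml-username' and 'prelogin-cookie' are named in the thread; the
# others are assumed to follow the same naming pattern.
SAML_FIELDS = ("saml-auth-status", "saml-username",
               "prelogin-cookie", "portal-userauthcookie")


def fields_from_headers(headers):
    """Preferred source: case-insensitive lookup in the HTTP headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {f: lower[f] for f in SAML_FIELDS if f in lower}


def fields_from_comments(html):
    """Fallback source: XML elements wrapped in HTML comments (assumed layout)."""
    found = {}
    for comment in re.findall(r"<!--(.*?)-->", html, re.DOTALL):
        # The blob is a bare sequence of elements, so give it a root.
        try:
            root = ET.fromstring("<root>%s</root>" % comment.strip())
        except ET.ParseError:
            continue  # ordinary HTML comment, not the result blob
        for el in root:
            if el.tag in SAML_FIELDS and el.text:
                found.setdefault(el.tag, el.text.strip())
    return found


def extract_saml_result(headers, html):
    """Headers win; comment values only fill in fields the headers lack."""
    result = fields_from_headers(headers)
    if "prelogin-cookie" not in result and "portal-userauthcookie" not in result:
        for k, v in fields_from_comments(html).items():
            result.setdefault(k, v)
    return result


# Constructed ACS response mimicking the "comments only" server behaviour.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Saml-Auth-Status": "1"}
SAMPLE_BODY = """<html><body>Login successful!
<!-- <saml-auth-status>1</saml-auth-status>
<prelogin-cookie>EXAMPLE_PRELOGIN_COOKIE</prelogin-cookie>
<saml-username>jdoe@example.edu</saml-username> -->
</body></html>"""

if __name__ == "__main__":
    print(extract_saml_result(SAMPLE_HEADERS, SAMPLE_BODY))
```

Only the final ACS response from the VPN host itself should be parsed this way, whichever of the two sources carries the fields.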

ByteCommander added a commit to ByteCommander/gp-saml-gui that referenced this issue Oct 1, 2022
@messiahUA

I faced this issue as well. It's already December, any plans to merge the fix?

dlenski pushed a commit to ByteCommander/gp-saml-gui that referenced this issue May 4, 2023
Fixes dlenski#51

[DL: Some GlobalProtect VPNs apparently return the crucial username and
cookie result fields *only* in HTML comments and *not* in HTTP headers.  In
order to handle these cases correctly, we must parse the HTML comments in
addition to the headers.]

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
dlenski added a commit that referenced this issue May 4, 2023
Fix login if SAML response fields are only in HTML comment, not in HTTP headers.

Fixes #51
jollaitbot pushed a commit to sailfishos-mirror/openconnect that referenced this issue Sep 22, 2023
…ly in comments

This modifies the fake GP server to have a 'saml_comments_only' option.  If
set, the SAML completion fields ('saml-username', 'prelogin-cookie', etc.)
will be sent to the client *only* in a blob of XML wrapped in HTML comments,
and *not* in HTTP headers.

Some real GP servers are known to behave like this, and authentication
handlers like 'gp-saml-gui' need to be able to handle this case correctly
(see dlenski/gp-saml-gui#51 and
dlenski/gp-saml-gui#59).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
jollaitbot pushed a commit to sailfishos-mirror/openconnect that referenced this issue Sep 23, 2023
…ly in comments

This modifies the fake GP server to have a 'saml_comments_only' option.  If
set, the SAML completion fields ('saml-username', 'prelogin-cookie', etc.)
will be sent to the client *only* in a blob of XML wrapped in HTML comments,
and *not* in HTTP headers.

Some real GP servers are known to behave like this, and authentication
handlers like 'gp-saml-gui' need to be able to handle this case correctly
(see dlenski/gp-saml-gui#51 and
dlenski/gp-saml-gui#59).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>