gp-saml-gui doesn't work on last Palo Alto updates (cookie is not in headers) #51
Comments
In fact, all of the other GP SAML servers I've seen embed the I made Perhaps we need to check both to be sufficiently robust? PRs to do this welcome.
I wouldn't be surprised if the omission of the HTTP header versions is a mistake, perhaps due to some middlebox that filters out unknown HTTP headers. I also wouldn't be surprised if this potential issue is already known to PAN, and if they make their servers emit both, and clients parse both, for this reason.
We noticed the same issue in our network since today, likely there has been an update to some component that causes the changed responses. I wrote the PR above to keep checking for headers first, but also parse the body otherwise as a fallback.
I faced this issue as well. It's already December, any plans to merge the fix?
Fixes dlenski#51 [DL: Some GlobalProtect VPNs apparently return the crucial username and cookie result fields *only* in HTML comments and *not* in HTTP headers. In order to handle these cases correctly, we must parse the HTML comments in addition to the headers.] Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Fix login if SAML response fields are only in HTML comment, not in HTTP headers. Fixes #51
…ly in comments This modifies the fake GP server to have a 'saml_comments_only' option. If set, the SAML completion fields ('saml-username', 'prelogin-cookie', etc.) will be sent to the client *only* in a blob of XML wrapped in HTML comments, and *not* in HTTP headers. Some real GP servers are known to behave like this, and authentication handlers like 'gp-saml-gui' need to be able to handle this case correctly (see dlenski/gp-saml-gui#51 and dlenski/gp-saml-gui#59). Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Hi there: I was using gp-saml-gui to connect to my University Global Protect VPN site until yesterday.
The behaviour is like this: I run the script
and, I can auth with my Microsoft Authenticator app on mobile and I see: Login succesful!
But after that, nothing happens.
On the console, last message is:
After a lot of research, and running gp-saml-gui with the -x parameter, if I open the login window with another browser I see that the cookie is embedded in the webpage as a comment, and is not returned in the HTTP headers. I think that this is the root of the problem:
I don't know what version is running on the VPN appliance, as it depends on another department, but I know that it was updated since two days ago. Now that I know that this is the problem, when I get the "Login succesful" window I press F12 and I copy the prelogin cookie :-(. It's so slow, but it works.
I'm writing this post in case anybody has the same problem...
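The fallback discussed in this thread (read the SAML result fields from the HTTP headers, then from the HTML comments in the body), as an added example that is not gp-saml-gui's own code. The sample body is constructed, and the layout of the fields as XML elements inside one HTML comment is an assumption taken from the commit message's description.

```python
import re
import xml.etree.ElementTree as ET

# Field names as given in this thread; a real server may send others too.
SAML_FIELDS = ("saml-username", "prelogin-cookie")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def fields_from_headers(headers):
    """Return SAML fields present as HTTP headers (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {f: lowered[f] for f in SAML_FIELDS if f in lowered}


def fields_from_comments(body):
    """Return SAML fields present as XML elements inside HTML comments."""
    found = {}
    for comment in COMMENT_RE.findall(body):
        try:
            # A dummy root lets several sibling elements parse as one tree.
            # It also means a DOCTYPE inside the comment is a parse error,
            # so the server-supplied text cannot declare its own entities.
            root = ET.fromstring("<root>" + comment + "</root>")
        except ET.ParseError:
            continue  # an ordinary HTML comment, not an XML blob
        for elem in root.iter():
            if elem.tag in SAML_FIELDS and elem.text:
                found.setdefault(elem.tag, elem.text.strip())
    return found


def extract_saml_fields(headers, body):
    """Headers take precedence; the body supplies whatever they lack."""
    result = fields_from_comments(body)
    result.update(fields_from_headers(headers))
    return result


# Constructed sample response body (values are placeholders).
SAMPLE_BODY = """<html><body>Login Successful!</body>
<!-- layout: header & footer -->
<!-- <prelogin-cookie>EXAMPLECOOKIE</prelogin-cookie>
<saml-username>alice@example.edu</saml-username> -->
</html>"""

if __name__ == "__main__":
    print(sorted(extract_saml_fields({}, SAMPLE_BODY)))
```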