fix login if saml response is in body comment #59
Tested this within our company and it works now.
Any further updates or review comments on this, before it could get merged? @dlenski
Just chiming in that one of the VPNs I've been using stopped working overnight, and it turns out this was the issue, and this PR fixed it!
I hope this will be merged eventually.
Thank you @ByteCommander for your patience and refinement here. I tweaked the PR slightly (squash commits, cleanup), and tested it against OpenConnect's
Fixes dlenski#51

[DL: Some GlobalProtect VPNs apparently return the crucial username and cookie result fields *only* in HTML comments and *not* in HTTP headers. In order to handle these cases correctly, we must parse the HTML comments in addition to the headers.]

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
This is a workaround for timing/race conditions.
…ly in comments This modifies the fake GP server to have a 'saml_comments_only' option. If set, the SAML completion fields ('saml-username', 'prelogin-cookie', etc.) will be sent to the client *only* in a blob of XML wrapped in HTML comments, and *not* in HTTP headers. Some real GP servers are known to behave like this, and authentication handlers like 'gp-saml-gui' need to be able to handle this case correctly (see dlenski/gp-saml-gui#51 and dlenski/gp-saml-gui#59). Signed-off-by: Daniel Lenski <dlenski@gmail.com>
fixes #51
If there are no SAML and/or prelogin-cookie related headers found in the server responses, this PR adds the functionality to check the response body for those values in embedded XML documents inside any HTML body comments.
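An added example (not code from this PR or from gp-saml-gui) of the fallback described above: take the SAML result fields from the HTTP headers when present, and otherwise from XML embedded in HTML comments in the response body. The sample body layout, the placeholder values and the function names are assumptions; only the field names 'saml-username' and 'prelogin-cookie' come from this page.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Field names quoted on this page; a real server may send more.
SAML_FIELDS = ("saml-username", "prelogin-cookie")
# Constructed sample body (layout is an assumption, values are placeholders).
SAMPLE_BODY = (
    "<html><body>Login Successful!</body>\n"
    "<!-- <saml-auth-status>1</saml-auth-status>"
    "<prelogin-cookie>EXAMPLE-COOKIE</prelogin-cookie>"
    "<saml-username>alice@example.com</saml-username> -->\n"
    "<!-- plain remark & nothing else -->\n</html>"
)

class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)

def fields_from_comments(body, wanted=SAML_FIELDS):
    """Return the wanted fields found in XML embedded in HTML comments."""
    collector = CommentCollector()
    collector.feed(body)
    collector.close()
    found = {}
    for comment in collector.comments:
        # The body is server-controlled: skip anything carrying a DTD.
        if "<!DOCTYPE" in comment.upper():
            continue
        try:
            # Synthetic root so sibling elements without a wrapper still parse.
            root = ET.fromstring("<root>%s</root>" % comment.strip())
        except ET.ParseError:
            continue  # an ordinary comment, not an XML blob
        for elem in root.iter():
            if elem.tag in wanted and elem.text:
                found.setdefault(elem.tag, elem.text.strip())
    return found

def saml_result(headers, body, wanted=SAML_FIELDS):
    """Prefer HTTP headers; use comments only for fields they lack."""
    result = {k.lower(): v for k, v in headers.items() if k.lower() in wanted}
    if len(result) < len(wanted):
        for name, value in fields_from_comments(body, wanted).items():
            result.setdefault(name, value)
    return result
```

Header values win over comment values for the same field, and comments that are not well-formed XML are ignored rather than treated as errors.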