Does SAML work with using SBL/PLAP with OpenVPN GUI? #687
Comments
Apart from the fact that I am not sure if webauth/launching a browser works with PLAP/SBL, the UI normally starts OpenVPN with all the management-* options but also with
I added the "setenv" directive to the Client Profile along with the management commands, and the situation is the same (OpenVPN GUI is not sending management 127.0.0.1 12345
I think what you are missing is restarting the process after the config has been edited with IV_SSO. To do this, restart the OpenVPNService.
Here is why:
Hey @selvanair, thanks. Now I'm not getting that error, but the SAML authentication gets stuck here because there is no external web browser redirection that would let us continue the SAML authentication via the IdP login page: How will that work if we're still before the Windows login?
Launching a browser is not supported from the PLAP screen. CR_TEXT should work. For prestarted connections, OPEN_URL will work only after the user logs in and the GUI attaches to the running process. Edit: I started responding to this thread without reading the title or the initial question. No, SAML does not currently work from PLAP.
@selvanair thanks for the clarification. Is there any plan to get SAML working with SBL/PLAP, or is it not possible at all?
No plans at my end. Opening a web browser should be possible, but doesn't look safe to me as everything runs as SYSTEM on logon screen. |
Hello @selvanair @lstipakov,
I tested OpenVPN GUI with SBL/PLAP using PAM, LOCAL, LDAP, and RADIUS as authentication methods, and they worked fine; however, this didn't work with SAML.
This is what I noticed:
IV_SSO=openurl,webauth,crtext
to my VPN Server:

```
2024-05-07T13:45:36-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:36 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:44-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:44 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_VER=2.6.10'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT=win'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_TCPNL=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_MTU=1600'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_NCP=2'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PROTO=990'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_LZO_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUBv2=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSO=openurl,webauth,crtext'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:47 181.236.101.224:51189 TLS: Username/Password authentication deferred for username '[email protected]' "
```
```
management 127.0.0.1 12345
management-hold
management-query-passwords
```

I see that the OpenVPN GUI does not send
IV_SSO=openurl,webauth,crtext
to my VPN Server:

```
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 VERIFY OK: depth=0, CN=test1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_VER=2.6.10'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT=win'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_TCPNL=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_MTU=1600'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_NCP=2'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PROTO=990'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 TLS: Username/Password authentication deferred for username '[email protected]' "
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted'
2024-05-07T13:46:09-0500 [stdout#info] VPN Auth Failed: 'websso' ['This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)']
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MANAGEMENT: CMD 'client-deny 16 1 "AS auth failed" "This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)"''
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MULTI: connection rejected: AS auth failed, CLI:This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 Delayed exit in 5 seconds'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [UNDEF]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [test1]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"
```
Is this a bug?
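As an added example (not from this issue or the OpenVPN GUI project), a small triage script over server log lines in the format quoted above: it groups the IV_* peer info by client address:port and flags sessions that never announced IV_SSO=webauth, which is exactly the condition the server's AUTH_FAILED message complains about. The sample log lines are constructed, with a documentation IP address in place of the real client.

```python
import re
from collections import defaultdict

# Constructed sample lines in the server log format quoted in the issue (documentation IP, not real traffic).
SAMPLE_LOG = """\
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 198.51.100.10:51189 peer info: IV_VER=2.6.10'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 198.51.100.10:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 198.51.100.10:51189 peer info: IV_SSO=openurl,webauth,crtext'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 198.51.100.10:52634 peer info: IV_VER=2.6.10'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 198.51.100.10:52634 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 198.51.100.10:52634 SENT CONTROL [test1]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"
"""

# "<ip>:<port> peer info: IV_NAME=value'"  -- one IV_* attribute per log line
PEER_INFO_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) peer info: (IV_[A-Z0-9_]+)=([^']*)'")
# "<ip>:<port> SENT CONTROL [cn]: 'AUTH_FAILED,<reason>'"
AUTH_FAILED_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED,([^']*)'")


def parse_sessions(log_text):
    """Group announced IV_* peer info and any AUTH_FAILED reason by client address:port."""
    sessions = defaultdict(lambda: {"peer_info": {}, "auth_failed": None})
    for line in log_text.splitlines():
        m = PEER_INFO_RE.search(line)
        if m:
            sessions[m.group(1)]["peer_info"][m.group(2)] = m.group(3)
            continue
        m = AUTH_FAILED_RE.search(line)
        if m:
            sessions[m.group(1)]["auth_failed"] = m.group(2)
    return dict(sessions)


def sso_capabilities(session):
    """Set of IV_SSO methods the client announced; empty when IV_SSO was never sent."""
    return {cap for cap in session["peer_info"].get("IV_SSO", "").split(",") if cap}


def sessions_missing_webauth(log_text):
    """Map peer -> AUTH_FAILED reason (or None) for sessions that never announced IV_SSO=webauth."""
    return {
        peer: s["auth_failed"]
        for peer, s in parse_sessions(log_text).items()
        if "webauth" not in sso_capabilities(s)
    }
```

Running it over the constructed sample reports only the second session, the one that was rejected with the "requires web based SAML authentication" reason.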