Integrate with NetworkManager #335

Open
yuezk opened this issue Mar 11, 2024 · 4 comments

Comments

@yuezk
Owner

yuezk commented Mar 11, 2024

Sorry for taking so long to get back to you. There are two issues. Please let me know if I should split these into two reports.

First issue regarding using Network Manager. Here is the log that I get when I try to connect using Network Manager.

POST https://ras.cf.ac.uk/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 131.251.255.229:443
Connected to 131.251.255.229:443
SSL negotiation with ras.cf.ac.uk
Connected to HTTPS on ras.cf.ac.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 19 Feb 2024 10:15:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1544
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=6bf7bd7e-8dee-4848-b471-c69b7d0ca56e; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1544)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/bdb74b30-9568-4856-bdbf-06759778fcbc/saml2?SAMLRequest=hVHLTsMwEPyVyPe8XOdlNZFCe6BSEVETOHBBjuO0FoldvA7i80lbEOVSjrs7O7MzuwQ2DkdaTvagduJ9EmCdz3FQQM%2BDHE1GUc1AAlVsFEAtp3X5sKXYC%2BjRaKu5HpBTAghjpVYrrWAahamF%2BZBcPO22OTpYewTq%2B4aBx3uPcW96o4Qs%2FBMRDvy68stVjZz1LC4VO9H8Lg16L5U3Sm406N5qNUglPK5Hv%2B3ahLSLwM2iOHVJGsXu3OrdIE6iLEnSnrfcP7nAyNmsc%2FSaxISxqI%2B7TGAiwrbr%2BqTDPEtZGnQxCWcYwCQ2CixTNkc4wMQNsBtmTRjQMKIEvyCn%2BjZ9J1Un1f52Qu0FBPS%2BaSq3eqwb5DwLA2eLMwAVy9OF9CxsrpK%2FTct%2B4kbF%2F%2BEu%2FSuJ4lL9%2FXjxBQ%3D%3D&RelayState=6OEFAKUOnWU2YmY3YmQ3ZS04ZGVlLTQ4NDgtYjQ3MS1jNjliN2QwY2E1NmU%3D
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse XML server response
Response was:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>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</saml-request>
<auth-api>no</auth-api><region>GB</region>
</prelogin-response>

Network Manager does not manage to open a browser window for MFA. So I'm guessing that the relevant display variables are not being passed on. Is there a way to include these in Network Manager?

Originally posted by @gonneman in #316 (comment)
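
The log above ends with the client failing to parse a prelogin response that asks for SAML REDIRECT authentication. The following is an added example, not code from this project or from openconnect: it parses a response of that shape and checks the redirect target before a browser would be opened. The sample response, the `idp.example.test` host, the `parse_prelogin` name and the host allow-list are constructed for illustration, and the example assumes that for the REDIRECT method `<saml-request>` carries the base64-encoded identity-provider URL.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the fields of the response in the log above.
# Assumption: for REDIRECT, <saml-request> is the base64-encoded IdP URL.
IDP_URL = "https://idp.example.test/saml2?SAMLRequest=constructed"
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request>{base64.b64encode(IDP_URL.encode()).decode()}</saml-request>
<region>GB</region>
</prelogin-response>"""


def parse_prelogin(xml_text, allowed_idp_hosts):
    """Return the SAML details of a prelogin response, or raise ValueError."""
    # The response comes from the network: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"response is not well-formed XML: {exc}") from exc
    if root.tag != "prelogin-response":
        raise ValueError(f"unexpected root element {root.tag!r}")
    if (root.findtext("status") or "").strip() != "Success":
        raise ValueError("prelogin status is not Success")
    method = (root.findtext("saml-auth-method") or "").strip().upper()
    if method != "REDIRECT":
        raise ValueError(f"unhandled saml-auth-method {method!r}")
    try:
        raw = base64.b64decode(root.findtext("saml-request") or "", validate=True)
        url = raw.decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        raise ValueError("saml-request is not valid base64 text") from exc
    # Only hand an HTTPS URL on an expected IdP host to the browser.
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_idp_hosts:
        raise ValueError(f"refusing SAML redirect to host {parts.hostname!r}")
    timeout = int(root.findtext("saml-request-timeout") or 0)
    return {"method": method, "idp_host": parts.hostname,
            "url": url, "timeout_s": timeout}


if __name__ == "__main__":
    print(parse_prelogin(SAMPLE, {"idp.example.test"}))
```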

@yuezk
Owner Author

yuezk commented Mar 11, 2024

Not sure whether it is related to the DISPLAY variable.

In 1.x, I was planning to integrate with NetworkManager. Also tried to understand the code of https://gitlab.gnome.org/GNOME/NetworkManager-openconnect. As I remember, openconnect provides some hooks that the NetworkManager-openconnect can implement to customize the authenticator.

@gonneman

Is there any information that I can provide that would help with this?

@yuezk
Owner Author

yuezk commented Mar 12, 2024

Currently, I'm not planning to integrate with NetworkManager in 2.x, and I'm not familiar with the NetworkManager-openconnect project. You should raise an issue there to see if they could provide help.

@ahsand97

Connecting with NetworkManager is actually not that hard. I managed to create this script that automatically does all the necessary steps to connect to a GP VPN using openconnect and NetworkManager (nmcli). I think you can integrate that into your application and have an option like "Connect using NetworkManager", so the users can choose whether to connect directly using plain openconnect or manage their connections using NetworkManager.
