I have a Pulse Secure VPN that is using SAML authentication by Okta. Everything works fine if I use the native Pulse Secure client. I am interested in getting openconnect to work, but by default it does not support any kind of MFA.
I was able to find how SAML works with Palo Altos, for example - the user gets to a web page where they log in, and as part of the response they get a cookie with a specific name. Then there's a specific URL on the Palo Alto that the VPN client connects to, using that cookie as a password. You can follow the whole process manually, or you can write a script that will handle it for you, but ultimately you can make a Palo Alto work with openconnect and SAML.
I can't seem to find anywhere how exactly the interaction between Pulse and SAML happens. I am assuming the process should be similar. Before I start reverse engineering it all with packet captures, I figured I'd ask - maybe somebody knows how it all works and can share their knowledge? It would greatly simplify the process of writing a script to make openconnect work with Pulse Secure.
Edit: Thanks to the link from /u/OhMyInternetPolitics I was able to make it work. Making a CLI-only tool is certainly possible, but it would be really hard to make a generic one, as you have to open up a web browser and type in your username/password in there, so each different provider will have different HTML form IDs. However, if I just open up a web browser and wait for the user to do all of their inputs, then the code is actually trivial.
The login process is as follows: go to the SAML URL, get redirected, complete your login, password and 2FA. At the end, receive a cookie with the name DSID. Then establish the connection with openconnect, using the value of that cookie for authentication (-C switch). I am using the Selenium framework to fire up Chrome (so you will need to get chromedriver).
The script below is obviously extremely rough. I do not plan on doing more work on it, as this was just an exercise for fun. But this should give you a good starting point if you need to use openconnect with SAML for Pulse Secure.
from selenium import webdriver
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.support.ui import WebDriverWait
import subprocess
host = "your.vpn.com" #could be "your.vpn.com/saml" if you have different authentication endpoints
user = "username"
# declare webdriver to control browser. You can use different browser if you prefer
# Selenium 4 takes the chromedriver path via a Service object (the old positional
# executable_path argument was removed); recent Selenium can also locate chromedriver itself
driver = webdriver.Chrome(service=Service("./chromedriver"))
# Configure wait, 60 seconds should be more than enough to enter all the credentials
wait = WebDriverWait(driver, 60)
# open up the VPN web page
driver.get("https://"+host)
# Keep checking for cookie to appear in the web browser (after user is done with authentication process).
# get_cookie() returns None until the cookie exists, so the lambda is a usable wait condition
dsid = wait.until(lambda driver: driver.get_cookie("DSID"))
# We don't need browser once we got cookie
driver.quit()
# Run a shell command to start openconnect (needs root privileges to bring up the tunnel)
subprocess.run(["openconnect", "-C", dsid["value"], "--protocol=pulse", "-u", user, host])
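The same flow (browser login, wait for DSID, hand the cookie to openconnect) as an added example that is not part of the original post or of the poster's script. Two things it does differently: the cookie-polling and command-building logic does not depend on Selenium, so it can be dry-run offline against a constructed fake driver, and the DSID value is fed to openconnect through its `--cookie-on-stdin` option instead of the `-C` argument, so the session cookie does not appear in `ps` output or shell history. Assumptions: Selenium 4.x with chromedriver for the real browser run, openconnect started under `sudo` (it needs root to bring up the tunnel; sudo reads its password prompt from the terminal, not from the stdin pipe carrying the cookie), and the raw DSID value being what openconnect's pulse protocol expects, as the post reports.

```python
"""SAML login in a browser, then openconnect --protocol=pulse with the DSID
cookie passed on stdin. Added example; not the original poster's code."""
import subprocess
import time


def wait_for_dsid(driver, timeout=120, poll=0.5):
    """Poll the browser until the Pulse session cookie DSID exists.

    `driver` only needs a Selenium-style get_cookie(name) -> dict | None,
    so this loop itself does not import selenium. Returns the cookie value,
    or raises TimeoutError if the user never finishes the SAML login.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        cookie = driver.get_cookie("DSID")
        if cookie and cookie.get("value"):
            return cookie["value"]
        time.sleep(poll)
    raise TimeoutError("no DSID cookie after %s s; SAML login not completed" % timeout)


def openconnect_command(host, user, use_sudo=True):
    """Build the openconnect argv. The cookie is deliberately not in it:
    --cookie-on-stdin makes openconnect read it from standard input, so the
    session token never shows up in the process list or command history."""
    cmd = ["openconnect", "--protocol=pulse", "--cookie-on-stdin", "-u", user, host]
    if use_sudo:  # assumption: openconnect runs as root via sudo
        cmd.insert(0, "sudo")
    return cmd


def run_openconnect(host, user, dsid, use_sudo=True):
    """Start the tunnel, feeding the DSID value on stdin; returns the exit code."""
    proc = subprocess.run(openconnect_command(host, user, use_sudo),
                          input=dsid + "\n", text=True)
    return proc.returncode


def saml_login_and_connect(host, user, driver_path="./chromedriver"):
    """Real run: open Chrome on the VPN's SAML URL, wait for the user to log in,
    then connect. Selenium is imported here so the helpers above stay usable
    (and testable) on a machine without it."""
    from selenium import webdriver                       # assumption: Selenium 4.x
    from selenium.webdriver.chrome.service import Service

    driver = webdriver.Chrome(service=Service(driver_path))
    try:
        driver.get("https://" + host)
        dsid = wait_for_dsid(driver)
    finally:
        driver.quit()                                    # browser not needed once we have the cookie
    return run_openconnect(host, user, dsid)


class ScriptedDriver:
    """Constructed stand-in for a Selenium driver, for offline dry runs:
    get_cookie() returns None for the first `calls_before_login` calls (the
    user is still typing), then a DSID cookie like the browser would hold."""

    def __init__(self, calls_before_login, value="constructed-dsid-value"):
        self.remaining = calls_before_login
        self.value = value

    def get_cookie(self, name):
        if name != "DSID":
            return None
        if self.remaining > 0:
            self.remaining -= 1
            return None
        return {"name": "DSID", "value": self.value, "domain": "your.vpn.com"}


if __name__ == "__main__":
    import sys
    vpn_host, vpn_user = sys.argv[1], sys.argv[2]        # e.g. your.vpn.com username
    sys.exit(saml_login_and_connect(vpn_host, vpn_user))
```

Usage: `python3 pulse_saml.py your.vpn.com username`. If the cookie ever needs to go on the command line after all, note that `-C` is visible to every local user for as long as openconnect runs, which is the whole VPN session.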