VPN choice varies from institution to institution, and as I migrate from OpenVPN to Palo Alto's GlobalProtect, I found myself not wishing to use the provided, closed-source Linux client. GlobalProtect VPNs are supported through the `openconnect` package; however, authentication via SAML is not readily supported. Luckily, the open source community being what it is, someone has already addressed this issue with their own package, `gp-saml-gui`, which performs the browser-based SAML authentication and captures the authentication cookie for use with `openconnect`.
`gp-saml-gui` is a wonderful package, but unfortunately doesn't work out of the box with Microsoft Active Directory (see this issue here).
Using the discussion in that issue, I put together a basic script to authenticate with the GlobalProtect server. Be sure to replace `globalprotect.example.edu` with your correct GlobalProtect server address. Instructions to install `gp-saml-gui` can be found on its GitHub page. Once run, the script will open a window to authenticate with the SAML server, and then upon successful authentication, connect to the GlobalProtect server. The script will stay open once connected, and to disconnect, simply kill the running script. While connected, all of your traffic will go through the VPN. If you encounter issues, adding `-vvv` to either the `gp-saml-gui` or `openconnect` commands will make the corresponding command output verbose messages.
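```bash
#!/bin/bash
# gp-saml-gui prints shell assignments (HOST, USER, COOKIE); load them into this shell.
eval "$( gp-saml-gui --gateway globalprotect.example.edu )"
# Feed the SAML cookie to openconnect on stdin rather than on the command line.
echo "$COOKIE" | sudo -E openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST" --usergroup=gateway:prelogin-cookie
```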
The above script should work without issue, but some modern Linux distributions enforce 'minimum security policies', so the TLS handshake with the SAML authentication server may not complete when the VPN uses older TLS versions (see this issue here). On Fedora 34, this can be disabled by executing `sudo update-crypto-policies --set LEGACY`, which switches the system-wide crypto policy to LEGACY. If you encounter this issue, see the linked GitHub Issue, or search for how to disable the minimum security policy on your distribution. Unfortunately, if your institution decides to use a VPN with an outdated TLS version, you have to disable the minimum security policy to successfully authenticate.
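Because `update-crypto-policies --set LEGACY` changes the policy for the whole system and the change persists, one way to limit the exposure on Fedora is to hold LEGACY only while the VPN script runs and restore the previous policy afterwards. The wrapper below is an added example, not part of the original script or of gp-saml-gui; the `POLICY_TOOL` variable and the file names in the usage comment are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: keep Fedora's crypto policy at LEGACY only while the VPN
# script runs, then restore whatever policy was active before.
# POLICY_TOOL is an assumed override hook (not an option of any real tool) so
# the logic can be exercised without changing the system policy.
POLICY_TOOL=${POLICY_TOOL:-"sudo update-crypto-policies"}

with_legacy_policy() {
    local previous status
    # Record the active policy, e.g. DEFAULT or FUTURE.
    previous=$($POLICY_TOOL --show) || return 1
    if [ -z "$previous" ]; then
        echo "could not read the current crypto policy" >&2
        return 1
    fi
    if [ "$previous" != "LEGACY" ]; then
        $POLICY_TOOL --set LEGACY >/dev/null || return 1
    fi
    # Killing the VPN script is how the connection is closed; catch INT/TERM
    # here so this wrapper survives long enough to undo the policy change.
    trap : INT TERM
    "$@"
    status=$?
    trap - INT TERM
    if [ "$previous" != "LEGACY" ]; then
        $POLICY_TOOL --set "$previous" >/dev/null ||
            echo "WARNING: crypto policy is still LEGACY" >&2
    fi
    return $status
}

# Usage: ./with-legacy.sh ./vpn.sh   (both file names are placeholders)
if [ $# -gt 0 ]; then
    with_legacy_policy "$@"
fi
```

Programs started while the VPN is up still run under LEGACY, so the wrapper narrows the window rather than scoping the weaker policy to the VPN alone.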