VPN choice varies from institution to institution, and as I migrated from OpenVPN to Palo Alto's GlobalProtect, I found myself not wishing to use the provided closed-source Linux client. GlobalProtect VPNs are supported by the openconnect package; however, authentication via SAML is not readily supported. Luckily, the open source community being what it is, someone has already addressed this issue with their own package, gp-saml-gui, which performs the browser-based SAML authentication and captures the authentication cookie for use with openconnect.

gp-saml-gui is a wonderful package, but unfortunately it doesn't work out of the box with Microsoft Active Directory (see this issue here).
Using the discussion in that issue, I put together a basic script to authenticate with the GlobalProtect server. Be sure to replace globalprotect.example.edu with your correct GlobalProtect server address. Instructions to install gp-saml-gui can be found on its GitHub page. Once run, the script opens a window to authenticate with the SAML server and then, upon successful authentication, connects to the GlobalProtect server. The script stays in the foreground once connected; to disconnect, simply kill the running script. While connected, all of your traffic goes through the VPN. If you encounter issues, adding -vvv to either the gp-saml-gui or the openconnect command will make that command print verbose output.
# gp-saml-gui opens the SAML login window and, on success, prints HOST, USER and COOKIE as shell assignments
eval $( gp-saml-gui --gateway globalprotect.example.edu )
# feed the captured prelogin cookie to openconnect as the password; sudo is required to bring up the tunnel
echo "$COOKIE" | sudo -E openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST" --usergroup=gateway:prelogin-cookie
The above script should work without issue, but because some modern Linux distributions enforce system-wide minimum crypto policies, the TLS handshake during the SAML authentication step may not complete when the VPN server still uses an older TLS version (see this issue here). On Fedora 34, the policy can be lowered by executing sudo update-crypto-policies --set LEGACY. Note that this change is system-wide: the LEGACY policy re-enables older TLS versions and weaker algorithms for every TLS client on the machine, not just openconnect, so put it back with sudo update-crypto-policies --set DEFAULT once you have disconnected (the new policy only affects processes started after the change). If you encounter this issue, see the linked GitHub issue, or search for how to lower the crypto policy on your distribution. Unfortunately, if your institution runs a VPN that only offers an outdated TLS version, you have to lower the policy to authenticate successfully.