SSO web authentication process

Official client software for OpenVPN Access Server and OpenVPN Cloud.
atoy40
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 29, 2022 8:41 am

SSO web authentication process

Post by atoy40 » Fri Apr 29, 2022 8:49 am

Hello,

we're implementing SSO authentication by using the new 2.5 feature (client pending + WEB_AUTH), but this is not very well documented.
First: it seems impossible to configure a profile without username and password (username is mandatory when saving the profile), but by definition there is no login/pass to set up in the client when using SSO, because they'll be provided through the SSO login form. Any workaround? (I've seen in the Viscosity client an option to disable login/passwd per profile.)
Then, on the webview itself launched by OpenVPN Connect, is there anything to do, when the auth process is done, to close the webview and return to the client UI? Maybe through a window.postMessage handled by OpenVPN Connect?

thanks
Anthony.

mkrauser
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 01, 2022 4:35 pm

Re: SSO web authentication process

Post by mkrauser » Mon Aug 01, 2022 4:39 pm

Hey atoy40,

I'm also trying to implement SSO with OpenVPN. Can you share details of your config?
What to do within the web-view is described here:

https://github.com/OpenVPN/openvpn3/blo ... webauth.md

But I did not even manage to open the web-view correctly. I'm sending the WEBAUTH-Response, but so far the client does not open the url.

/Matthias

atoy40
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 29, 2022 8:41 am

Re: SSO web authentication process

Post by atoy40 » Thu Jan 26, 2023 5:11 pm

@mkrauser, are you using a client that support WEBAUTH, like openvpn-connect ?

Anthony.

mkrauser
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 01, 2022 4:35 pm

Re: SSO web authentication process

Post by mkrauser » Thu Jun 01, 2023 3:25 pm

I've worked on this a few hours or even days, every now and then. This is the current state:

This is the relevant line in the server.conf:

Code:

auth-user-pass-verify /etc/openvpn/saml-test.php via-file
The saml-test.php currently just looks like this:

Code:

#!/usr/bin/php
<?php
// Ask OpenVPN to put the client into pending state and push the web auth URL to it.
file_put_contents($_SERVER['auth_pending_file'], "300\nopenurl\nWEB_AUTH:external:https://some-test-url\n");
// Exit code 2 means "deferred authentication"; OpenVPN only consults auth_pending_file in that case.
exit(2);
I'm using openvpn-connect on macOS. The test URL is opened in my browser, but neither appEvent.postMessage(...) nor window.parent.postMessage(...) is working or results in any change whatsoever.

When I try to use internal or hidden mode, the log within openvpn-connect shows the WEB_AUTH response, but does not open the webpage according to the access-logs from my web-server.

If anybody had more success... sharing is caring ;-)

treb
OpenVpn Newbie
Posts: 2
Joined: Sun Dec 03, 2023 7:34 pm

Re: SSO web authentication process

Post by treb » Sun Dec 03, 2023 7:36 pm

Hello mkrauser,

Have you made any progress? I am also currently trying webauth and maybe you already have a working minimal example.

john5510
OpenVpn Newbie
Posts: 2
Joined: Fri Dec 08, 2023 8:17 am

Re: SSO web authentication process

Post by john5510 » Fri Dec 08, 2023 8:28 am

I have figured out how the webauth flow works.

On the client config, I configured it to ask for username and password. This seems redundant to me, since the user has to enter the credentials again in the SSO webpage; I'd appreciate it if anyone can point out how to launch SSO auth without this credential prompt.

On the server side, either in a plugin or a script of type auth-user-pass-verify: when the user logs in, this plugin or script will be executed.

Write the following lines to the location stated by the environment variable "auth_pending_file":
300
webauth
WEB_AUTH::https://auth.mycompany.com/login?params

The first line is the timeout in seconds, although the timeout doesn't seem to work either; the client still times out after 60 seconds.
The second line is a fixed string, just keep it.
The third line contains the URL to redirect the VPN user to, together with whatever URL parameters you need.

Afterwards, store the path in the environment variable "auth_control_file", which will be used later to notify OpenVPN of the auth result.
Finally, exit the plugin or script with exit code 2, which refers to deferred authentication.

After the user has successfully authenticated with the SSO, you have to implement your own way to communicate the auth result to the OpenVPN server. Then whatever thing on the OpenVPN server receives the result will write either 0 (auth failed) or 1 (auth success) into the file stated by the environment variable "auth_control_file"; the connection process will continue after the result is written.
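The deferred flow described in this post, as an added example (not code from the thread or from the OpenVPN project): a Python auth-user-pass-verify script that writes the pending file and exits with code 2, plus the server-side callback that writes auth_control_file. The SSO URL, the state directory and the one-time state token that binds the SSO callback to the pending VPN session are assumptions of this example; they keep an SSO callback from approving a session it did not start.

```python
#!/usr/bin/env python3
"""Deferred web auth for OpenVPN (auth-user-pass-verify ... via-file). Hypothetical example."""
import json
import os
import re
import secrets
import sys
from urllib.parse import urlencode

SSO_LOGIN_URL = "https://auth.example.com/login"          # assumed IdP login endpoint
STATE_DIR = "/var/run/openvpn-webauth"                    # assumed; holds token -> session records
PENDING_TIMEOUT = 300                                      # first line of auth_pending_file
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")               # shape of secrets.token_urlsafe output


def write_pending(pending_file, url, timeout=PENDING_TIMEOUT):
    """Write the three lines OpenVPN expects: timeout, method 'webauth', WEB_AUTH message."""
    with open(pending_file, "w") as f:
        f.write(f"{timeout}\nwebauth\nWEB_AUTH::{url}\n")


def start_deferred_auth(username, pending_file, control_file, state_dir=STATE_DIR):
    """Create a one-time state token tied to this session, persist it, write the pending file."""
    token = secrets.token_urlsafe(32)
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    record_path = os.path.join(state_dir, token + ".json")
    fd = os.open(record_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)   # no clobbering
    with os.fdopen(fd, "w") as f:
        json.dump({"user": username, "control_file": control_file}, f)
    write_pending(pending_file, SSO_LOGIN_URL + "?" + urlencode({"state": token}))
    return token


def complete_deferred_auth(token, sso_user, success, state_dir=STATE_DIR):
    """SSO callback side: consume the token, require the IdP identity to match the VPN user,
    then write 1 (success) or 0 (failure) to auth_control_file. Returns True when accepted."""
    if not TOKEN_RE.fullmatch(token):                       # reject traversal / garbage tokens
        return False
    record_path = os.path.join(state_dir, token + ".json")
    try:
        with open(record_path) as f:
            record = json.load(f)
    except FileNotFoundError:
        return False                                        # unknown or already-used token
    os.unlink(record_path)                                  # single use
    accepted = bool(success) and sso_user == record["user"]
    with open(record["control_file"], "w") as f:
        f.write("1" if accepted else "0")
    return accepted


if __name__ == "__main__":
    with open(sys.argv[1]) as f:                            # via-file: line 1 user, line 2 password
        vpn_user = f.readline().rstrip("\n")                # the password line is ignored here
    start_deferred_auth(vpn_user, os.environ["auth_pending_file"], os.environ["auth_control_file"])
    sys.exit(2)                                             # 2 = deferred authentication
```

The callback handler that receives the IdP response (not shown) calls complete_deferred_auth with the state parameter and the authenticated identity.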

john5510
OpenVpn Newbie
Posts: 2
Joined: Fri Dec 08, 2023 8:17 am

Re: SSO web authentication process

Post by john5510 » Sat Dec 09, 2023 11:27 am

The timeout of webauth or deferred auth seems to be the minimum among:
1. the timeout value provided in auth_pending_file
2. the handshake window
3. the renegotiation timeout

treb
OpenVpn Newbie
Posts: 2
Joined: Sun Dec 03, 2023 7:34 pm

Re: SSO web authentication process

Post by treb » Tue Dec 12, 2023 10:06 am

Hello john5510,

thank you very much for your response! The redirect to the webauth works, but the timeout also doesn't work for me. I got these logs:

SENT CONTROL [username]: 'AUTH_PENDING,timeout 3000' (status=1)
SENT CONTROL [username]: 'INFO_PRE,WEB_AUTH:external:https://auth.mycompany.com/' (status=1)

I read in the docs, I have to use postMessage. Could you give me a good example, please? The docs are not very detailed.
