SSO web authentication process

Posted: Fri Apr 29, 2022 8:49 am
by atoy40

We're implementing SSO authentication by using the new 2.5 feature (client pending + WEB_AUTH), but this is not very well documented.
First, it seems impossible to configure a profile without a username and password (the username is mandatory when saving the profile), but by definition there is no login/password to set up in the client when using SSO, because they'll be provided through the SSO login form. Any workaround? (I've seen in the Viscosity client an option to disable login/password per profile.)
Then, on the webview itself launched by OpenVPN Connect, is there anything to do, when the auth process is done, to close the webview and return to the client UI? Maybe through a window.postMessage handled by OpenVPN Connect?


Re: SSO web authentication process

Posted: Mon Aug 01, 2022 4:39 pm
by mkrauser
Hey atoy40,

I'm also trying to implement SSO with OpenVPN. Can you share details of your config?
What to do within the web-view is described here: ...

But I did not even manage to open the web-view correctly. I'm sending the WEBAUTH-Response, but so far the client does not open the url.


Re: SSO web authentication process

Posted: Thu Jan 26, 2023 5:11 pm
by atoy40
@mkrauser, are you using a client that supports WEBAUTH, like openvpn-connect?


Re: SSO web authentication process

Posted: Thu Jun 01, 2023 3:25 pm
by mkrauser
I've worked on this for a few hours or even days, every now and then. This is the current state:

This is the relevant line in the server.conf:

Code:

auth-user-pass-verify /etc/openvpn/saml-test.php via-file

The saml-test.php currently just looks like this:

Code:

// Lines written: timeout in seconds, pending-auth method, EXTRA string for the client
file_put_contents($_SERVER['auth_pending_file'], "300\nopenurl\nWEB_AUTH:external:https://some-test-url");

I'm using openvpn-connect on MacOS. The Test-URL is opened in my Browser, but neither appEvent.postMessage(...) nor window.parent.postMessage(...) is working or results in any change whatsoever.

When I try to use internal or hidden mode, the log within openvpn-connect shows the WEB_AUTH response, but does not open the webpage according to the access-logs from my web-server.

If anybody had more success... sharing is caring ;-)
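
For reference, an added example that is not part of any post in this thread: a Python helper that builds and validates the three-line auth_pending_file body before a verify script writes it. It assumes the method-to-prefix pairing from OpenVPN's doc/management-notes.txt (webauth with WEB_AUTH:flags:url, openurl with OPEN_URL:url); the function name and the sso.example.test host are hypothetical.

```python
# Added example (not from the thread): build the three lines a deferred
# --auth-user-pass-verify script writes to $auth_pending_file.
from urllib.parse import urlsplit

# Method name (as advertised in the client's IV_SSO) -> EXTRA prefix.
PREFIX = {"webauth": "WEB_AUTH", "openurl": "OPEN_URL"}
WEBAUTH_FLAGS = {"hidden", "external"}  # proxy=... is left out of this example


def build_pending(timeout, method, url, iv_sso, flags=()):
    """Return the auth_pending_file body, or raise ValueError."""
    if not isinstance(timeout, int) or timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    if method not in PREFIX:
        raise ValueError(f"unsupported method {method!r}")
    # Only offer a method the client announced in its IV_SSO variable.
    if method not in [m.strip() for m in iv_sso.split(",")]:
        raise ValueError(f"client did not advertise {method!r} in IV_SSO")
    # The file is line-oriented: a CR/LF or other control character in the
    # URL (e.g. from a per-session state parameter) would corrupt it.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        raise ValueError("URL contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("URL must be absolute https")
    if method == "webauth":
        bad = set(flags) - WEBAUTH_FLAGS
        if bad:
            raise ValueError(f"unknown flags {sorted(bad)}")
        extra = f"{PREFIX[method]}:{','.join(flags)}:{url}"
    else:
        if flags:
            raise ValueError("OPEN_URL takes no flags")
        extra = f"{PREFIX[method]}:{url}"
    return f"{timeout}\n{method}\n{extra}"


if __name__ == "__main__":
    # Constructed sample values; sso.example.test is a placeholder host.
    print(build_pending(300, "webauth", "https://sso.example.test/start?s=abc",
                        iv_sso="webauth,crtext", flags=("external",)))
```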