
SSO web authentication process

Posted: Fri Apr 29, 2022 8:49 am
by atoy40
Hello,

We're implementing SSO authentication using the new 2.5 feature (client pending + WEB_AUTH), but this is not very well documented.
First: it seems impossible to configure a profile without username and password (username is mandatory when saving the profile), but by definition there is no login/pass to set up in the client when using SSO, because they'll be provided through the SSO login form. Any workaround? (I've seen in the Viscosity client an option to disable login/passwd per profile.)
Then, on the webview itself launched by OpenVPN Connect, is there anything to do, when the auth process is done, to close the webview and return to the client UI? Maybe through a window.postMessage handled by OpenVPN Connect?

thanks
Anthony.

Re: SSO web authentication process

Posted: Mon Aug 01, 2022 4:39 pm
by mkrauser
Hey atoy40,

I'm also trying to implement SSO with OpenVPN. Can you share details of your config?
What to do within the web-view is described here:

https://github.com/OpenVPN/openvpn3/blo ... webauth.md

But I did not even manage to open the web-view correctly. I'm sending the WEBAUTH response, but so far the client does not open the URL.

/Matthias

Re: SSO web authentication process

Posted: Thu Jan 26, 2023 5:11 pm
by atoy40
@mkrauser, are you using a client that supports WEBAUTH, like openvpn-connect?

Anthony.

Re: SSO web authentication process

Posted: Thu Jun 01, 2023 3:25 pm
by mkrauser
I've worked on this for a few hours or even days, every now and then; this is the current state:

This is the relevant line in the server.conf:

    auth-user-pass-verify /etc/openvpn/saml-test.php via-file

The saml-test.php currently just looks like this:

    #!/usr/bin/php
    <?php
    // Write the three-line pending file: timeout, method, WEB_AUTH message.
    file_put_contents($_SERVER['auth_pending_file'], "300\nopenurl\nWEB_AUTH:external:https://some-test-url");
    // Exit with status 2 so OpenVPN treats the authentication as deferred.
    exit(2);

I'm using openvpn-connect on macOS. The test URL is opened in my browser, but neither appEvent.postMessage(...) nor window.parent.postMessage(...) is working or results in any change whatsoever.

When I try to use internal or hidden mode, the log within openvpn-connect shows the WEB_AUTH response, but does not open the webpage according to the access-logs from my web-server.

If anybody had more success... sharing is caring ;-)

Re: SSO web authentication process

Posted: Sun Dec 03, 2023 7:36 pm
by treb
Hello mkrauser,

Have you made any progress? I am also currently trying webauth and maybe you already have a working minimal example.

Re: SSO web authentication process

Posted: Fri Dec 08, 2023 8:28 am
by john5510
I have figured out how the webauth flow works.

On the client config, I configured it to ask for username and password. This seems redundant to me, since the user has to enter the credentials again on the SSO web page. I'd appreciate it if anyone can point out how to launch SSO auth without this credential prompt.

On the server side, either in a plugin or a script of type auth-user-pass-verify. When the user logs in, this plugin or script will be executed.

Write the following lines to the location stated by the environment variable "auth_pending_file":
300
webauth
WEB_AUTH::https://auth.mycompany.com/login?params

The first line is the timeout in seconds, although the timeout didn't seem to work either; the client still timed out after 60 seconds.
The second line is a fixed string; just keep it.
The third line contains the URL to redirect the VPN user to, together with whatever URL parameters you need.

Afterwards, store the path held in the environment variable "auth_control_file", which will be used later to notify OpenVPN of the auth result.
Finally, exit the plugin or script with exit code 2, which refers to deferred authentication.

After the user has successfully authenticated with the SSO, you have to implement your own way to communicate the auth result to the OpenVPN server. Then whatever is on the OpenVPN server receiving the result will write either 0 (auth failed) or 1 (auth success) into the file stated by the environment variable "auth_control_file"; the connection process will continue after the result is written.
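As an added example (not code from the thread or from OpenVPN), here is john5510's procedure as a POSIX shell auth-user-pass-verify script: the via-file half writes the three-line pending file and exits 2, and the callback half writes 1 or 0 into the saved auth_control_file. STATE_DIR, SSO_BASE_URL and the state= parameter carrying the token are assumptions; the callback handler that calls webauth_complete is your own.

```shell
#!/bin/sh
# Added example, not code from the thread: an auth-user-pass-verify script
# implementing the deferred WEB_AUTH flow john5510 describes. Assumes
# "auth-user-pass-verify /path/to/this.sh via-file" in server.conf and that
# your SSO callback handler later calls webauth_complete. STATE_DIR and
# SSO_BASE_URL are constructed placeholders.
set -eu

STATE_DIR="${STATE_DIR:-/var/run/openvpn-webauth}"             # token -> control file mapping
SSO_BASE_URL="${SSO_BASE_URL:-https://auth.example.com/login}"  # placeholder SSO login URL
PENDING_TIMEOUT=300                                             # seconds, first line of auth_pending_file

# Called by OpenVPN with the via-file as $1 (username on line 1, password on line 2).
# Reads auth_pending_file and auth_control_file from the environment OpenVPN sets.
webauth_start() {
    via_file="$1"
    username=$(head -n 1 "$via_file")
    # Unguessable per-session token so a callback can only complete its own login.
    token=$(od -A n -N 16 -t x1 /dev/urandom | tr -d ' \n')
    mkdir -p "$STATE_DIR"
    # Remember which control file (and user) this pending session belongs to.
    printf '%s\n%s\n' "$auth_control_file" "$username" > "$STATE_DIR/$token"
    # The three lines: timeout, fixed method string, WEB_AUTH message with the URL.
    printf '%s\nwebauth\nWEB_AUTH::%s?state=%s\n' \
        "$PENDING_TIMEOUT" "$SSO_BASE_URL" "$token" > "$auth_pending_file"
    return 2    # exit status 2 tells OpenVPN the authentication is deferred
}

# Called by the SSO callback handler: $1 is the token, $2 is "success" or "failure".
webauth_complete() {
    token="$1"; result="$2"
    # Only accept the exact token shape; anything else could traverse out of STATE_DIR.
    printf '%s' "$token" | grep -Eq '^[0-9a-f]{32}$' || return 1
    [ -f "$STATE_DIR/$token" ] || return 1
    control_file=$(head -n 1 "$STATE_DIR/$token")
    rm -f "$STATE_DIR/$token"   # one-shot: the same token cannot be replayed
    if [ "$result" = "success" ]; then
        printf '1\n' > "$control_file"   # 1 = auth success, connection continues
    else
        printf '0\n' > "$control_file"   # 0 = auth failed
    fi
}

# When OpenVPN runs this script it passes the via-file; under set -e the
# return status 2 from webauth_start becomes the script's exit status.
if [ "$#" -ge 1 ]; then
    webauth_start "$1"
fi
```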

Re: SSO web authentication process

Posted: Sat Dec 09, 2023 11:27 am
by john5510
The timeout of webauth or deferred auth seems to be the minimum among:
1. the timeout value provided in auth_pending_file
2. the handshake window
3. the renegotiation timeout

Re: SSO web authentication process

Posted: Tue Dec 12, 2023 10:06 am
by treb
Hello john5510,

thank you very much for your response! The redirect to the webauth works, but the timeout also doesn't work for me. I got these logs:

SENT CONTROL [username]: 'AUTH_PENDING,timeout 3000' (status=1)
SENT CONTROL [username]: 'INFO_PRE,WEB_AUTH:external:https://auth.mycompany.com/' (status=1)

I read in the docs, I have to use postMessage. Could you give me a good example, please? The docs are not very detailed.