Would openconnect (GP) work with Azure AD and Microsoft Authenticator App?

[stipx]

Hi,

at our company our IT department is switching to Azure AD with Microsoft Authenticator App (in notification mode). I would suspect that an URL is polled which returns the status of the auth app. Basically the client would need the information if the approval button got clicked at the app.

Has somebody any experience with openconnect (wich global protect) and such solutions?

Thanks

[dlenski]

First of all, I know nothing about Azure AD, and can't keep up with the explosion of federated single-sign-on providers out there. Please point other users to relevant technical documentation of how these work, if possible. Seems that Azure AD uses SAML like most other services: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Based on the way that other similar services work (Okta in particular, SAML in general), you would need some kind of script to do the HTTPS-based "authentication dance" and pass the resulting authentication tokens to openconnect. See #116 and #118 and #122 for more discussion.

Lastly, is this question actually specific to the GlobalProtect protocol? Probably not… in which case it's more appropriate for the openconnect-devel list.

[stipx]

Thanks Dan for pointing me in the right directions. We'll see how this whole thing at our company will go further. There are currently some discussions going on regarding this topic.

And most likely I'll need to create a script for the auth dance. Let's see.

[stipx]

I just tried it and it works :)

[JamieMagee]

@stipx Can you share your script?

[stipx]

@JamieMagee there is no script. Basically it works like this:

• The login POST call is done
• The call waits until the notification in the auth app got answered
• the call returns with a successful login if "approve" was answered
• openconnect continues as expected

So my whole concerns were invalid.

[dlenski]

@stipx, thanks for the explanation and the useful reference.

This is similar to how Symantec VIP access works in its "smartphone app mode"; it sends an "Approve/Deny?" request to the user's smartphone when the user tries to login, and then the login server blocks until the user responds on the smartphone.

[rlueder]

My company recently switch from Okta to Microsoft Authenticator causing the standard Gnome VPN client to not connect anymore, for those with the same issue @vlaci's https://github.com/vlaci/openconnect-sso solved the issue.