Doesn't print any cookie after Microsoft SAML process #46

Open
bmaehr opened this issue Jan 11, 2025 · 4 comments

bmaehr commented Jan 11, 2025

webview: "https://vpn.host.de/remote/saml/start"
webview: "https://login.microsoftonline.com/12922538-ea53-4718-bee9-9d....29e/saml2?SAMLRequest=jZLLbtswEEV%2FReB........59%2Bu8urp8A&RelayState=magic%3D2-17382.......134e1&SigAlg=http%3A%2F%2Fwww.w3.org%2F2777%2F79%2Fxmldsig%23rsa-sha5&Signature=uvvRtsz......RAkQ%3D%3D"
webview: "https://login.microsoftonline.com/12922538-ea53-4718-bee9-9d....29e/login"
webview: "https://login.microsoftonline.com/common/SAS/ProcessAuth"
js: crbug/1173575, non-JS module files deprecated.
webview: "https://vpn.host.de/remote/saml/login"

This is from the Qt version but the electron version had the same problem as far as I have seen.

If I can provide any information to debug just ask.

bmaehr (Author) commented Jan 11, 2025

--url-regex "/remote/saml/login" doesn't solve it

webview: "https://login.microsoftonline.com/common/SAS/ProcessAuth"
js: crbug/1173575, non-JS module files deprecated.
webview: "https://vpn.host.de/remote/saml/login"
webview: The current URL matches the given regex
Release of profile requested but WebEnginePage still not deleted. Expect troubles !

gm-vm (Owner) commented Jan 11, 2025

> Release of profile requested but WebEnginePage still not deleted. Expect troubles !

Uh, never paid attention to this, I've just fixed it (3108564).

Anyway, you have to log in from your preferred browser and check when and where the cookie is set.

You can also use this application with remote debugging enabled, you just need to set the QTWEBENGINE_REMOTE_DEBUGGING env variable (for some reason the command line argument is not working at the moment):

QTWEBENGINE_REMOTE_DEBUGGING=1234 openfortivpn-webview YOUR_ARGS

The application should print this:

DevTools listening on ws://127.0.0.1:1234/devtools/browser/52bdf6be-a221-4c85-91bf-84ccb9288056
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:1234

Opening http://127.0.0.1:1234 will let you inspect the page. Check if there exists a cookie named SVPNCOOKIE somewhere. See this for more info https://developer.chrome.com/docs/devtools/application/cookies.

Unfortunately there isn't much I can do here, the application just adds a listener and prints the value of SVPNCOOKIE as soon as it is set.
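
One way to do the browser-side check suggested above, as an added example that is not part of the thread or of openfortivpn-webview: export the login flow from the browser's DevTools Network tab as a HAR file and list which responses set which cookies. The host vpn.example.test, the cookie values and the helper names are constructed for illustration.

```python
import json
import sys
from pathlib import Path
from urllib.parse import urlsplit

TARGET = "SVPNCOOKIE"  # cookie name the application listens for, per the thread

def cookies_set_by(entry):
    """Return the set of cookie names that one HAR entry's response sets."""
    resp = entry["response"]
    names = {c["name"] for c in resp.get("cookies", [])}
    # Some exports leave response.cookies empty or join several Set-Cookie
    # headers with newlines, so the raw headers are parsed as well.
    for h in resp.get("headers", []):
        if h["name"].lower() == "set-cookie":
            names.update(l.split("=", 1)[0].strip()
                         for l in h["value"].splitlines() if "=" in l)
    return names

def trace_cookies(har, target=TARGET):
    """Return (rows, hits): one row per cookie-setting response, and the URLs that set target."""
    rows, hits = [], []
    for e in har["log"]["entries"]:
        names = cookies_set_by(e)
        if not names:
            continue
        u = urlsplit(e["request"]["url"])
        where = f"{u.netloc}{u.path}"  # query dropped: it carries SAMLRequest and Signature
        rows.append((e["request"]["method"], e["response"]["status"], where, sorted(names)))
        if target in names:
            hits.append(where)
    return rows, hits

def _entry(method, url, status, set_cookie=()):
    return {"request": {"method": method, "url": url},
            "response": {"status": status, "cookies": [],
                         "headers": [{"name": "Set-Cookie", "value": v} for v in set_cookie]}}

# Constructed sample mirroring the redirect chain in the thread (not real traffic).
SAMPLE_HAR = {"log": {"entries": [
    _entry("GET", "https://vpn.example.test/remote/saml/start", 302),
    _entry("POST", "https://login.microsoftonline.com/common/SAS/ProcessAuth", 200,
           ["ESTSAUTH=constructed; Secure; HttpOnly", "buid=constructed; Secure"]),
    _entry("POST", "https://vpn.example.test/remote/saml/login", 200),
]}}

if __name__ == "__main__":
    har = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_HAR
    rows, hits = trace_cookies(har)
    for method, status, where, names in rows:
        print(f"{method:4} {status} {where}  sets {', '.join(names)}")
    print(f"{TARGET} set at: {hits or 'nowhere in this capture'}")
```

A HAR export contains the cookie values and the SAML messages of the session, so it should be handled like a credential; the script prints cookie names and paths only.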

bmaehr (Author) commented Jan 12, 2025

There are a lot of cookies named ESTSAUTH*, esctx-2DpQ6PBmJU, buid, CCState, SignInStateCookie, fpc, x-ms-gateway-slice on the URL https://login.microsoftonline.com/common/SAS/ProcessAuth which I think all have nothing to do with it.

Then a SAMLResponse is POSTed to https://vpn.host.de/remote/saml/login.
Decoding it with https://www.samltool.com/decode.php gives an XML document starting with

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="..." InResponseTo="..." ... >
...
</samlp:Response>

Only thing that could be something interesting is the value InResponseTo that looks like _793EC0B28A6DBBD01D255884968415FF

JFYI: I was not able to do the Qt-Remote Debugging. I was able to connect with chrome but in the browser window you see just an information which site you are remote debugging but not what is going on on this site.

gm-vm (Owner) commented Jan 12, 2025

I know FortiGate supports a different authentication mechanism. I don't know if it existed back when I implemented this application, but it allows you to perform the authentication from any browser and pass back a session ID to the VPN client.

There are patches floating around to add support for this other authentication mechanism. You may want to try them:

openfortivpn:

openconnect:

> I was not able to do the Qt-Remote Debugging. I was able to connect with chrome but in the browser window you see just an information which site you are remote debugging but not what is going on on this site.

Weird. In any case remote debugging is useful to debug application specific issues, which is not your case. It looks like things are working differently for you.
