PAGP (Palo Alto Global Protect) with SAML authentication is broken on Ubuntu desktop
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
intel | In Progress | High | Unassigned | |
gp-saml-gui (Ubuntu) | Fix Released | Undecided | Shane McKee | |
Focal | Fix Released | Undecided | Shane McKee | |
Jammy | Fix Released | Undecided | Shane McKee | |
Lunar | Fix Released | Undecided | Shane McKee | |
Mantic | Fix Released | Undecided | Shane McKee | |
Bug Description
SRU Justification:
[ Impact ]
While trying to connect to the Palo Alto Global Protect (PAGP) VPN, gp-saml-gui hangs after authentication. Additionally, gp-saml-gui is not even available for 20.04 LTS users.
This fixes the first issue by backporting the following patch to each version of this package:
https:/
gp-saml-gui expects lowercase HTTP headers, so this patch allows gp-saml-gui to handle mixed-case headers as well.
It fixes the second issue by creating a gp-saml-gui focal package.
[ Test Plan ]
Assumptions:
1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https:/
6. Server is located at ${VPN_URL}
Instructions:
1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
- Login e-mail
- Login password
- OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_
[ Where problems could occur ]
* The patch is pretty innocuous looking and already exists upstream, but if it breaks
functionality, it could break authentication for all current users of this package
and prevent anyone from accessing their VPNs.
* Any backport which does not take all of the preceding patches risks missing
some required patches in between.
[ Other Info ]
* focal does not yet have a gp_saml_gui package, this is the initial upload on partner request (same version different version number than jammy)
* kinetic/22.10 is ignored, because it went EOL on July 20th, 2023
* fix is the same and applies as is to all further affected Ubuntu releases
* The debhelper-compat dependency version had to be downgraded to 12 in
debian/control for Focal since that is the version we have there.
--- Original Description ---
When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to a bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https:/
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.
This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package.
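The failure mode described in the report, as an added Python example that is not part of the original report and is not gp-saml-gui's own code: an exact-match lookup on lowercase header names finds nothing when the server sends mixed-case names, so the login never registers as complete, while normalising the field names first restores it. The header names, the completion rule and the sample responses are assumptions constructed for illustration.

```python
# Added illustration; header names, completion rule and samples are assumptions.
SAML_KEYS = ("saml-auth-status", "saml-username",
             "prelogin-cookie", "portal-userauthcookie")


def extract_case_sensitive(headers):
    """'Before' behaviour: only exact lowercase field names match."""
    found = dict(headers)
    return {k: found[k] for k in SAML_KEYS if k in found}


def extract_case_insensitive(headers):
    """Fixed behaviour: normalise each field name before comparing."""
    found = {}
    for name, value in headers:
        key = name.strip().lower()
        if key in SAML_KEYS:
            found.setdefault(key, value)  # keep the first occurrence
    return found


def login_complete(saml):
    """Assumed rule: success status, a username and one of the two cookies."""
    return (saml.get("saml-auth-status") == "1"
            and "saml-username" in saml
            and ("prelogin-cookie" in saml or "portal-userauthcookie" in saml))


# Constructed sample responses (not captured from a real server).
LOWERCASE = [("content-type", "text/html"), ("saml-auth-status", "1"),
             ("saml-username", "user@example.com"),
             ("prelogin-cookie", "CONSTRUCTED")]
MIXED_CASE = [("Content-Type", "text/html"), ("Saml-Auth-Status", "1"),
              ("Saml-Username", "user@example.com"),
              ("Prelogin-Cookie", "CONSTRUCTED")]

if __name__ == "__main__":
    for label, hdrs in (("lowercase", LOWERCASE), ("mixed-case", MIXED_CASE)):
        print(label,
              "exact-match:", login_complete(extract_case_sensitive(hdrs)),
              "normalised:", login_complete(extract_case_insensitive(hdrs)))
```
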
Changed in intel: | |
importance: | Undecided → High |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → gp-saml-gui (Ubuntu) |
Changed in gp-saml-gui (Ubuntu): | |
assignee: | nobody → Shane McKee (mckeesh) |
status: | New → Confirmed |
summary: |
- gp-saml-gui hangs after successful authentication
+ PAGP (Palo Alto Global Protect) with SAML authentication is broken on Ubuntu desktop |
Changed in intel: | |
status: | New → Confirmed |
Changed in gp-saml-gui (Ubuntu Lunar): | |
assignee: | nobody → Shane McKee (mckeesh) |
Changed in gp-saml-gui (Ubuntu Focal): | |
assignee: | nobody → Shane McKee (mckeesh) |
Changed in gp-saml-gui (Ubuntu Jammy): | |
assignee: | nobody → Shane McKee (mckeesh) |
information type: | Private → Public |
description: | updated |
description: | updated |
tags: |
added: verification-done-jammy verification-done-lunar
removed: verification-needed-jammy verification-needed-lunar |
tags: | added: verification-failed-focal |
Hello, Bun K Tan.
Do you have more details on how to test and reproduce the problem so we can validate if the fix is really working?
Thank you!