Support SAML authentication #1241
Conversation
These changes were taken from the original author and all changes unrelated to SAML were removed.
Rainer-Keller
force-pushed
the
master
branch
from
5ac02fb to
4db8b39
Compare
|
|
I've extracted only the SAML feature from your branch for easier review. The configuration options for dns and route overwrite I did not adopt. These options may go in as a separate pull request. |
|
I will wait for this to be merged first |
Rainer-Keller
force-pushed
the
master
branch
from
4db8b39 to
0e9f255
Compare
Let's see how it goes... |
Rainer-Keller
force-pushed
the
master
branch
2 times, most recently
from
412e692 to
191099c
Compare
|
How does this compare to #1217? |
At a first glance it looks like both MRs are doing about the same. |
|
Not sure if something changed since I posted this comment |
It hasn't AFAICT, but all I get from your comment is that it's an independently developed alternative, and that you have implemented some additional features. Now, @Rainer-Keller has put some effort into breaking this up into manageable pieces, so I thought that there was some reason why this alternative implementation was deemed better. Hopefully, in the near future, I'll have some time to try out one or the other implementation. I'm not convinced having two to test is better than one 😅 |
|
@exzombie Yours looks fine as well. It has the extra option to pass the auth ID from the command line. But not sure of what use that is. If would be good to get some feedback from a maintainer which of these changes has the highest chance to get in. Otherwise we'll have double effort. |
There seems to be some confusion, that MR is not mine, it is from @filippor. And are you sure there's a third one? Anyway, thanks for reviewing that MR; I haven't taken the time yet, I'm still waiting for some prerequisites to fall into place. I hope we'll be able to move the SAML story forward, and that FortiClient updates won't break EMS, but that's a different ball of hair ... |
|
Actually, this pull request looks quite clean to me. I have been hesitant to dependencies on too many external tools, and also workflows involving sudo and pipes. Although I haven't recapitulated all discussions in the previous pull requests, and honestly I didn't do a detailed code review of them, I would still vote for this one. The reason for me is, that @Rainer-Keller has dropped several unrelated changes, and thereby has made the change much more readable and understandable. There are also a couple of potentially security related fixes included in this PR, compared to the original one. |
|
@exzombie
Any details on what prerequisites that are?
There are solutions out there that seems to use a special built browser tool to extract the SAML id and forward this to openfortivpn.
Pipes have been used in the original MR from @dsl400 , but these were unrelated to SAML and I have removed them. This would be my summary of the two PRs
If we all agree it is my PR that it the preferred candidate, then I can integrate the features from #1217 here as well. |
Our internal stuff, mostly, and Fortinet dragging their feet with supporting Ubuntu 24.04. So, nothing you need to bother yourself with.
Ah, ok. Just making sure I haven't missed another attempt at what I consider a proper SAML implementation. |
|
Hello I create the pull request #1217 when I found the way to implement it using external browser. I'm not a c developer. Thanks for the code review. If it is needed I will fix the issue. I have no problems if this one will be merged. But I will wait for a word from a maintainer to complete my PR. It is working as is for my needs |
There was a problem hiding this comment.
Hey! Thanks again for taking the time to push this feature forward. I'm happy with the simplicity of the approach, the "HTTP server" is really lightweight. That said, dealing with strings in C is one of the things I personally hate quite a bit, and the approach taken in the HTTP server does not convince me that the code is safe. I made some suggestions, hope you find them helpful.
src/http_server.c
Outdated
| return -1; | ||
| } | ||
|
|
||
| strncpy(id, &request[id_start], id_length); |
There was a problem hiding this comment.
I'm confused here. id_length is determined by looking for a space. Then, you use this length with strncpy, which will not insert a null terminator at id[id_length-1]. And yet, the data in id is expected to be null terminated, because it's used with strlen in http.c. If this code works, I guess it's because id happens to be initialized to zeros. But we can't rely on that.
I suggest using memcpy and adding a null at the end explicitly.
There was a problem hiding this comment.
This section was taken from the original author. I've replaced it with a completely different approach.
Rainer-Keller
force-pushed
the
master
branch
3 times, most recently
from
8791318 to
a91b087
Compare
Rainer-Keller
force-pushed
the
master
branch
2 times, most recently
from
2727d74 to
67769e6
Compare
In the initial implementation there were still some issues that needed to be fixed. One main improvement is that the http server thread does not run the tunnel thread. Instead the http server is first shut down and then the tunnel is started as usual.
Fix compiler warnings about comparing signed with unsigned integers.
|
Is there a way to get to know if/when the PR can go forward? I am fine with everything, but would be nice to know at least. |
|
while trying to use this inside openwrt I found that is actually very fiddly to route traffic from lan to 127.0.0.1 |
I had this in an earlier version of this pull request, but then realized INADDR_ANY does open the port to be connectable by everyone in your local network. In case you are on a public WiFi, you would need to protect this port from strangers trying to get into your connection setup. Hence I changed this to be available only on the local machine. When I am using Fortinet, it redirects directly to localhost. |
|
I am trying to run the vpn client in my router as a service because the windows client does not allow me to configure split tunneling and the vpn connection is sometimes very slow. |
Having this as a configuration option would be possible. Let me propose another option. Maybe you have already tried this, but if not it would work without any changes: This will make ssh listen on your local machine on port 8020 (first 8020:), any connection to this port will be tunneled by ssh to the machine your are logged in to, and on the remote machine it will be connecting to |
|
Thanks for the idea. Exposing port 8020 on my pc has to be done anyway to finish the authentication. |
|
Does this mean it works for you, or is the config option still needed? In my opinion the config option will add more code just for this single case, while the ssh port forwarding seems to be the cleaner solution anyways. |
|
The option could be a good thing. SSH port tunnel involves addin ssh keys in the router for all pc-s in the network |
|
But can you make Fortinet redirect your browser to the router's IP? I thought the loopback address was hardcoded. |
I have the code ready on Rainer-Keller@5a3e680. |
This pull request is based on #1219, but has everything unrelated to SAML removed and all the review issues fixed.