SSO/SAML-based VPNs

David Woodhouse dwmw2 at infradead.org
Thu Sep 19 08:51:02 UTC 2024


On 19 September 2024 10:40:15 CEST, David Woodhouse <dwmw2 at infradead.org> wrote:
>On 18 September 2024 18:56:29 CEST, Michael Butash <michael at butash.net> wrote:
>>Hi all,
>>
>>I was doing some various digging through lists and finding little, but was
>>curious about the general project state and stance toward SAML-based VPNs
>>from various security vendors. There doesn't seem to be any built-in
>>methods to handle this in the major VPN plugins or the parents still.
>>
>>I ask as I've been working mostly with enterprise vendors for a long time,
>>pan, fortinet, usual names, and almost all have SSO-based methods now that
>>utilize saml/oauth function, none really seem supported aside from some
>>external projects like openconnect-sso. Currently I'm working on a project
>>for a customer reviewing various vendors using OpenVPN particularly, but
>>the desire is to use SAML. Each vendor does support SAML, but with a
>>hacked-in client support for SAML integrations, and only *sometimes* under
>>Linux. This includes Aviatrix, Amazon AWS SSLVPN product (no linux client,
>>go figure), and OpenVPN themselves for their commercial product.
>>
>>It seems at this point in modern times all NM plugins for any/all
>>proprietary/open VPNs probably need to support SAML as a method in
>>general, but where should this start really, in network-manager base, or in
>>VPN plugins alone?
>>
>>Is there *any* general plan or discussion to include SSO/SAML functionality
>>at all in NM or various plugins for VPN features? We're back to relying on
>>every vendor for themselves to make SSO work in linux, and that rather
>>sucks as most can't keep their clients working for long and are slow to
>>update/fix.
>>
>>Thanks in advance!
>>
>>-mb
>
>Hm? NetworkManager-openconnect supports SAML and I use it daily...
>
>The KDE Plasma5 authenticator GUI is still lacking the functionality, I believe, but that's a separate issue.

Forgot to mention: I'm using it with a Cisco AnyConnect service but I believe it should also work for Fortinet and Pan (which you mentioned, and which OpenConnect also supports).


More information about the Networkmanager mailing list