SAML support?

[DimitriPapadopoulos]

In addition to / instead of supporting to the --cookie option (#173), wouldn't it make sense to add support for SAML (as discussed in adrienverge/openfortivpn#867, adrienverge/openfortivpn#1034, adrienverge/openfortivpn#1042), starting a browser with Qt to get the VPN session cookie?

[boospy]

SAML is old school. Keycloak would be the new one.

https://www.keycloak.org/

https://www.univention.de/produkte/app-katalog/keycloak/

[DimitriPapadopoulos]

@Boopsy Does the FortiGate support Keycloack differently from SAML?

• Technical Tip: SAML SSO - Configuration with Keycloak
• Fortigate: SAML authentication in firewall policy with Keycloak

I don't know what Keycloack means on the client side, can you enlighten me?

[ssorgatem]

My company is now changing to SAML sso so support for SAML would hbe greatly appreaciated

[filippor]

For external browser I implemented a script to retrieve token on repository https://github.com/filippor/XdgOpenSaml
the process is
1 start a server to listen on localhost:8020/?id=
2 open in external browser url + "/remote/saml/start?redirect=1"
3 server receive a call and with retieved id call url + "/remote/saml/auth_id?id=" + id to retrieve cookie

you can see a sample implementation in this repo https://github.com/filippor/XdgOpenSaml/blob/main/XdgOpenSaml.java that write the cookie to standard out like openfortivpn-webview

XdgOpenSaml url:port | sudo openfortivpn url:port --cookie-on-stdin --pppd-use-peerdns=

[aseques]

Since version 1.23.0 openfortivpn has a mechanism to deal with SAML authentication integrated, see the changelog here