Skip to content

mschabhuettl/openconnect-saml

Repository files navigation

openconnect-saml

OpenConnect wrapper with Azure AD / SAML SSO support for Cisco AnyConnect VPNs.

CI PyPI AUR Python License

Drives the SAML/SSO authentication flow against Cisco AnyConnect gateways and hands the resulting cookie to openconnect. Supports Azure AD, ADFS, and most enterprise IdPs out of the box; works with Yubikey / Nitrokey hardware keys, Duo, Microsoft Authenticator, and TOTP from your password manager.

Maintained fork of vlaci/openconnect-sso, combining work from kowyo/openconnect-lite.

Install

pip install "openconnect-saml[gui]"        # Qt browser
pip install "openconnect-saml[chrome]"     # Chromium / Playwright
pip install  openconnect-saml              # Headless only

Arch: yay -S openconnect-saml. Requires Python ≥ 3.10 and openconnect in $PATH. See docs/installation.md for Docker, build from source, and system-deps per distro.

Quick start

# Interactive setup — server, username, TOTP, browser, auto-reconnect
openconnect-saml setup

# Connect to a saved profile
openconnect-saml connect work

# Or one-shot, no profile
openconnect-saml --server vpn.example.com --user user@example.com

Headless (servers, containers, CI):

openconnect-saml --server vpn.example.com --headless --user user@example.com

Features

  • Three browser backends — Qt6 WebEngine, Chromium via Playwright, or full headless. Hardware-key WebAuthn works in --browser chrome out of the box. With --chrome-channel chrome|msedge Playwright uses your system-installed Chrome / Edge instead of downloading its own bundled Chromium. See docs/browsers.md.
  • Seven TOTP providers — local keyring, 2FAuth, Bitwarden, 1Password, pass, KeePassXC, plus prompt (type the 6-digit code from your phone every connect, store nothing), or --no-totp to skip entirely. See docs/authentication.md.
  • Microsoft Entra (Azure AD) scripted in headless mode — username + password + TOTP fully driven via HTTPS. Federated tenants get an experimental ADFS / WS-Trust 2005 path; non-scriptable flows (FIDO2-only, push-MFA) surface a clear error pointing at --browser chrome.
  • --auth-script PATH escape hatch for IdPs the built-in flow can't drive (in-house SSO, custom MFA). Your script gets the SSO endpoint + username on argv, password on stdin, prints the cookie to stdout. Thanks @derkarnold.
  • Multi-profile — save / list / rename / export / import named VPN configs. Includes export to NetworkManager's .nmconnection format for the Ubuntu / GNOME VPN UI. See docs/profiles.md.
  • Auto-reconnect with exponential back-off, optional cap. operations.md
  • Kill-switch — iptables-based, session or persistent, with DNS / LAN allow-listing. networking.md
  • systemd integration — install a per-server unit; service start / stop / status / logs. operations.md
  • Connection history & stats — JSONL audit log, aggregated summaries (history stats), JSON output for monitoring. operations.md
  • Diagnosticsdoctor checks Python / openconnect / sudo / TUN / dependencies / keyring / DNS / TLS / SAML endpoint. diagnostics.md

Documentation

The docs/ directory has a topic-per-file reference. Start with docs/README.md for the index.

Topic Where
Installation, Docker, system deps docs/installation.md
Browser backends + minimal GUI docs/browsers.md
TOTP providers + FIDO2 + credentials docs/authentication.md
Profiles + NetworkManager export docs/profiles.md
Split-tunnel + kill-switch + proxy docs/networking.md
Reconnect, systemd, status, history docs/operations.md
Config file + setup + config subcommand docs/configuration.md
doctor, troubleshooting, exit codes docs/diagnostics.md
Full CLI reference (every flag) docs/cli-reference.md
Contributor setup + release flow docs/development.md
Migrating from openconnect-sso docs/migration.md

Links

Resource URL
PyPI https://pypi.org/project/openconnect-saml/
AUR https://aur.archlinux.org/packages/openconnect-saml
Releases https://github.com/mschabhuettl/openconnect-saml/releases
Issues https://github.com/mschabhuettl/openconnect-saml/issues
Changelog CHANGELOG.md
License GPL-3.0

Credits

Upstream / origin

Recent contributors

  • @derkarnold--auth-script pluggable authentication (#29, v0.23.0)
  • @salty-flower — root-cause diagnosis of the PyQt 6.11 WebAuthn slot-signature crash (#24, v0.21.0)
  • @kobuki--no-cert-check / self-signed gateway report driving the v0.22.0 + v0.22.2 cert fixes and the console-only Microsoft Entra path in v0.22.4 (#19)
  • @OmarHawk--allowed-hosts whitelist proposal (#11, v0.20.0), --useragent (#12, v0.7.0), openconnect passthrough (#13, v0.7.0), MFA discussion that shaped the chrome / qt / headless three-way split (#17)
  • @BBKmsZrd — Yubikey / Nitrokey hardware-token reports + iterative debug-log triage (#21, #24)
  • @cnekmpsso-v2-login parser regression report driving the namespaced-fields + form fallback (#20, v0.8.1)
  • @mdesantis — minimal GUI proposal
    • NetworkManager .nmconnection export request (#22, v0.8.x)

Everyone else who's filed an issue, tested a release candidate, or pasted a debug log — thank you. See the full contributors graph.


Buy Me a Coffee

About

OpenConnect wrapper with Azure AD (SAML) SSO support for Cisco SSL-VPNs

Resources

License

Code of conduct

Contributing

Stars

23 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages