OpenConnect wrapper with Azure AD / SAML SSO support for Cisco AnyConnect VPNs.
Drives the SAML/SSO authentication flow against Cisco AnyConnect
gateways and hands the resulting cookie to openconnect. Supports
Azure AD, ADFS, and most enterprise IdPs out of the box; works with
Yubikey / Nitrokey hardware keys, Duo, Microsoft Authenticator, and
TOTP from your password manager.
Maintained fork of vlaci/openconnect-sso,
combining work from kowyo/openconnect-lite.
pip install "openconnect-saml[gui]" # Qt browser
pip install "openconnect-saml[chrome]" # Chromium / Playwright
pip install openconnect-saml # Headless onlyArch: yay -S openconnect-saml. Requires Python ≥ 3.10 and
openconnect in $PATH. See
docs/installation.md for Docker, build
from source, and system-deps per distro.
# Interactive setup — server, username, TOTP, browser, auto-reconnect
openconnect-saml setup
# Connect to a saved profile
openconnect-saml connect work
# Or one-shot, no profile
openconnect-saml --server vpn.example.com --user user@example.comHeadless (servers, containers, CI):
openconnect-saml --server vpn.example.com --headless --user user@example.com- Three browser backends — Qt6 WebEngine, Chromium via Playwright,
or full headless. Hardware-key WebAuthn works in
--browser chromeout of the box. With--chrome-channel chrome|msedgePlaywright uses your system-installed Chrome / Edge instead of downloading its own bundled Chromium. See docs/browsers.md. - Seven TOTP providers — local keyring,
2FAuth, Bitwarden, 1Password, pass,
KeePassXC, plus
prompt(type the 6-digit code from your phone every connect, store nothing), or--no-totpto skip entirely. See docs/authentication.md. - Microsoft Entra (Azure AD) scripted in headless mode —
username + password + TOTP fully driven via HTTPS. Federated
tenants get an experimental ADFS / WS-Trust 2005 path; non-scriptable
flows (FIDO2-only, push-MFA) surface a clear error pointing at
--browser chrome. --auth-script PATHescape hatch for IdPs the built-in flow can't drive (in-house SSO, custom MFA). Your script gets the SSO endpoint + username on argv, password on stdin, prints the cookie to stdout. Thanks @derkarnold.- Multi-profile — save / list / rename / export / import named
VPN configs. Includes export to NetworkManager's
.nmconnectionformat for the Ubuntu / GNOME VPN UI. See docs/profiles.md. - Auto-reconnect with exponential back-off, optional cap.
operations.md - Kill-switch — iptables-based, session or persistent, with
DNS / LAN allow-listing.
networking.md - systemd integration — install a per-server unit;
service start/stop/status/logs.operations.md - Connection history & stats — JSONL audit log, aggregated
summaries (
history stats), JSON output for monitoring.operations.md - Diagnostics —
doctorchecks Python / openconnect / sudo / TUN / dependencies / keyring / DNS / TLS / SAML endpoint.diagnostics.md
The docs/ directory has a topic-per-file reference. Start with docs/README.md for the index.
| Topic | Where |
|---|---|
| Installation, Docker, system deps | docs/installation.md |
| Browser backends + minimal GUI | docs/browsers.md |
| TOTP providers + FIDO2 + credentials | docs/authentication.md |
| Profiles + NetworkManager export | docs/profiles.md |
| Split-tunnel + kill-switch + proxy | docs/networking.md |
| Reconnect, systemd, status, history | docs/operations.md |
Config file + setup + config subcommand |
docs/configuration.md |
doctor, troubleshooting, exit codes |
docs/diagnostics.md |
| Full CLI reference (every flag) | docs/cli-reference.md |
| Contributor setup + release flow | docs/development.md |
Migrating from openconnect-sso |
docs/migration.md |
| Resource | URL |
|---|---|
| PyPI | https://pypi.org/project/openconnect-saml/ |
| AUR | https://aur.archlinux.org/packages/openconnect-saml |
| Releases | https://github.com/mschabhuettl/openconnect-saml/releases |
| Issues | https://github.com/mschabhuettl/openconnect-saml/issues |
| Changelog | CHANGELOG.md |
| License | GPL-3.0 |
Upstream / origin
- László Vaskó (vlaci) — original
openconnect-sso - Kowyo —
openconnect-litemodernization
Recent contributors
- @derkarnold —
--auth-scriptpluggable authentication (#29, v0.23.0) - @salty-flower — root-cause diagnosis of the PyQt 6.11 WebAuthn slot-signature crash (#24, v0.21.0)
- @kobuki —
--no-cert-check/ self-signed gateway report driving the v0.22.0 + v0.22.2 cert fixes and the console-only Microsoft Entra path in v0.22.4 (#19) - @OmarHawk —
--allowed-hostswhitelist proposal (#11, v0.20.0),--useragent(#12, v0.7.0), openconnect passthrough (#13, v0.7.0), MFA discussion that shaped the chrome / qt / headless three-way split (#17) - @BBKmsZrd — Yubikey / Nitrokey hardware-token reports + iterative debug-log triage (#21, #24)
- @cnekmp —
sso-v2-loginparser regression report driving the namespaced-fields + form fallback (#20, v0.8.1) - @mdesantis — minimal GUI proposal
- NetworkManager
.nmconnectionexport request (#22, v0.8.x)
- NetworkManager
Everyone else who's filed an issue, tested a release candidate, or pasted a debug log — thank you. See the full contributors graph.