openconnect-saml 0.13.0

OpenConnect wrapper with Azure AD (SAML) SSO support for Cisco SSL-VPNs

openconnect-saml

OpenConnect wrapper with Azure AD / SAML SSO support for Cisco AnyConnect VPNs.

Drives the SAML/SSO authentication flow against Cisco AnyConnect gateways and hands the resulting cookie to openconnect. Supports Azure AD, ADFS, and most enterprise IdPs out of the box; works with Yubikey / Nitrokey hardware keys, Duo, Microsoft Authenticator, and TOTP from your password manager.

Maintained fork of vlaci/openconnect-sso, combining work from kowyo/openconnect-lite.

Install

pip install "openconnect-saml[gui]"        # Qt browser
pip install "openconnect-saml[chrome]"     # Chromium / Playwright
pip install  openconnect-saml              # Headless only

Arch: yay -S openconnect-saml. Requires Python ≥ 3.10 and openconnect in $PATH. See docs/installation.md for Docker, build from source, and system-deps per distro.

Quick start

# Interactive setup — server, username, TOTP, browser, auto-reconnect
openconnect-saml setup

# Connect to a saved profile
openconnect-saml connect work

# Or one-shot, no profile
openconnect-saml --server vpn.example.com --user user@example.com

Headless (servers, containers, CI):

openconnect-saml --server vpn.example.com --headless --user user@example.com

Features

• Three browser backends — Qt6 WebEngine, Chromium via Playwright, or full headless. Hardware-key WebAuthn works in all three. See docs/browsers.md.
• Five TOTP providers — local keyring, 2FAuth, Bitwarden, 1Password, pass — or --no-totp to skip the prompt. See docs/authentication.md.
• Multi-profile — save / list / rename / export / import named VPN configs. Includes export to NetworkManager's .nmconnection format for the Ubuntu / GNOME VPN UI. See docs/profiles.md.
• Auto-reconnect with exponential back-off, optional cap. operations.md
• Kill-switch — iptables-based, session or persistent, with DNS / LAN allow-listing. networking.md
• systemd integration — install a per-server unit; service start / stop / status / logs. operations.md
• Connection history & stats — JSONL audit log, aggregated summaries (history stats), JSON output for monitoring. operations.md
• Diagnostics — doctor checks Python / openconnect / sudo / TUN / dependencies / keyring / DNS / TLS / SAML endpoint. diagnostics.md

Documentation

The docs/ directory has a topic-per-file reference. Start with docs/README.md for the index.

Topic	Where
Installation, Docker, system deps	docs/installation.md
Browser backends + minimal GUI	docs/browsers.md
TOTP providers + FIDO2 + credentials	docs/authentication.md
Profiles + NetworkManager export	docs/profiles.md
Split-tunnel + kill-switch + proxy	docs/networking.md
Reconnect, systemd, status, history	docs/operations.md
Config file + setup + config subcommand	docs/configuration.md
doctor, troubleshooting, exit codes	docs/diagnostics.md
Full CLI reference (every flag)	docs/cli-reference.md
Contributor setup + release flow	docs/development.md
Migrating from openconnect-sso	docs/migration.md

Links

Resource	URL
PyPI	https://pypi.org/project/openconnect-saml/
AUR	https://aur.archlinux.org/packages/openconnect-saml
Releases	https://github.com/mschabhuettl/openconnect-saml/releases
Issues	https://github.com/mschabhuettl/openconnect-saml/issues
Changelog	CHANGELOG.md
License	GPL-3.0

Credits

• László Vaskó (vlaci) — original openconnect-sso
• Kowyo — openconnect-lite modernization
• Community contributors for issues, PRs, and testing

---