OpenConnect wrapper with Azure AD (SAML) SSO support for Cisco SSL-VPNs

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for mschabhuettl from gravatar.com mschabhuettl

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: GPL-3.0-or-later
    SPDX License Expression
  • Author: Matthias Schabhüttl
  • Tags azure-ad , cisco , openconnect , saml , sso , vpn
  • Requires: Python >=3.10
  • Provides-Extra: chrome , dev , fido2 , gui
Classifiers
Report project as malware

Project description

🔐 openconnect-saml

OpenConnect wrapper with Azure AD / SAML authentication for Cisco AnyConnect VPNs

PyPI AUR CI License Python

Maintained fork of vlaci/openconnect-sso with improvements from kowyo/openconnect-lite

✨ Features

Feature Description
🖥️ GUI Mode Embedded Qt6 WebEngine browser with auto-fill
🌐 Chrome Browser Playwright-based Chromium backend — headless or visible
🤖 Headless Mode No display needed — works on servers, containers, SSH
🔑 Auto-Login Username, password, and TOTP auto-injection
🔒 Keyring Credentials stored securely (with in-memory fallback)
📱 MFA Support TOTP, Microsoft Authenticator number matching
🔐 FIDO2/YubiKey Hardware security key support for WebAuthn challenges
🛡️ Security XXE protection, no credential logging, safe config permissions
🔄 Auto-Reconnect Automatic re-authentication and reconnection on VPN drops
⚙️ Systemd Service Install as a persistent system service with one command
🌐 Proxy SOCKS and HTTP proxy support
📜 Certificates Client certificate handling with auto-fallback
🐳 Docker-ready Headless mode for containerized deployments

📦 Installation

# Headless (no GUI dependencies)
pip install openconnect-saml

# With GUI browser (Qt6 WebEngine)
pip install "openconnect-saml[gui]"

# With Chrome/Chromium browser (Playwright)
pip install "openconnect-saml[chrome]"
playwright install chromium

# With FIDO2/YubiKey support
pip install "openconnect-saml[fido2]"

# Arch Linux (AUR)
yay -S openconnect-saml

Requires: Python ≥ 3.10 and OpenConnect in PATH

🚀 Quick Start

# GUI mode (default)
openconnect-saml --server vpn.example.com --user user@domain.com

# Headless mode (servers, containers, SSH)
openconnect-saml --server vpn.example.com --user user@domain.com --headless

📖 Usage

GUI Mode

openconnect-saml --server vpn.example.com
openconnect-saml --server vpn.example.com/usergroup
openconnect-saml --profile /opt/cisco/anyconnect/profile

Headless Mode

No display server required — perfect for servers, CI/CD, and containers:

# Auto-authenticate with saved credentials
openconnect-saml --server vpn.example.com --headless --user user@example.com

# Output auth cookie for scripting
openconnect-saml --server vpn.example.com --headless --authenticate json

How it works:

  1. Auto: HTTP requests + form parsing → submits credentials without a browser
  2. Fallback: If auto-auth fails (CAPTCHA, unsupported MFA) → prints URL + starts local callback server → authenticate in any browser

Chrome/Chromium Browser

Use Playwright-based Chromium instead of Qt WebEngine:

# Visible Chrome window
openconnect-saml --server vpn.example.com --browser chrome

# Headless Chrome (no display needed)
openconnect-saml --server vpn.example.com --browser headless

Auto-Reconnect

Keep the VPN alive — automatically re-authenticates and reconnects on drops:

# Unlimited retries with backoff (30s, 60s, 120s, 300s)
openconnect-saml --server vpn.example.com --headless --reconnect

# Limit to 5 reconnection attempts
openconnect-saml --server vpn.example.com --headless --reconnect --max-retries 5

Systemd Service

Install as a persistent system service:

# Install and enable
sudo openconnect-saml service install --server vpn.example.com --user user@domain.com

# Manage
sudo openconnect-saml service start --server vpn.example.com
sudo openconnect-saml service stop --server vpn.example.com
openconnect-saml service status
openconnect-saml service logs --server vpn.example.com

# Remove
sudo openconnect-saml service uninstall --server vpn.example.com

FIDO2/YubiKey

Hardware security key support for WebAuthn challenges during SAML authentication:

# FIDO2 is detected automatically during auth flows
# When a WebAuthn challenge is encountered:
# → Terminal prompt: "Touch your security key..."
# → PIN prompt if required
pip install "openconnect-saml[fido2]"

Advanced Options

--headless              # No browser, terminal-only authentication
--browser BACKEND       # Browser backend: qt, chrome, headless
--reconnect             # Auto-reconnect on VPN drops
--max-retries N         # Max reconnection attempts (default: unlimited)
--no-sudo               # Don't use sudo (for --script-tun)
--ssl-legacy            # Enable legacy SSL renegotiation
--csd-wrapper PATH      # CSD/hostscan wrapper script
--timeout SECONDS       # HTTP timeout (default: 30)
--window-size WxH       # Browser window size (default: 800x600)
--on-connect CMD        # Run command after VPN connects
--on-disconnect CMD     # Run command after VPN disconnects
--reset-credentials     # Clear saved keyring entries
--authenticate FORMAT   # Auth only, output cookie (json|shell)

🐳 Docker

FROM python:3.12-slim
RUN pip install openconnect-saml && \
    apt-get update && apt-get install -y openconnect && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["openconnect-saml", "--headless"]

docker run -it --cap-add=NET_ADMIN --device=/dev/net/tun \
  vpn-client --server vpn.example.com --user user@example.com

⚙️ Configuration

Config file: ~/.config/openconnect-saml/config.toml

[default_profile]
server = "vpn.example.com"
user_group = ""
name = "My VPN"

[credentials]
username = "user@example.com"
Auto-fill Rules

Custom rules per URL pattern:

[[auto_fill_rules."https://*"]]
selector = "input[type=email]"
fill = "username"

[[auto_fill_rules."https://*"]]
selector = "input[name=passwd]"
fill = "password"

[[auto_fill_rules."https://*"]]
selector = "input[id=idTxtBx_SAOTCC_OTC]"
fill = "totp"
TOTP Configuration

For automated TOTP, add your secret to the config:

[credentials]
username = "user@example.com"
# TOTP secret is stored in keyring on first use
# Or set via: openconnect-saml --user user@example.com (prompts for secret)

To clear stored credentials:

openconnect-saml --user user@example.com --reset-credentials

🔄 Migrating from openconnect-sso

# Replace openconnect-sso with openconnect-saml
pip uninstall openconnect-sso
pip install openconnect-saml

# Rename config directory
mv ~/.config/openconnect-sso ~/.config/openconnect-saml

# Same CLI, new name
openconnect-saml --server vpn.example.com

🛠️ Development

git clone https://github.com/mschabhuettl/openconnect-saml
cd openconnect-saml
pip install -e ".[dev]"
pytest -v
ruff check .

🙏 Credits

📄 License

GPL-3.0

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for mschabhuettl from gravatar.com mschabhuettl

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: GPL-3.0-or-later
    SPDX License Expression
  • Author: Matthias Schabhüttl
  • Tags azure-ad , cisco , openconnect , saml , sso , vpn
  • Requires: Python >=3.10
  • Provides-Extra: chrome , dev , fido2 , gui
Classifiers

Release history Release notifications | RSS feed

0.7.1

0.7.0

0.6.1

0.6.0

0.5.0

0.4.0

This version

0.3.0

0.2.0

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

openconnect_saml-0.3.0.tar.gz (63.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

openconnect_saml-0.3.0-py3-none-any.whl (50.7 kB view details)

Uploaded Python 3

File details

Details for the file openconnect_saml-0.3.0.tar.gz.

File metadata

  • Download URL: openconnect_saml-0.3.0.tar.gz
  • Upload date:
  • Size: 63.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for openconnect_saml-0.3.0.tar.gz
Algorithm Hash digest
SHA256 f2b24c9c2b3f841e976271ac0925dd2ce5c1018e9b22d1840bf0ed4cb6c72682
MD5 c8b42e663c85fcd490239c16bcdbaf8c
BLAKE2b-256 03a6768743023d2bc3cebfa201019e03ba9d47295a1e95d68eb7bb86b9058502

See more details on using hashes here.

Provenance

The following attestation bundles were made for openconnect_saml-0.3.0.tar.gz:

Publisher: publish.yml on mschabhuettl/openconnect-saml

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file openconnect_saml-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for openconnect_saml-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ebbb1cf7c89b5542610b4fc2daef9f03bd711d82e2a8dd0c45f1d2b08c942a0d
MD5 9104d5b774ecb2b64ad03a14b3e5e5f8
BLAKE2b-256 26d0a94f2ebf7028af7d08ca41efc803ab29a39ad911670520ef833bbbb95c50

See more details on using hashes here.

Provenance

The following attestation bundles were made for openconnect_saml-0.3.0-py3-none-any.whl:

Publisher: publish.yml on mschabhuettl/openconnect-saml

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page