OpenConnect Server with SAML Authentication
Posted on
Like many orgs, my employer had a sudden and dramatic increase in the number of people working remotely as a result of the Covid-19 pandemic. This exceeded the capacity of our Cisco Anyconnect headends in a few places, and procuring larger hardware in many locations proved difficult as supply chains apparently unravelled. I needed to increase vpn capacity, and fast, ideally without shocking my userbase with a dramatically different user experience.
The Openconnect project have a VPN server that is compatible with Cisco Anyconnect clients, but it does not support SAML2 authentication. Our Cisco gear is configured to use SAML against Azure AD so that Conditional Access policies can be applied, including MFA. Given the sharp rise in observed credential stuffing attacks at the time, backing off on the MFA requirement was not an option.
So, I forked ocserv and implemented SAML authentication.
Not only that, I rolled this into a Docker container so that my sysadmins could deploy it quickly and easily. I’m throwing this out to the internet with the hope that others may also find it useful. I’ll be preparing a pull request to offer my changes to upstream ocserv once my life calms down a bit.
If you want to use this, the easiest way to deploy it is with the docker container available here:
Or if you prefer, you can build it from my fork on gitlab:
Pull requests, issues, and of course, offers of wine are welcome. I hope this helps someone.