NetworkManager-openconnect SSO (MFA) not working

Hello guys,
I have run into an issue while trying to connect to the VPN at work. The connection was working well before; unfortunately, I can’t sort out when or after which changes the issue started.

The issue is with networkmanager-openconnect when I try to connect to Cisco AnyConnect with MFA, where I need to obtain a QR code for SSO.
But unfortunately I always receive error code 404.
An AnyConnect install is working, and even a solution with openconnect-sso is working, but unfortunately I really like the NetworkManager GUI.

system info and packages

  • os: fedora39
  • kernel: 6.7.9-200.fc39.x86_64
  • libs: NetworkManager-openconnect-gnome.x86_64 1.2.10-2.fc39
  • libs: webkit2gtk4.0.x86_64 2.44.0-2.fc39 @updates
  • libs: webkit2gtk4.1.x86_64 2.44.0-2.fc39 @updates
  • libs: webkitgtk6.0.x86_64 2.42.1-1.fc39

log:

POST https://vpn..com/
Attempting to connect to server :443
Connected to :443
SSL negotiation with <vpn.host.com>
Connected to HTTPS on <vpn.host.com> with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Thu, 04 Apr 2024 22:03:03 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
GET https://<vpn.host.com>/
Attempting to connect to server :443
Connected to :443
SSL negotiation with <vpn.host.com>
Connected to HTTPS on <vpn.host.com> with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Thu, 04 Apr 2024 22:03:03 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://<vpn.host.com>/+webvpn+/index.html
SSL negotiation with <vpn.host.com>
Connected to HTTPS on <vpn.host.com> with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)

This works for me (archlinux, popos). Issues with lxml and python keyring in the older ver.

Rough steps


git clone https://github.com/Bidski/openconnect-sso
cd openconnect-sso
make dist
cd dist
pipx install *.whl