This is a program that performs a WebAuthn flow against a GlobalProtect VPN endpoint using Okta and a FIDO2 authenticator (e.g. a Yubikey), starts OpenConnect, and then passes it the pre-login cookie obtained. It contains as few dependencies as possible.
I know very little about WebAuthn and FIDO2, and this program hasn’t been audited. Please use at your own risk. Still, it works for me.
I have very little free time and can’t field any support requests.
$ openconnect-gp-okta -username elliot -password-command 'echo tyEsmail' -device-pin 1234 -vpn-endpoint myvpn.example.org -openconnect-args='--reconnect-timeout --csd-wrapper=/run/current-system/profile/libexec/hipreport.sh'
Please note that the values here are made up and you should populate them with values specific to your situation.
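The hand-off described above, as an added example that is not this project's own code: the password is read from the output of the -password-command string, and the pre-login cookie reaches openconnect on stdin instead of in argv. It assumes the portal interface (--usergroup=portal:prelogin-cookie) and whitespace-split extra arguments; runPasswordCommand and openConnectCmd are hypothetical names.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// runPasswordCommand runs the string given to -password-command through
// sh -c and returns its stdout without the trailing newline, so the
// password itself never appears in this program's argument list.
func runPasswordCommand(cmdline string) (string, error) {
	out, err := exec.Command("sh", "-c", cmdline).Output()
	if err != nil {
		return "", fmt.Errorf("password command failed: %w", err)
	}
	return strings.TrimRight(string(out), "\r\n"), nil
}

// openConnectCmd prepares (but does not start) openconnect for a
// GlobalProtect portal. The cookie is fed on stdin via --passwd-on-stdin
// rather than placed in argv, where other local users could read it.
// Assumption: extra arguments are split on whitespace.
func openConnectCmd(endpoint, user, cookie, extra string) *exec.Cmd {
	args := []string{
		"--protocol=gp",
		"--user=" + user,
		"--usergroup=portal:prelogin-cookie",
		"--passwd-on-stdin",
	}
	args = append(args, strings.Fields(extra)...)
	args = append(args, endpoint)
	cmd := exec.Command("openconnect", args...)
	cmd.Stdin = strings.NewReader(cookie + "\n")
	return cmd
}

func main() {
	pw, err := runPasswordCommand("echo tyEsmail") // made-up value from the usage line
	if err != nil {
		panic(err)
	}
	fmt.Println("password length:", len(pw))
	// "CONSTRUCTED-COOKIE" is a placeholder, not a real pre-login cookie.
	cmd := openConnectCmd("myvpn.example.org", "elliot", "CONSTRUCTED-COOKIE",
		"--csd-wrapper=/run/current-system/profile/libexec/hipreport.sh")
	fmt.Println(strings.Join(cmd.Args, " "))
}
```

The same reasoning applies to -device-pin: a value given directly on the command line is visible in the process list for as long as the program runs.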
If you’re running Guix, you can run:
guix build -fpackage.scm
If you’re not, you can use standard Go tooling:
CGO_LDFLAGS="-L/usr/lib" CGO_CFLAGS="-I/usr/include" go install github.com/kat-co/openconnect-gp-okta@latest
PRs are welcome, but I may not look at them for a long, long time. I apologize in advance.