Webview for SAML does not allow Duo to use a Yubikey

Upon more research it seems there is alot more wrong here than the misleading message from Duo.

GTK Webkit completely lacks support for webauthn, so it is pointless to think about anything at the network-manager-openconnect level. This means this will not support security tokens for VPN login.

Can we take this to https://gitlab.com/openconnect/openconnect/-/issues please?

I think you want to enable the "external browser" support which we added in OpenConnect 9.01.

cf. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-users.html#topic_3D9C418D1A6D489FBC88F760215AFD26

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html#Cisco_Reference.dita_07f4a7eb-b660-4a09-844c-c3ed481aebc0

I don't think this is an openconnect issue? Or are you handling network manager issues there too? I see the Ubuntu patch was merged upstream since this was opened?

"External browser" would be nice, but IT says we can't turn it on, needs some upgrade, and CISCO says not to use it:

 The saml external-browser command is for migration purposes for those upgrading to AnyConnect 4.6
 or later. Because of security limitations, use this solution only as part of a temporary migration
 while upgrading AnyConnect software. The command itself will be depreciated in the future.

Since the latest Anyconnect client on Windows got the integrated browser upgraded to Edge and now supports all security key flows I'm not optimistic our deployment will ever enable it.

So what we really want to see is something like network-manager-openconnect that can support webauthn, with CTAP2 support, but that seems alarmingly hard :(

NetworkManager-openconnect issues would be at https://gitlab.gnome.org/GNOME/NetworkManager-openconnect but most of the hard thinking ends up on the openconnect side.

So what is the best solution here? The external browser mode is useful because we get the fully features of Chrome/Firefox and then the resulting SSO token is encrypted and passed back to the VPN client. But that HPKE encryption and the connection back over http://localhost:29786/ is kind of awful.

The embedded browser mode avoids that because we are in control, and we can see the token directly as we're running the browser within our own NM-openconnect authentication GUI process. But obviously doesn't work for the openconnect CLI, as the external-browser mode does.

Should we (can we) implement a Firefox/Chrome plugin to exfiltrate cookies, which might give us a way to do this "embedded mode" with a *real* browser? Or should we just go and implement webauthn/CTAP2 support in WebKit?