README taken with slight modifications from the network-manager-openconnect auth dialog AnyConnect works over HTTPS; authentication is through HTTP forms and POST responses. Once you've filled in the forms that the server demands, you're rewarded with an HTTP cookie which is handed on to OpenConnect to actually make the connection. The auth-dialog handles the arbitrary forms as the server presents them, and spits out the cookie after a successful authentication. It's just a really simple web-browser, effectively. (It has its own HTTP client implementation instead of using libsoup because it needs to be able to support certificates from a TPM, and to work around Cisco bugs). To make it slightly more fun, you have a *choice* of servers; an AnyConnect VPN is provisioned with an XML file that gives various pieces of configuration for the client. We ignore most of the XML file, except the list of available VPN server addresses. So this is a brief flow of what the auth-dialog does... 1. Choose a server to connect to. If we already have the XML configuration file for this VPN, you get to choose a server from the list. Otherwise, you only have the host that you configured in the VPN setup. The auth-dialog will give you the choice of automatically connecting to the last server you used. It does so by storing the boolean 'autoconnect' option, as well as the address of the last successful server, in "secrets" that NetworkManager stores for it, but which aren't actually used by OpenConnect itself at all. 2. Offer your SSL certificate and fill in all the forms it presents. The server will present a sequence of forms which are filled in just like normal web forms. At this point, the auth-dialog is just acting like a really simple web browser. It uses the same trick with fake secrets to remember the answers for any multiple-choice selection, or input elements of type 'text'. Input elements of type 'password' are not currently saved, but probably should be. The choices and input boxes that we fill in at this point may not be limited to *just* authenticating ourselves. You may also get to make choices which affect your resulting connectivity. Some networks offer the choice of full-tunnel or split-tunnel routing, IPv6 or Legacy-only connectivity, etc. (The routing configuration is not handled by the auth-dialog; that just manifests itself in the IP configuration which is given to OpenConnect by the server, much later when the connection is actually made.) ( 2½. Run the "Cisco Secure Desktop"[sic] trojan. In some cases you are required to download a strange executable from the server and run it. It is supposed to perform various "checks" on your system and report its results to the server. The authentication sequence is kept in a holding pattern with HTTP refresh responses until the "trojan" has done its job. Most people seem to bypass this crap and run a local tool of their own devising to report the "correct" results. It's just another simple HTTP POST, although the exact results that are expected may vary from one server/configuration to another. Try not to think about it. It will only make you sad. ) 3. Note the 'webvpn' cookie. Once authentication is complete, the server's HTTP response will include a 'webvpn' cookie. This cookie is one of the three *real* secrets which are actually passed to OpenConnect to make the connection. The other two are the address of the server we finally ended up talking to (after the user's initial choice and any HTTP redirects), and a hash of the server's SSL certificate (to prevent MiTM attacks). 4. Check the XML configuration file. With a successful authentication, we are *also* given the SHA1 of the current XML configuration for this VPN connection. If it differs from what we have, we are expected to fetch the new one. We store this, base64-encoded, in yet another fake "secret". 5. Dump all the "secrets" to NetworkManager. Finally, we write the secrets into the setting, so that NM can use them.