---
name: lemana-vpn-sso-autofill
description: Use when touching Lemana VPN Bitwarden, Keychain, TOTP, openconnect-lite runtime patches, Keycloak SSO, auto-fill, manual mode, hidden browser mode, or authentication troubleshooting.
---

# Lemana VPN SSO And Autofill

## Overview

The connection path is: Bitwarden or existing Keychain -> `openconnect-lite` credentials -> patched Keycloak browser flow -> Cisco/openconnect tunnel -> status JSON/logs/DNS cleanup. Be precise about which credential source is active.

## Credential Flow

With Bitwarden enabled, `bin/vpn-lemanapro.sh` unlocks `bw`, reads the item `LM LDAP`, extracts the LDAP password and the permanent TOTP seed, then writes both to the macOS Keychain for `openconnect-lite`.

Without Bitwarden, the connection can still work if the Keychain already has:

- service `openconnect-lite`, account `` for the LDAP password;
- service `openconnect-lite`, account `totp/` for the permanent TOTP seed.

The Bitwarden master password unlocks the vault; it is not the corporate LDAP password. The TOTP seed is the permanent shared secret, not the current 6-digit authenticator code.

If a GUI/no-tty path has incomplete Keychain credentials, do not invent an invisible prompt. Tell the user to run:

```sh
vpn --configure-keychain
```

## Runtime Patches

`vpn-lemanapro.sh` patches `openconnect-lite` before connecting. The expected behavior includes:

- Qt hidden browser mode uses `offscreen`, not `minimal`.
- Keycloak fields keep direct `elem.value = ...`, plus `input` and `change` DOM events.
- Autofill stays in `ApplicationWorld`; do not reintroduce `MainWorld`, native setters, or stateful click guards unless there is fresh evidence.
- The URL guard prevents Keycloak selectors from clicking Cisco ACS pages.
- The auth redirect reads the 302 `Location` from `vpn.lemanapro.ru` without following the TLS-reset-prone final headend GET.
- `LEMANA_VPN_AUTOFILL_CLICK=0` disables submit for manual mode.
- `LEMANA_VPN_AUTOFILL_DISABLE=1` disables autofill for low-level diagnosis.
Apply patches without connecting:

```sh
vpn-lemanapro.sh --patch-only
```

## Modes

- `vpn` / `vpn-auto`: hidden browser, autofill, auto-submit.
- `vpn --manual` / `vpn-manual`: visible browser, autofill, no submit.
- `vpn --manual-full` / `vpn-manual-full`: visible browser, no autofill, no submit.
- `vpn-debug`: visible browser and raw logs.

When diagnosing SSO, use manual mode first. Do not repeatedly start automatic mode if a connection attempt is already in progress.

## Testing

For any SSO/autofill patch:

```sh
bash -n bin/vpn-lemanapro.sh
tests/smoke.sh
```

If live behavior must be checked:

```sh
vpn --status
vpn --manual
vpn --manual-full
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```

Skip a live reconnect when the VPN is already connected unless the user explicitly approves disrupting the current session.

## Troubleshooting Signals

- Looping on `employee.auth.lemanapro.ru/.../login-actions/authenticate`: check autofill events and Keycloak selectors.
- `SSLEOFError` / `UNEXPECTED_EOF_WHILE_READING` on `sslvpna` or `sslvpnb`: check the auth redirect patch.
- Menu-bar app shows a credential failure without a prompt: use `vpn --configure-keychain` in a terminal; the GUI should not wait for stdin.
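The two log-based signals above can be checked mechanically instead of by eye. The script below is an added example, not part of `vpn-lemanapro.sh` or `tests/smoke.sh`: it classifies each log line by the substrings the Troubleshooting Signals list names and reports a verdict. The log line format and the loop threshold (`LOOP_THRESHOLD`, default 3 repeated `authenticate` hits) are assumptions; the sample lines are constructed for the self-check and are not real log output.

```shell
#!/bin/sh
# Added example: triage openconnect-lite log lines against the Troubleshooting
# Signals. Only the substrings from the skill page are matched; the surrounding
# line format is assumed, and the sample log below is constructed, not captured.

# Classify one log line. Prints: keycloak-auth, ssl-eof, or other.
triage_line() {
  line=$1
  case "$line" in
    *employee.auth.lemanapro.ru*login-actions/authenticate*) echo keycloak-auth; return 0 ;;
  esac
  case "$line" in
    *SSLEOFError*|*UNEXPECTED_EOF_WHILE_READING*)
      # The TLS EOF is only the redirect-patch signal when it hits a headend.
      case "$line" in
        *sslvpna*|*sslvpnb*) echo ssl-eof; return 0 ;;
      esac ;;
  esac
  echo other
}

# Repeated authenticate hits above this count are treated as a Keycloak loop (assumption).
LOOP_THRESHOLD=${LOOP_THRESHOLD:-3}

# Read a log on stdin, print the counts, then one verdict per signal that fired.
triage_log() {
  auth=0; eof=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$(triage_line "$line")" in
      keycloak-auth) auth=$((auth + 1)) ;;
      ssl-eof) eof=$((eof + 1)) ;;
    esac
  done
  printf 'keycloak-auth=%d ssl-eof=%d\n' "$auth" "$eof"
  [ "$auth" -ge "$LOOP_THRESHOLD" ] && echo 'verdict: Keycloak loop -> check autofill events and Keycloak selectors (retry with vpn --manual)'
  [ "$eof" -gt 0 ] && echo 'verdict: TLS EOF on headend -> check the auth redirect patch'
  return 0
}

# Constructed sample log (not real output): three authenticate hits and one headend EOF.
SAMPLE_LOG='browser: navigate https://employee.auth.lemanapro.ru/.../login-actions/authenticate
browser: navigate https://employee.auth.lemanapro.ru/.../login-actions/authenticate
browser: navigate https://employee.auth.lemanapro.ru/.../login-actions/authenticate
http: GET on sslvpna failed: SSLEOFError (UNEXPECTED_EOF_WHILE_READING)
tunnel: DNS cleanup done'

# Usage: printf '%s\n' "$SAMPLE_LOG" | triage_log
# On the Mac: tail -n 200 ~/Library/Logs/LemanaVPN-openconnect-lite.log | triage_log
```

Feed it a bounded slice of the log (`tail -n 200`) rather than `tail -f`, since the loop only prints its verdict once stdin closes. A `keycloak-auth` count at or above the threshold is the "looping on authenticate" case; a single `ssl-eof` on `sslvpna`/`sslvpnb` is enough to suspect the auth redirect patch.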
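The Credential Flow section and the last troubleshooting signal both come down to the same question: are the two `openconnect-lite` Keychain entries present, and is the TOTP entry the permanent seed rather than a 6-digit code someone pasted from an authenticator app? The script below is an added example, not code from `vpn-lemanapro.sh`: it validates a candidate seed, computes the RFC 6238 code from it with `openssl` so the result can be compared against the authenticator app, and wraps the macOS `security` lookup for both accounts. The Keychain account names are passed in by the caller (the page shows them only as `` and `totp/`, so none are assumed here), and the `security`/`check_keychain` part runs only on macOS.

```shell
#!/bin/sh
# Added example (not part of vpn-lemanapro.sh): check the Keychain entries the
# Credential Flow requires and confirm the stored TOTP value is a base32 seed,
# not the current 6-digit code. Pure-shell base32 and openssl HMAC keep the
# self-check free of extra dependencies.

# True if $1 looks like a base32 TOTP seed (RFC 4648 alphabet, at least 80 bits).
# A 6-digit authenticator code fails on length or on characters outside the alphabet.
is_totp_seed() {
  v=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
  case "$v" in
    '' | *[!A-Z2-7]*) return 1 ;;
  esac
  [ "${#v}" -ge 16 ]
}

# Decode base32 to lowercase hex (no dependency on a `base32` binary).
b32_to_hex() {
  alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
  acc=0; nbits=0; hex=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}                 # pop the first character
    rest=${alphabet#*"$c"}
    [ "$rest" = "$alphabet" ] && return 1     # character outside the alphabet
    acc=$(( (acc << 5) | (31 - ${#rest}) ))   # 5 bits per symbol
    nbits=$(( nbits + 5 ))
    if [ "$nbits" -ge 8 ]; then
      nbits=$(( nbits - 8 ))
      hex=$hex$(printf '%02x' $(( (acc >> nbits) & 255 )))
      acc=$(( acc & ((1 << nbits) - 1) ))
    fi
  done
  printf '%s' "$hex"
}

# RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for seed $1 at unix time $2 (default: now).
totp_code() {
  key_hex=$(b32_to_hex "$1") || return 1
  step=$(( ${2:-$(date +%s)} / 30 ))
  counter=''
  for bitpos in 56 48 40 32 24 16 8 0; do   # 8-byte big-endian counter as octal escapes
    counter="$counter\\$(printf '%03o' $(( (step >> bitpos) & 255 )))"
  done
  mac=$(printf "$counter" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | awk '{print $NF}')
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))               # dynamic truncation offset
  dyn=$(printf '%s' "$mac" | cut -c"$((offset * 2 + 1))-$((offset * 2 + 8))")
  printf '%06d' $(( (0x$dyn & 0x7fffffff) % 1000000 ))
}

# macOS only: read one secret from the Keychain under service `openconnect-lite`.
keychain_secret() {
  security find-generic-password -s openconnect-lite -a "$1" -w 2>/dev/null
}

# $1 = account holding the LDAP password, $2 = the `totp/...` account holding the seed.
check_keychain() {
  keychain_secret "$1" >/dev/null || { echo "no LDAP password for account '$1'; run: vpn --configure-keychain"; return 1; }
  seed=$(keychain_secret "$2") || { echo "no TOTP seed for account '$2'; run: vpn --configure-keychain"; return 1; }
  if ! is_totp_seed "$seed"; then
    echo "account '$2' does not hold a base32 seed (6-digit code stored by mistake?); run: vpn --configure-keychain"
    return 1
  fi
  echo "Keychain complete; the seed yields $(totp_code "$seed") right now (compare with the authenticator app)"
}

# Usage on the Mac: sh check-keychain.sh <ldap-account> <totp-account>
if [ "$#" -eq 2 ]; then check_keychain "$1" "$2"; fi
```

If the code printed by `check_keychain` matches the authenticator app, the seed in the Keychain is the one `openconnect-lite` needs; if `is_totp_seed` rejects the value, the TOTP slot holds something else (typically a one-time code or the Bitwarden master password) and `vpn --configure-keychain` is the fix rather than any invisible GUI prompt.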