From a1b49fde473c484a20099da4f233639b2fc4bcbe Mon Sep 17 00:00:00 2001
From: Kevin Yue <yuezk001@gmail.com>
Date: Sun, 28 May 2023 14:04:22 +0800
Subject: [PATCH] refactor: add auth window

---
 Cargo.lock                          |  12 ++
 gpauth/Cargo.toml                   |   2 +
 gpauth/src/auth_service.rs          |  54 +++++
 gpauth/src/duplex.rs                |  35 ++++
 gpauth/src/lib.rs                   |  20 +-
 gpauth/src/main.rs                  |  90 +++++----
 gpauth/src/saml.rs                  | 233 ++++++++++++++++++++++
 gpgui/public/auth.html              |  12 ++
 gpgui/src-tauri/Cargo.toml          |   7 +-
 gpgui/src-tauri/src/auth.rs         | 297 ++++++++++++++++++++++++++++
 gpgui/src-tauri/src/main.rs         |  28 ++-
 gpgui/src/App.tsx                   |  17 +-
 gpgui/src/services/authService.ts   |  53 +++++
 gpgui/src/services/portalService.ts |   8 +-
 gpgui/src/services/vpnService.ts    |  26 +--
 gpgui/src/utils/invokeCommand.ts    |   9 +
 16 files changed, 821 insertions(+), 82 deletions(-)
 create mode 100644 gpauth/src/auth_service.rs
 create mode 100644 gpauth/src/duplex.rs
 create mode 100644 gpauth/src/saml.rs
 create mode 100644 gpgui/public/auth.html
 create mode 100644 gpgui/src-tauri/src/auth.rs
 create mode 100644 gpgui/src/services/authService.ts
 create mode 100644 gpgui/src/utils/invokeCommand.ts

diff --git a/Cargo.lock b/Cargo.lock
index 782b251..cb9354c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -54,11 +54,14 @@ dependencies = [
  "env_logger",
  "gpcommon",
  "log",
+ "regex",
  "serde",
  "serde_json",
  "tauri",
  "tauri-build",
  "tauri-plugin-log",
+ "url",
+ "webkit2gtk",
 ]
 
 [[package]]
@@ -535,6 +538,12 @@ version = "2.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
 
+[[package]]
+name = "data-url"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d7439c3735f405729d52c3fbbe4de140eaf938a1fe47d227c27f8254d4302a5"
+
 [[package]]
 name = "derive_more"
 version = "0.99.17"
@@ -1076,6 +1085,8 @@ dependencies = [
 name = "gpauth"
 version = "0.1.0"
 dependencies = [
+ "regex",
+ "tokio",
  "webkit2gtk",
  "wry",
 ]
@@ -2819,6 +2830,7 @@ dependencies = [
  "anyhow",
  "attohttpc",
  "cocoa",
+ "data-url",
  "dirs-next",
  "embed_plist",
  "encoding_rs",
diff --git a/gpauth/Cargo.toml b/gpauth/Cargo.toml
index 197e179..500fcf7 100644
--- a/gpauth/Cargo.toml
+++ b/gpauth/Cargo.toml
@@ -8,3 +8,5 @@ edition = "2021"
 [dependencies]
 wry = "0.24.3"
 webkit2gtk = "0.18.2"
+tokio = { version = "1.14", features = ["full"] }
+regex="1"
\ No newline at end of file
diff --git a/gpauth/src/auth_service.rs b/gpauth/src/auth_service.rs
new file mode 100644
index 0000000..cac4c11
--- /dev/null
+++ b/gpauth/src/auth_service.rs
@@ -0,0 +1,54 @@
+use crate::{
+    duplex::duplex,
+    saml::{SamlAuth, SamlBinding, SamlOptions},
+    DuplexStreamHandle,
+};
+use std::sync::Arc;
+use tokio::sync::Mutex;
+
+#[derive(Debug)]
+pub struct AuthService {
+    server: DuplexStreamHandle,
+    client: Arc<Mutex<DuplexStreamHandle>>,
+    saml_auth: Arc<SamlAuth>,
+}
+
+impl Default for AuthService {
+    fn default() -> Self {
+        let (client, server) = duplex(4096);
+        Self {
+            client: Arc::new(Mutex::new(client)),
+            server,
+            saml_auth: Default::default(),
+        }
+    }
+}
+
+impl AuthService {
+    pub async fn run(&mut self) {
+        loop {
+            println!("Server waiting for data");
+            match self.server.read().await {
+                Ok(data) => {
+                    println!("Server received: {}", data);
+                    let target = String::from("https://login.microsoftonline.com/901c038b-4638-4259-b115-c1753c7735aa/saml2?SAMLRequest=lVLBbsIwDP2VKveSNGlaiGilDg5DYlpFux12mdIQIFKbdEmKtr8fhaGxC9Lkk%2BXnZ79nzx3v2p4Vgz%2FojfwYpPPBZ9dqx86FDAxWM8OdckzzTjrmBauKpzXDE8R6a7wRpgVB4Zy0Xhm9MNoNnbSVtEcl5MtmnYGD971jEB57PemUsMZ5y73cf02E6VgcEzgyYgSrEhaLCgTL0xZK85Hvt7s1e3XtNztvdKu0HBngDEUCkWkTxgmZhjGms7CJIhqKKKVEpCmhnMNRDgbBapmBdzpL5BZFEu0oalKMpglttukpaBLHuEEnmHODXGnnufYZwAiTENEQ0xoljBJGyBsIyh%2F1D0pvld7ft6q5gBx7rOsyLJ%2BrGgSv0rqzxBMA5PNxQ3YebG9OcJ%2BWX30H%2BT9cnsObWfkl%2B%2FsD%2BTc%3D&RelayState=HEgCAOLrNmRmZTBkM2FlNDE2MDQyMDhjZTVmMTZlMTdiZTdiMTliNg%3D%3D");
+                    let ua = String::from("PAN GlobalProtect");
+
+                    let saml_options = SamlOptions::new(SamlBinding::Redirect, target, ua);
+                    let saml_auth = self.saml_auth.clone();
+                    tokio::spawn(async move {
+                        saml_auth.process(saml_options).await;
+                    });
+                    // self.server.write(&data).await.expect("write failed");
+                }
+                Err(err) => {
+                    println!("Server error: {:?}", err);
+                }
+            }
+        }
+    }
+
+    pub fn client(&self) -> Arc<Mutex<DuplexStreamHandle>> {
+        self.client.clone()
+    }
+}
diff --git a/gpauth/src/duplex.rs b/gpauth/src/duplex.rs
new file mode 100644
index 0000000..d7525a4
--- /dev/null
+++ b/gpauth/src/duplex.rs
@@ -0,0 +1,35 @@
+use tokio::io::{AsyncReadExt, AsyncWriteExt, DuplexStream};
+
+#[derive(Debug)]
+pub struct DuplexStreamHandle {
+    stream: DuplexStream,
+    buf_size: usize,
+}
+
+impl DuplexStreamHandle {
+    fn new(stream: DuplexStream, buf_size: usize) -> Self {
+        Self { stream, buf_size }
+    }
+
+    pub async fn write(&mut self, data: &str) -> Result<(), Box<dyn std::error::Error>> {
+        self.stream.write_all(data.as_bytes()).await?;
+        Ok(())
+    }
+
+    pub async fn read(&mut self) -> Result<String, Box<dyn std::error::Error>> {
+        let mut buffer = vec![0; self.buf_size];
+        match self.stream.read(&mut buffer).await {
+            Ok(0) => Err("EOF".into()),
+            Ok(n) => Ok(String::from_utf8_lossy(&buffer[..n]).to_string()),
+            Err(err) => Err(err.to_string().into()),
+        }
+    }
+}
+
+pub(crate) fn duplex(max_buf_size: usize) -> (DuplexStreamHandle, DuplexStreamHandle) {
+    let (a, b) = tokio::io::duplex(max_buf_size);
+    (
+        DuplexStreamHandle::new(a, max_buf_size),
+        DuplexStreamHandle::new(b, max_buf_size),
+    )
+}
\ No newline at end of file
diff --git a/gpauth/src/lib.rs b/gpauth/src/lib.rs
index 7d12d9a..63aec16 100644
--- a/gpauth/src/lib.rs
+++ b/gpauth/src/lib.rs
@@ -1,14 +1,8 @@
-pub fn add(left: usize, right: usize) -> usize {
-    left + right
-}
+mod auth_service;
+mod saml;
+mod duplex;
 
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn it_works() {
-        let result = add(2, 2);
-        assert_eq!(result, 4);
-    }
-}
+pub use auth_service::AuthService;
+pub use duplex::DuplexStreamHandle;
+pub use saml::saml_login;
+pub use saml::SamlBinding;
\ No newline at end of file
diff --git a/gpauth/src/main.rs b/gpauth/src/main.rs
index 6b10091..001a847 100644
--- a/gpauth/src/main.rs
+++ b/gpauth/src/main.rs
@@ -1,45 +1,55 @@
-use webkit2gtk::LoadEvent;
-use webkit2gtk::URIResponseExt;
-use webkit2gtk::WebResourceExt;
-use webkit2gtk::WebViewExt;
-use wry::application::event::Event;
-use wry::application::event::StartCause;
-use wry::application::event::WindowEvent;
-use wry::application::event_loop::ControlFlow;
-use wry::application::event_loop::EventLoop;
-use wry::application::window::WindowBuilder;
-use wry::webview::WebViewBuilder;
-use wry::webview::WebviewExtUnix;
+use gpauth::{AuthService, saml_login, SamlBinding};
 
-fn main() -> wry::Result<()> {
-    let event_loop = EventLoop::new();
-    let window = WindowBuilder::new()
-        .with_title("Hello World")
-        .build(&event_loop)?;
-    let _webview = WebViewBuilder::new(window)?
-        .with_url("https://tauri.studio")?
-        .build()?;
+#[tokio::main]
+async fn main() {
+    let url = String::from("https://globalprotect.kochind.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux");
+    let _html = String::from(
+        r#"<html>
+    <body>
+    <form id="myform" method="POST" action="https://auth.kochid.com/idp/SSO.saml2">
+    <input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vZ2xvYmFscHJvdGVjdC5rb2NoaW5kLmNvbTo0NDMvU0FNTDIwL1NQL0FDUyIgRGVzdGluYXRpb249Imh0dHBzOi8vYXV0aC5rb2NoaWQuY29tL2lkcC9TU08uc2FtbDIiIElEPSJfZmEzZTA4NDE5NjdkZTdlYzUyNzc4Nzc4YzBkOTViMDEiIElzc3VlSW5zdGFudD0iMjAyMy0wNS0yNFQwNToyNDo1OVoiIFByb3RvY29sQmluZGluZz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVCIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9nbG9iYWxwcm90ZWN0LmtvY2hpbmQuY29tOjQ0My9TQU1MMjAvU1A8L3NhbWw6SXNzdWVyPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg==" />
+    <input type="hidden" name="RelayState" value="rgbNAP1wSGI0NGE1ZDZjOGM4YTkzNjk5NWNhY2JlZjkwMWJmMzIwYg==" />
+    </form>
+    <script>
+      document.getElementById('myform').subm{
+    let (client, server) = duplex(1);
+    AuthService { client, server }
+}>
+    </body>
+    </html>
+    "#,
+    );
 
-    let wv = _webview.webview();
-    wv.connect_load_changed(|wv, load_event| {
-        if load_event == LoadEvent::Finished {
-            let response = wv.main_resource().unwrap().response().unwrap();
-            response.http_headers().unwrap().foreach(|k, v| {
-                println!("{}: {}", k, v);
-            });
+    let ua = String::from("PAN GlobalProtect");
+    match saml_login(SamlBinding::Redirect, url, ua) {
+        Ok(saml_result) => {
+            println!("SAML result: {:?}", saml_result);
         }
-    });
-
-    event_loop.run(move |event, _, control_flow| {
-        *control_flow = ControlFlow::Wait;
-
-        match event {
-            Event::NewEvents(StartCause::Init) => println!("Wry has started!"),
-            Event::WindowEvent {
-                event: WindowEvent::CloseRequested,
-                ..
-            } => *control_flow = ControlFlow::Exit,
-            _ => (),
+        Err(err) => {
+            println!("Error: {:?}", err);
         }
-    });
+    }
+
+    // let mut auth_service = AuthService::default();
+    // let client = auth_service.client();
+
+    // tokio::spawn(async move {
+    //     let mut client = client.lock().await;
+    //     client.write("Hello").await.expect("write failed");
+
+    //     loop {
+    //         if let Ok(data) = client.read().await {
+    //             println!("Received: {}", data);
+    //         }
+    //     }
+    // });
+
+    // tokio::select! {
+    //     _ = auth_service.run() => {
+    //         println!("AuthService exited");
+    //     }
+    //     _ = tokio::signal::ctrl_c() => {
+    //         println!("Ctrl-C received, exiting");
+    //     }
+    // }
 }
diff --git a/gpauth/src/saml.rs b/gpauth/src/saml.rs
new file mode 100644
index 0000000..2484fbc
--- /dev/null
+++ b/gpauth/src/saml.rs
@@ -0,0 +1,233 @@
+use regex::Regex;
+use std::{cell::RefCell, rc::Rc};
+use webkit2gtk::gio::Cancellable;
+use webkit2gtk::glib::GString;
+use webkit2gtk::{LoadEvent, URIResponseExt, WebResourceExt, WebViewExt};
+use wry::application::event::{Event, StartCause, WindowEvent};
+use wry::application::event_loop::{ControlFlow, EventLoop, EventLoopProxy};
+use wry::application::platform::run_return::EventLoopExtRunReturn;
+use wry::application::window::WindowBuilder;
+use wry::webview::{WebViewBuilder, WebviewExtUnix};
+
+#[derive(Debug, Default)]
+pub(crate) struct SamlAuth {}
+
+pub(crate) struct SamlOptions {
+    binding: SamlBinding,
+    target: String,
+    user_agent: String,
+}
+
+impl SamlOptions {
+    pub fn new(binding: SamlBinding, target: String, user_agent: String) -> Self {
+        Self {
+            binding,
+            target,
+            user_agent,
+        }
+    }
+}
+
+impl SamlAuth {
+    pub async fn process(&self, options: SamlOptions) -> Result<(), Box<dyn std::error::Error>> {
+        let saml_result = saml_login(options.binding, options.target, options.user_agent);
+        println!("SAML result: {:?}", saml_result);
+        Ok(())
+    }
+}
+
+pub enum SamlBinding {
+    Redirect,
+    Post,
+}
+
+#[derive(Debug, Clone)]
+pub struct SamlResult {
+    username: Option<String>,
+    prelogin_cookie: Option<String>,
+    portal_userauthcookie: Option<String>,
+}
+
+impl SamlResult {
+    fn new(
+        username: Option<String>,
+        prelogin_cookie: Option<String>,
+        portal_userauthcookie: Option<String>,
+    ) -> Self {
+        Self {
+            username,
+            prelogin_cookie,
+            portal_userauthcookie,
+        }
+    }
+
+    fn check(&self) -> bool {
+        self.username.is_some()
+            && (self.prelogin_cookie.is_some() || self.portal_userauthcookie.is_some())
+    }
+}
+
+#[derive(Debug, PartialEq)]
+enum SamlResultError {
+    NotFound,
+    Invalid,
+}
+
+#[derive(Debug)]
+enum UserEvent {
+    SamlSuccess(SamlResult),
+    SamlError(String),
+}
+
+pub fn saml_login(
+    binding: SamlBinding,
+    target: String,
+    user_agent: String,
+) -> Result<SamlResult, Box<dyn std::error::Error>> {
+    let mut event_loop: EventLoop<UserEvent> = EventLoop::with_user_event();
+    let event_proxy = event_loop.create_proxy();
+
+    let window = WindowBuilder::new()
+        .with_title("GlobalProtect Login")
+        .build(&event_loop)?;
+
+    let wv_builder = WebViewBuilder::new(window)?.with_user_agent(&user_agent);
+    let wv_builder = if let SamlBinding::Redirect = binding {
+        wv_builder.with_url(&target)?
+    } else {
+        wv_builder.with_html(&target)?
+    };
+
+    let wv = wv_builder.build()?;
+    let wv = wv.webview();
+
+    wv.connect_load_changed(move |webview, event| {
+        if let LoadEvent::Finished = event {
+            if let Some(main_resource) = webview.main_resource() {
+                // Read the SAML result from the HTTP headers
+                if let Some(response) = main_resource.response() {
+                    if let Some(saml_result) = read_saml_result_from_response(&response) {
+                        println!("Got SAML result from HTTP headers");
+                        return emit_event(&event_proxy, UserEvent::SamlSuccess(saml_result));
+                    }
+                }
+
+                // Read the SAML result from the HTTP body
+                let event_proxy = event_proxy.clone();
+                main_resource.data(Cancellable::NONE, move |data| {
+                    if let Ok(data) = data {
+                        match read_saml_result_from_html(&data) {
+                            Ok(saml_result) => {
+                                println!("Got SAML result from HTTP body");
+                                emit_event(&event_proxy, UserEvent::SamlSuccess(saml_result));
+                            }
+                            Err(err) if err == SamlResultError::Invalid => {
+                                println!("Error reading SAML result from HTTP body: {:?}", err);
+                                emit_event(
+                                    &event_proxy,
+                                    UserEvent::SamlError("Invalid SAML result".into()),
+                                );
+                            }
+                            Err(_) => {
+                                println!("SAML result not found in HTTP body");
+                            }
+                        }
+                    }
+                });
+            }
+        }
+    });
+
+    let saml_result: Rc<RefCell<Option<SamlResult>>> = Rc::new(RefCell::new(None));
+    let saml_result_clone = saml_result.clone();
+
+    let exit_code = event_loop.run_return(move |event, _, control_flow| {
+        *control_flow = ControlFlow::Wait;
+
+        match event {
+            Event::NewEvents(StartCause::Init) => println!("Wry has started!"),
+            Event::WindowEvent {
+                event: WindowEvent::CloseRequested,
+                ..
+            } => {
+                println!("User closed the window");
+                *control_flow = ControlFlow::Exit
+            }
+            Event::UserEvent(UserEvent::SamlSuccess(result)) => {
+                *saml_result_clone.borrow_mut() = Some(result);
+                *control_flow = ControlFlow::Exit;
+            }
+            Event::UserEvent(UserEvent::SamlError(_)) => {
+                println!("Error reading SAML result");
+                wv.load_uri("https://baidu.com");
+            }
+            _ => (),
+        }
+    });
+    println!("Exit code: {:?}", exit_code);
+
+    let saml_result = if let Some(saml_result) = saml_result.borrow().clone() {
+        println!("SAML result: {:?}", saml_result);
+        Ok(saml_result)
+    } else {
+        println!("SAML result: None");
+        // TODO: Return a proper error
+        Err("SAML result not found".into())
+    };
+
+    saml_result
+}
+
+fn read_saml_result_from_response(response: &webkit2gtk::URIResponse) -> Option<SamlResult> {
+    response.http_headers().and_then(|mut headers| {
+        let saml_result = SamlResult::new(
+            headers.get("saml-username").map(GString::into),
+            headers.get("prelogin-cookie").map(GString::into),
+            headers.get("portal-userauthcookie").map(GString::into),
+        );
+
+        if saml_result.check() {
+            Some(saml_result)
+        } else {
+            None
+        }
+    })
+}
+
+fn read_saml_result_from_html(data: &[u8]) -> Result<SamlResult, SamlResultError> {
+    let body = String::from_utf8_lossy(data);
+    let saml_auth_status = parse_saml_tag(&body, "saml-auth-status");
+
+    match saml_auth_status {
+        Some(status) if status == "1" => extract_saml_result(&body).ok_or(SamlResultError::Invalid),
+        Some(status) if status == "-1" => Err(SamlResultError::Invalid),
+        _ => Err(SamlResultError::NotFound),
+    }
+}
+
+fn extract_saml_result(body: &str) -> Option<SamlResult> {
+    let saml_result = SamlResult::new(
+        parse_saml_tag(body, "saml-username"),
+        parse_saml_tag(body, "prelogin-cookie"),
+        parse_saml_tag(body, "portal-userauthcookie"),
+    );
+
+    if saml_result.check() {
+        Some(saml_result)
+    } else {
+        None
+    }
+}
+
+fn parse_saml_tag(body: &str, tag: &str) -> Option<String> {
+    let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+    re.captures(body)
+        .and_then(|captures| captures.get(1))
+        .map(|m| m.as_str().to_string())
+}
+
+fn emit_event(event_proxy: &EventLoopProxy<UserEvent>, event: UserEvent) {
+    if let Err(err) = event_proxy.send_event(event) {
+        println!("Error sending event: {:?}", err);
+    }
+}
diff --git a/gpgui/public/auth.html b/gpgui/public/auth.html
new file mode 100644
index 0000000..8318c97
--- /dev/null
+++ b/gpgui/public/auth.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>GlobalProtect Login</title>
+</head>
+<body>
+    <p>Redirecting...</p>
+</body>
+</html>
\ No newline at end of file
diff --git a/gpgui/src-tauri/Cargo.toml b/gpgui/src-tauri/Cargo.toml
index c8c086b..bceb869 100644
--- a/gpgui/src-tauri/Cargo.toml
+++ b/gpgui/src-tauri/Cargo.toml
@@ -15,13 +15,16 @@ rust-version = "1.59"
 tauri-build = { version = "1.3", features = [] }
 
 [dependencies]
-tauri = { version = "1.3", features = ["http-all"] }
+gpcommon = { path = "../../gpcommon" }
+tauri = { version = "1.3", features = ["http-all", "window-data-url"] }
 tauri-plugin-log = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "v1" }
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }
 log = "0.4"
 env_logger = "0.10"
-gpcommon = { path = "../../gpcommon" }
+webkit2gtk = "0.18.2"
+regex = "1"
+url = "2.3"
 
 [features]
 # by default Tauri runs in production mode
diff --git a/gpgui/src-tauri/src/auth.rs b/gpgui/src-tauri/src/auth.rs
new file mode 100644
index 0000000..d318a6b
--- /dev/null
+++ b/gpgui/src-tauri/src/auth.rs
@@ -0,0 +1,297 @@
+use regex::Regex;
+use serde::{Deserialize, Serialize};
+use std::sync::{Arc};
+use tauri::{AppHandle, Manager, WindowBuilder, WindowEvent::CloseRequested, WindowUrl};
+use url::Url;
+use webkit2gtk::{
+    gio::Cancellable, glib::GString, traits::WebViewExt, LoadEvent, URIResponseExt, WebResource,
+    WebResourceExt,
+};
+
+const AUTH_WINDOW_LABEL: &str = "auth_window";
+const AUTH_SUCCESS_EVENT: &str = "auth-success";
+const AUTH_ERROR_EVENT: &str = "auth-error";
+const AUTH_CANCEL_EVENT: &str = "auth-cancel";
+const AUTH_REQUEST_EVENT: &str = "auth-request";
+
+#[derive(Debug, Deserialize)]
+pub(crate) enum SamlBinding {
+    #[serde(rename = "REDIRECT")]
+    Redirect,
+    #[serde(rename = "POST")]
+    Post,
+}
+
+pub(crate) struct AuthOptions {
+    saml_binding: SamlBinding,
+    saml_request: String,
+    user_agent: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct AuthRequestPayload {
+    #[serde(alias = "samlRequest")]
+    saml_request: String,
+}
+
+impl AuthOptions {
+    pub fn new(saml_binding: SamlBinding, saml_request: String, user_agent: String) -> Self {
+        Self {
+            saml_binding,
+            saml_request,
+            user_agent,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct AuthData {
+    username: Option<String>,
+    prelogin_cookie: Option<String>,
+    portal_userauthcookie: Option<String>,
+}
+
+impl AuthData {
+    fn new(
+        username: Option<String>,
+        prelogin_cookie: Option<String>,
+        portal_userauthcookie: Option<String>,
+    ) -> Self {
+        Self {
+            username,
+            prelogin_cookie,
+            portal_userauthcookie,
+        }
+    }
+
+    fn check(&self) -> bool {
+        self.username.is_some()
+            && (self.prelogin_cookie.is_some() || self.portal_userauthcookie.is_some())
+    }
+}
+
+#[derive(Debug)]
+enum AuthError {
+    NotFound,
+    Invalid,
+}
+
+#[derive(Debug)]
+struct AuthEventEmitter {
+    app_handle: AppHandle,
+}
+
+impl AuthEventEmitter {
+    fn new(app_handle: AppHandle) -> Self {
+        Self { app_handle }
+    }
+
+    fn emit_success(&self, saml_result: AuthData) {
+        self.app_handle.emit_all(AUTH_SUCCESS_EVENT, saml_result);
+        if let Some(window) = self.app_handle.get_window(AUTH_WINDOW_LABEL) {
+            window.close();
+        }
+    }
+
+    fn emit_error(&self, error: String) {
+        self.app_handle.emit_all(AUTH_ERROR_EVENT, error);
+    }
+
+    fn emit_cancel(&self) {
+        self.app_handle.emit_all(AUTH_CANCEL_EVENT, ());
+    }
+}
+
+#[derive(Debug)]
+pub(crate) struct AuthWindow {
+    event_emitter: Arc<AuthEventEmitter>,
+    app_handle: AppHandle,
+    saml_binding: SamlBinding,
+    user_agent: String,
+}
+
+impl AuthWindow {
+    pub fn new(app_handle: AppHandle, saml_binding: SamlBinding, user_agent: String) -> Self {
+        Self {
+            event_emitter: Arc::new(AuthEventEmitter::new(app_handle.clone())),
+            app_handle,
+            saml_binding,
+            user_agent,
+        }
+    }
+
+    pub fn process(&self, saml_request: String) -> tauri::Result<()> {
+        let url = self.window_url(&saml_request)?;
+        let window = WindowBuilder::new(&self.app_handle, AUTH_WINDOW_LABEL, url)
+            .title("GlobalProtect Login")
+            .user_agent(&self.user_agent)
+            .always_on_top(true)
+            .focused(true)
+            .center()
+            .build()?;
+
+        let event_emitter = self.event_emitter.clone();
+        let is_post = matches!(self.saml_binding, SamlBinding::Post);
+
+        window.with_webview(move |wv| {
+            let wv = wv.inner();
+            // Load SAML request as HTML if POST binding is used
+            if is_post {
+                wv.load_html(&saml_request, None);
+            }
+            wv.connect_load_changed(move |wv, event| {
+                if LoadEvent::Finished == event {
+                    if let Some(uri) = wv.uri() {
+                        if uri.is_empty() {
+                            println!("Empty URI");
+                            event_emitter.emit_error("Empty URI".to_string());
+                            return;
+                        } else {
+                            println!("Loaded URI: {}", uri);
+                        }
+                    }
+
+                    if let Some(main_res) = wv.main_resource() {
+                        AuthResultParser::new(&event_emitter).parse(&main_res);
+                    }
+                }
+            });
+        })?;
+
+        let event_emitter = self.event_emitter.clone();
+        window.on_window_event(move |event| {
+            if let CloseRequested { .. } = event {
+                event_emitter.emit_cancel();
+            }
+        });
+
+        let window_clone = window.clone();
+        window.listen_global(AUTH_REQUEST_EVENT, move |event| {
+            let auth_request_payload: AuthRequestPayload = serde_json::from_str(event.payload().unwrap()).unwrap();
+            let saml_request = auth_request_payload.saml_request;
+
+            window_clone.with_webview(move |wv| {
+                let wv = wv.inner();
+                if is_post {
+                    // Load SAML request as HTML if POST binding is used
+                    wv.load_html(&saml_request, None);
+                } else {
+                    println!("Redirecting to SAML request URL: {}", saml_request);
+                    // Redirect to SAML request URL if REDIRECT binding is used
+                    wv.load_uri(&saml_request);
+                }
+            });
+        });
+
+        Ok(())
+    }
+
+    fn window_url(&self, saml_request: &String) -> tauri::Result<WindowUrl> {
+        match self.saml_binding {
+            SamlBinding::Redirect => match Url::parse(saml_request) {
+                Ok(url) => Ok(WindowUrl::External(url)),
+                Err(err) => Err(tauri::Error::InvalidUrl(err)),
+            },
+            SamlBinding::Post => Ok(WindowUrl::App("auth.html".into())),
+        }
+    }
+}
+
+struct AuthResultParser<'a> {
+    event_emitter: &'a Arc<AuthEventEmitter>,
+}
+
+impl<'a> AuthResultParser<'a> {
+    fn new(event_emitter: &'a Arc<AuthEventEmitter>) -> Self {
+        Self { event_emitter }
+    }
+
+    fn parse(&self, main_res: &WebResource) {
+        if let Some(response) = main_res.response() {
+            if let Some(saml_result) = read_auth_result_from_response(&response) {
+                // Got SAML result from HTTP headers
+                println!("SAML result: {:?}", saml_result);
+                self.event_emitter.emit_success(saml_result);
+                return;
+            }
+        }
+
+        let event_emitter = self.event_emitter.clone();
+        main_res.data(Cancellable::NONE, move |data| {
+            if let Ok(data) = data {
+                let html = String::from_utf8_lossy(&data);
+                match read_auth_result_from_html(&html) {
+                    Ok(saml_result) => {
+                        // Got SAML result from HTML
+                        println!("SAML result: {:?}", saml_result);
+                        event_emitter.emit_success(saml_result);
+                        return;
+                    }
+                    Err(AuthError::Invalid) => {
+                        // Invalid SAML result
+                        println!("Invalid SAML result");
+                        event_emitter.emit_error("Invalid SAML result".to_string())
+                    }
+                    Err(AuthError::NotFound) => {
+                        let has_form = html.contains("</form>");
+                        if has_form {
+                            // SAML form found
+                            println!("SAML form found");
+                        } else {
+                            // No SAML form found
+                            println!("No SAML form found");
+                        }
+                    },
+                }
+            }
+        });
+    }
+}
+
+fn read_auth_result_from_response(response: &webkit2gtk::URIResponse) -> Option<AuthData> {
+    response.http_headers().and_then(|mut headers| {
+        let saml_result = AuthData::new(
+            headers.get("saml-username").map(GString::into),
+            headers.get("prelogin-cookie").map(GString::into),
+            headers.get("portal-userauthcookie").map(GString::into),
+        );
+
+        if saml_result.check() {
+            Some(saml_result)
+        } else {
+            None
+        }
+    })
+}
+
+fn read_auth_result_from_html(html: &str) -> Result<AuthData, AuthError> {
+    let saml_auth_status = parse_xml_tag(html, "saml-auth-status");
+    
+
+    match saml_auth_status {
+        Some(status) if status == "1" => extract_auth_data(html).ok_or(AuthError::Invalid),
+        Some(status) if status == "-1" => Err(AuthError::Invalid),
+        _ => Err(AuthError::NotFound),
+    }
+}
+
+fn extract_auth_data(html: &str) -> Option<AuthData> {
+    let auth_data = AuthData::new(
+        parse_xml_tag(html, "saml-username"),
+        parse_xml_tag(html, "prelogin-cookie"),
+        parse_xml_tag(html, "portal-userauthcookie"),
+    );
+
+    if auth_data.check() {
+        Some(auth_data)
+    } else {
+        None
+    }
+}
+
+fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
+    let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+    re.captures(html)
+        .and_then(|captures| captures.get(1))
+        .map(|m| m.as_str().to_string())
+}
diff --git a/gpgui/src-tauri/src/main.rs b/gpgui/src-tauri/src/main.rs
index 8dae445..aef73e5 100644
--- a/gpgui/src-tauri/src/main.rs
+++ b/gpgui/src-tauri/src/main.rs
@@ -3,13 +3,16 @@
     windows_subsystem = "windows"
 )]
 
-use gpcommon::{Client, ServerApiError, VpnStatus};
+use auth::{SamlBinding, AuthWindow};
 use env_logger::Env;
+use gpcommon::{Client, ServerApiError, VpnStatus};
 use serde::Serialize;
 use std::sync::Arc;
-use tauri::{Manager, State};
+use tauri::{AppHandle, Manager, State};
 use tauri_plugin_log::LogTarget;
 
+mod auth;
+
 #[tauri::command]
 async fn vpn_status<'a>(client: State<'a, Arc<Client>>) -> Result<VpnStatus, ServerApiError> {
     client.status().await
@@ -29,6 +32,20 @@ async fn vpn_disconnect<'a>(client: State<'a, Arc<Client>>) -> Result<(), Server
     client.disconnect().await
 }
 
+#[tauri::command]
+async fn saml_login(
+    binding: SamlBinding,
+    request: String,
+    app_handle: AppHandle,
+) -> tauri::Result<()> {
+    let auth_window = AuthWindow::new(app_handle, binding, String::from("PAN GlobalProtect"));
+    if let Err(err) = auth_window.process(request) {
+        println!("Error processing auth window: {}", err);
+        return Err(err);
+    }
+    Ok(())
+}
+
 #[derive(Debug, Clone, Serialize)]
 struct StatusPayload {
     status: VpnStatus,
@@ -43,11 +60,11 @@ fn setup(app: &mut tauri::App) -> Result<(), Box<dyn std::error::Error>> {
         let _ = client_clone.subscribe_status(move |status| {
             let payload = StatusPayload { status };
             if let Err(err) = app_handle.emit_all("vpn-status-received", payload) {
-                println!("Error emmiting event: {}", err);
+                println!("Error emitting event: {}", err);
             }
         });
 
-        let _ = client_clone.run().await;
+        // let _ = client_clone.run().await;
     });
 
     app.manage(client);
@@ -70,7 +87,8 @@ fn main() {
         .invoke_handler(tauri::generate_handler![
             vpn_status,
             vpn_connect,
-            vpn_disconnect
+            vpn_disconnect,
+            saml_login,
         ])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");
diff --git a/gpgui/src/App.tsx b/gpgui/src/App.tsx
index ebfcd7a..de9c082 100644
--- a/gpgui/src/App.tsx
+++ b/gpgui/src/App.tsx
@@ -12,9 +12,10 @@ import PasswordAuth, {
 import gatewayService from "./services/gatewayService";
 import portalService from "./services/portalService";
 import vpnService from "./services/vpnService";
+import authService from "./services/authService";
 
 export default function App() {
-  const [portalAddress, setPortalAddress] = useState("220.191.185.154");
+  const [portalAddress, setPortalAddress] = useState("vpn.microstrategy.com"); // useState("220.191.185.154");
   const [status, setStatus] = useState<Status>("disconnected");
   const [processing, setProcessing] = useState(false);
   const [passwordAuthOpen, setPasswordAuthOpen] = useState(false);
@@ -35,6 +36,16 @@ export default function App() {
     });
   }, []);
 
+  useEffect(() => {
+    authService.onAuthSuccess((data) => {});
+    authService.onAuthError(async () => {
+      const preloginResponse = await portalService.prelogin(portalAddress);
+      // Retry SAML login when auth error occurs
+      authService.emitAuthRequest(preloginResponse.samlAuthRequest!);
+    });
+    authService.onAuthCancel(() => {});
+  }, [portalAddress]);
+
   function closeNotification() {
     setNotification((notification) => ({
       ...notification,
@@ -62,7 +73,8 @@ export default function App() {
       const response = await portalService.prelogin(portalAddress);
 
       if (portalService.isSamlAuth(response)) {
-        // TODO SAML login
+        const { samlAuthMethod, samlAuthRequest } = response;
+        await authService.samlLogin(samlAuthMethod, samlAuthRequest);
       } else if (portalService.isPasswordAuth(response)) {
         setPasswordAuthOpen(true);
         setPasswordAuth({
@@ -74,6 +86,7 @@ export default function App() {
         throw new Error("Unsupported portal login method");
       }
     } catch (e) {
+      console.error(e);
       setProcessing(false);
     }
   }
diff --git a/gpgui/src/services/authService.ts b/gpgui/src/services/authService.ts
new file mode 100644
index 0000000..3d8f477
--- /dev/null
+++ b/gpgui/src/services/authService.ts
@@ -0,0 +1,53 @@
+import { Event, emit, listen } from "@tauri-apps/api/event";
+import invokeCommand from "../utils/invokeCommand";
+
+type AuthData = {
+  username: string;
+  prelogin_cookie: string | null;
+  portal_userauthcookie: string | null;
+};
+
+class AuthService {
+  private authSuccessCallback: ((data: AuthData) => void) | undefined;
+  private authErrorCallback: (() => void) | undefined;
+  private authCancelCallback: (() => void) | undefined;
+
+  constructor() {
+    this.init();
+  }
+
+  private async init() {
+    await listen("auth-success", (event: Event<AuthData>) => {
+      this.authSuccessCallback?.(event.payload);
+    });
+    await listen("auth-error", (event) => {
+      this.authErrorCallback?.();
+    });
+    await listen("auth-cancel", (event) => {
+      this.authCancelCallback?.();
+    });
+  }
+
+  onAuthSuccess(callback: (data: AuthData) => void) {
+    this.authSuccessCallback = callback;
+  }
+
+  onAuthError(callback: () => void) {
+    this.authErrorCallback = callback;
+  }
+
+  onAuthCancel(callback: () => void) {
+    this.authCancelCallback = callback;
+  }
+
+  // binding: "POST" | "REDIRECT"
+  async samlLogin(binding: string, request: string) {
+    return invokeCommand("saml_login", { binding, request });
+  }
+
+  emitAuthRequest(authRequest: string) {
+    emit("auth-request", { samlRequest: authRequest });
+  }
+}
+
+export default new AuthService();
diff --git a/gpgui/src/services/portalService.ts b/gpgui/src/services/portalService.ts
index 077b88f..57fb144 100644
--- a/gpgui/src/services/portalService.ts
+++ b/gpgui/src/services/portalService.ts
@@ -1,6 +1,7 @@
 import { Body, ResponseType, fetch } from "@tauri-apps/api/http";
 import { Maybe, MaybeProperties } from "../types";
 import { parseXml } from "../utils/parseXml";
+import authService from "./authService";
 import { Gateway } from "./types";
 
 type SamlPreloginResponse = {
@@ -35,6 +36,9 @@ class PortalService {
 
     const response = await fetch<string>(preloginUrl, {
       method: "GET",
+      headers: {
+        "User-Agent": "PAN GlobalProtect",
+      },
       responseType: ResponseType.Text,
       query: {
         tmp: "tmp",
@@ -55,8 +59,8 @@ class PortalService {
     const doc = parseXml(response);
 
     return {
-      samlAuthMethod: doc.text("saml-auth-method"),
-      samlAuthRequest: doc.text("saml-auth-request"),
+      samlAuthMethod: doc.text("saml-auth-method").toUpperCase(),
+      samlAuthRequest: atob(doc.text("saml-request")),
       labelUsername: doc.text("username-label"),
       labelPassword: doc.text("password-label"),
       authMessage: doc.text("authentication-message"),
diff --git a/gpgui/src/services/vpnService.ts b/gpgui/src/services/vpnService.ts
index 27b3f2f..38a6779 100644
--- a/gpgui/src/services/vpnService.ts
+++ b/gpgui/src/services/vpnService.ts
@@ -1,12 +1,10 @@
-import { invoke } from "@tauri-apps/api";
-import { listen } from "@tauri-apps/api/event";
+import { Event, listen } from "@tauri-apps/api/event";
+import invokeCommand from "../utils/invokeCommand";
 
 type Status = "disconnected" | "connecting" | "connected" | "disconnecting";
 type StatusCallback = (status: Status) => void;
-type StatusEvent = {
-  payload: {
-    status: Status;
-  };
+type StatusPayload = {
+  status: Status;
 };
 
 class VpnService {
@@ -18,7 +16,7 @@ class VpnService {
   }
 
   private async init() {
-    await listen("vpn-status-received", (event: StatusEvent) => {
+    await listen("vpn-status-received", (event: Event<StatusPayload>) => {
       console.log("vpn-status-received", event.payload);
       this.setStatus(event.payload.status);
     });
@@ -35,15 +33,15 @@ class VpnService {
   }
 
   private async status(): Promise<Status> {
-    return this.invokeCommand<Status>("vpn_status");
+    return invokeCommand<Status>("vpn_status");
   }
 
   async connect(server: string, cookie: string) {
-    return this.invokeCommand("vpn_connect", { server, cookie });
+    return invokeCommand("vpn_connect", { server, cookie });
   }
 
   async disconnect() {
-    return this.invokeCommand("vpn_disconnect");
+    return invokeCommand("vpn_disconnect");
   }
 
   onStatusChanged(callback: StatusCallback) {
@@ -59,14 +57,6 @@ class VpnService {
   private removeStatusCallback(callback: StatusCallback) {
     this.statusCallbacks = this.statusCallbacks.filter((cb) => cb !== callback);
   }
-
-  private async invokeCommand<T>(command: string, args?: any) {
-    try {
-      return await invoke<T>(command, args);
-    } catch (err: any) {
-      throw new Error(err.message);
-    }
-  }
 }
 
 export default new VpnService();
diff --git a/gpgui/src/utils/invokeCommand.ts b/gpgui/src/utils/invokeCommand.ts
new file mode 100644
index 0000000..ea9cdb3
--- /dev/null
+++ b/gpgui/src/utils/invokeCommand.ts
@@ -0,0 +1,9 @@
+import { invoke } from "@tauri-apps/api";
+
+export default async function invokeCommand<T>(command: string, args?: any) {
+  try {
+    return await invoke<T>(command, args);
+  } catch (err: any) {
+    throw new Error(err.message);
+  }
+}