gpsaml-bastion

SAML-aware GlobalProtect proxy. A browser extension drives the SAML login, the bastion runs openconnect inside a per-user network namespace (netns), and you reach corp-internal hosts through plain ssh -L port forwards.

What this is

You authenticate with corp SSO once in your browser. The extension captures the GlobalProtect cookie and hands it to this bastion, which spins up an isolated openconnect tunnel and gives you back a one-shot .command file. Double-click and your laptop reaches the corp-internal services you registered (bitbucket, etc.) at their normal URLs — no VPN client running on your laptop.

1. Install the extension

Download extension.zip
  1. Unzip somewhere stable (it has to stay on disk for Chrome to load it).
  2. Open chrome://extensions.
  3. Toggle Developer mode on (top right).
  4. Click Load unpacked and pick the unzipped folder.
  5. Pin the extension to your toolbar.

2. Connect

  1. Click the extension icon, hit Authenticate via SAML.
  2. Sign in to corp SSO in the new tab. The tab closes itself when done.
  3. Chrome downloads a .command file to your Downloads folder.
  4. Right-click → Open (Gatekeeper warns the first time). Type your sudo password.
  5. Terminal stays in the foreground. Browse the registered hosts at their normal URLs. Press Ctrl+C to disconnect.

Default forwards

Shipped in the popup; add / remove from there.

bitbucket.rks-cloud.com:443    Bitbucket web UI
bitbucket.rks-cloud.com:7999   Git push / pull over SSH

Manual mode (no sudo)

If your laptop user can't sudo, the popup also shows a copy-pasteable ssh -L command that uses high local ports, so you access services at https://bitbucket.rks-cloud.com:8443/ etc. The TLS certificate still validates because the hostname in the URL matches the certificate; only the port differs.
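
The manual-mode command described above, as an added example (not the project's own code, and not the exact command the popup generates). The bastion address user@bastion.example and the rule that shifts ports below 1024 up by 8000 are assumptions; the forward list is constructed from the default forwards listed above.

```shell
#!/bin/sh
# Added example: build a manual-mode `ssh -L` command line from a forward list.
# BASTION and the port-mapping rule are assumptions, not values from the project.

BASTION="user@bastion.example"   # placeholder; use the address your popup shows

# Constructed forward list, matching the default forwards listed above.
FORWARDS="bitbucket.rks-cloud.com:443
bitbucket.rks-cloud.com:7999"

# Map a remote port to an unprivileged local port.
# Assumed rule: ports below 1024 need root to bind, so shift them up by 8000
# (443 -> 8443); ports already >= 1024 are reused unchanged.
local_port() {
    if [ "$1" -lt 1024 ]; then
        echo $(( $1 + 8000 ))
    else
        echo "$1"
    fi
}

# Emit one -L argument per forward, bound to loopback only so that other
# machines on the local network cannot reach corp services through the laptop.
forward_args() {
    args=""
    for fwd in $FORWARDS; do
        host=${fwd%:*}
        port=${fwd##*:}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in: $fwd" >&2; return 1 ;;
        esac
        args="$args -L 127.0.0.1:$(local_port "$port"):$host:$port"
    done
    echo "${args# }"
}

# -N: forward only, run no remote command.
# ExitOnForwardFailure=yes: exit instead of running without a forward
# when a local port is already taken.
build_command() {
    fa=$(forward_args) || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes $fa $BASTION"
}

# Print the command for review; nothing is executed here.
build_command
```

Printing the command rather than running it lets you confirm every forward is loopback-bound and points only at hosts you registered before you open the connection.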