search

jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2
120 stars 21 forks source link

Exception at /api/plugins/sso/acs/ Not for me!!! #10

Closed esapozhnikov-wish closed 4 years ago

esapozhnikov-wish commented 4 years ago

I am getting the following exception when attempting to log in using OKta on Netbox 2.8.5:


Request Method: POST
Request URL: http://netbox-dev.i.wish.com:8001/api/plugins/sso/acs/

Django Version: 3.0.9
Python Version: 3.6.8
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.humanize',
 'cacheops',
 'corsheaders',
 'debug_toolbar',
 'django_filters',
 'django_tables2',
 'django_prometheus',
 'mptt',
 'rest_framework',
 'taggit',
 'taggit_serializer',
 'timezone_field',
 'circuits',
 'dcim',
 'ipam',
 'extras',
 'secrets',
 'tenancy',
 'users',
 'utilities',
 'virtualization',
 'django_rq',
 'drf_yasg',
 'django3_saml2_nbplugin.Django3AuthSAML2Plugin']
Installed Middleware:
['debug_toolbar.middleware.DebugToolbarMiddleware',
 'django_prometheus.middleware.PrometheusBeforeMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'utilities.middleware.ExceptionHandlingMiddleware',
 'utilities.middleware.RemoteUserMiddleware',
 'utilities.middleware.LoginRequiredMiddleware',
 'utilities.middleware.APIVersionMiddleware',
 'extras.middleware.ObjectChangeMiddleware',
 'django_prometheus.middleware.PrometheusAfterMiddleware']

Traceback (most recent call last):
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/django3_auth_saml2/views.py", line 87, in sso_acs
    binding=entity.BINDING_HTTP_POST
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/client_base.py", line 714, in parse_authn_request_response
    binding, **kwargs)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/entity.py", line 1196, in _parse_response
    response = response.verify(keys)
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/response.py", line 1051, in verify
    if self.parse_assertion(keys):
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/response.py", line 937, in parse_assertion
    if not self._assertion(assertion, False):
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/response.py", line 817, in _assertion
    if not self.condition_ok():
  File "/opt/netbox-2.8.5/venv/lib/python3.6/site-packages/saml2/response.py", line 616, in condition_ok
    raise Exception("Not for me!!!")

Exception Type: Exception at /api/plugins/sso/acs/
Exception Value: Not for me!!!

My Ngnix config

    listen 80;
    server_name 10.10.2.76;
    client_max_body_size 25m;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://netbox-dev.i.wish.com:8001;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
    }

    location /login/ {
        proxy_pass http://netbox-dev.i.wish.com:8001/api/plugins/sso/login/;
    }

    location /sso/ {
        proxy_pass http://netbox-dev.i.wish.com:8001/api/plugins/sso/;  # Must have a trailing slash to strip the original path
    }
}

And configuration.py


REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2AttrUserBackend'
REMOTE_AUTH_AUTO_CREATE_USER = True

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'http://netbox-dev.i.wish.com',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'http://netbox-dev.i.wish.com/',

        # Metadata is required, choose either remote url or local file path
        'METADATA_AUTO_CONF_URL': "https://wishid.okta.com/app/exk53381qvewNFjX0357/sso/saml/metadata"
    }
}
pixelrebel commented 3 years ago

@esapozhnikov I'm hitting this same error. What was your fix?

qxmips commented 2 years ago

Wonder if anybody tried to use the module on k8s with the helm chart. can't come up with the right annotations for nginx ingress to simulate this block:

    location /sso/ {
        proxy_pass http://netbox-dev.i.wish.com:8001/api/plugins/sso/;  # Must have a trailing slash to strip the original path
    }