jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

Logout issue #12

Closed dwildcash closed 3 years ago

dwildcash commented 3 years ago

Hi,

Everything is working using the 'django3_saml2_nbplugin' with 'netbox.authentication.RemoteUserBackend'. I am on the latest netbox version.

But here is my problem: if a user clicks "logout", I see the request being forwarded to the IdP to log out, but when I open netbox again I am still "logged" in until the LOGIN_TIMEOUT is reached, and then it asks me to authenticate.

Is there a way to make a clean logout using the SAML plugin?

# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = 10

jeremyschulman commented 3 years ago

Hi @dwildcash, thank you for your report. When you say that you are still "logged" until LOGIN_TIMEOUT, do you mean that you are still logged in until the LOGIN_TIMEOUT expires?

I am using Netbox 2.8.5, and when I click the logout button I am immediately logged out. Here is my code from the configuration.py file:

import os

if os.environ.get("SAML2_METADATA_URL", ""):
    PLUGINS += ["django3_saml2_nbplugin"]

    REMOTE_AUTH_ENABLED = True
    REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2AttrUserBackend'
    REMOTE_AUTH_AUTO_CREATE_USER = True
    REMOTE_AUTH_DEFAULT_GROUPS = ['read-only']

    PLUGINS_CONFIG["django3_saml2_nbplugin"] = {
        # Use the Netbox default remote backend
        "AUTHENTICATION_BACKEND": REMOTE_AUTH_BACKEND,
        # Metadata is required, choose either remote url or local file path
        "METADATA_AUTO_CONF_URL": os.environ.get("SAML2_METADATA_URL", ""),
        'ENTITY_ID': 'https://<your-netbox-fqdn>',
        'ASSERTION_URL': 'https://<your-netbox-fqdn>',
    }

I am hoping the above example is helpful.

dwildcash commented 3 years ago

Hi, thanks for the reply.

Yes, my config is very similar to yours, but the logout was not working in my case. So I added some code to your plugin: I am catching the "logout" in nginx and forwarding it to a new method in the plugin, "signout".

In urls.py I added a signout:

from django.urls import path

from . import views
from . import consts

app_name = consts.app_name

urlpatterns = [
    path('acs/', views.sso_acs, name=consts.LABEL_SSO_ACS),
    path('login/', views.signin, name=consts.LABEL_SSO_LOGIN),
    path('signout/', views.signout, name=consts.LABEL_SSO_SIGNOUT),
]

And in the view I am calling logout(req):

from django.contrib.auth import logout
from django.core.handlers.wsgi import WSGIRequest
from django.http import HttpResponseRedirect


def signout(req: WSGIRequest) -> HttpResponseRedirect:
    logout(req)  # clear the local Django session before leaving for the IdP
    return HttpResponseRedirect("https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0")

I am redirecting to the Azure AD logout.

jeremyschulman commented 3 years ago

@dwildcash - Great progress, thank you for the update. From your comment, should I understand that we could close this issue?

jeremyschulman commented 3 years ago

Closing this issue as there has been no response since Oct 22. We can always re-open if necessary.