jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

CSRF Cookie Not Set #14

Closed nniehoff closed 3 years ago

nniehoff commented 3 years ago

I am using NetBox 2.8.6 (I have also tried 2.8.9) and I receive a 403 CSRF Cookie not set error. This could very well be something I am missing in the Okta setup, I'm not an Okta expert. From the logs the error is:

20:01:56 INFO HTTP REDIRECT - saml2.entity - entity - /opt/venv/lib/python3.7/site-packages/saml2/entity.py:227
[pid: 22|app: 0|req: 43/138] 172.24.0.1 () {56 vars in 1176 bytes} [Mon Dec  7 20:01:55 2020] GET /api/plugins/sso/login/?next=/ => generated 0 bytes in 805 msecs (HTTP/1.1 302) 7 headers in 819 bytes (1 switches on core 0)
Forbidden (CSRF cookie not set.): /
20:01:56 WARNING Forbidden (CSRF cookie not set.): / - django.security.csrf - log - /opt/venv/lib/python3.7/site-packages/django/utils/log.py:228

I'm hoping you can provide some guidance here. It looks like the authentication piece happens fine; it's when I get redirected back to my NetBox that I receive this error.

nniehoff commented 3 years ago

I'm getting further: setting the Okta SSO URL to /sso/acs/ gets me to the next exception:

Traceback (most recent call last):
  File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/opt/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/venv/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/venv/lib/python3.7/site-packages/django3_auth_saml2/views.py", line 87, in sso_acs
    binding=entity.BINDING_HTTP_POST
  File "/opt/venv/lib/python3.7/site-packages/saml2/client_base.py", line 714, in parse_authn_request_response
    binding, **kwargs)
  File "/opt/venv/lib/python3.7/site-packages/saml2/entity.py", line 1207, in _parse_response
    response.require_signature = require_signature

Exception Type: AttributeError at /api/plugins/sso/acs/
Exception Value: 'NoneType' object has no attribute 'require_signature'

I'm convinced I am missing something in my Okta configuration.

nniehoff commented 3 years ago

I figured it out, hopefully documenting here for public info:

The SSO URL should be: /sso/acs/
Recipient URL should be: /
Destination URL should be: /sso/acs/
Audience Restriction should be: /
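The settings above all come down to the IdP stamping URLs into the response that match what the SP expects. The following is an added example (not nniehoff's or the plugin's code) that checks a SAML response's Destination, Recipient and Audience against those expectations before handing it to the library, so a mismatch is reported as a named field rather than surfacing as a bare AttributeError; the host https://netbox.example.com and the sample response are constructed, since the thread gives only the path suffixes.

```python
"""Pre-check the SP-facing URLs in a SAML response (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical NetBox base URL; the issue thread only gives the path suffixes.
BASE = "https://netbox.example.com"
EXPECTED = {
    "Destination": BASE + "/sso/acs/",   # SSO URL / Destination URL
    "Recipient": BASE + "/",             # Recipient URL
    "Audience": BASE + "/",              # Audience Restriction
}

def check_saml_response(xml_text):
    """Return a list of mismatches; an empty list means the URLs line up."""
    root = ET.fromstring(xml_text)
    found = {"Destination": root.get("Destination"),
             "Recipient": None, "Audience": None}
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is not None:
        found["Recipient"] = scd.get("Recipient")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is not None:
        found["Audience"] = aud.text
    return [f"{key}: expected {EXPECTED[key]!r}, got {value!r}"
            for key, value in found.items() if value != EXPECTED[key]]

# Constructed sample: Destination is right, but Recipient and Audience carry
# the ACS path instead of the base URL, so two fields are reported.
SAMPLE_BAD = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{BASE}/sso/acs/">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{BASE}/sso/acs/"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{BASE}/sso/acs/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for problem in check_saml_response(SAMPLE_BAD):
        print(problem)
```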

jeremyschulman commented 3 years ago

@nniehoff - nice job working through the issues. I also am not the Okta admin, and I do recall working with them to tweak the settings until we got it working. Thank you for documenting the solution for others!