jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

Exception "SourceNotFound" when using plugin with Netbox Docker #22

Closed matwei closed 3 years ago

matwei commented 3 years ago

I get this error in the browser when I use the default settings in a Netbox Docker environment after clicking at the login link:

error   "https://mycorp.okta.com/?flkads/sso/saml/metadata"
exception       "SourceNotFound"
netbox_version  "2.9.11"
python_version  "3.8.6"

In the container I have:

netbox-plugin-auth-saml2==2.1
django3-auth-saml2==0.2.0

configuration.py:

REMOTE_AUTH_ENABLED = environ.get('REMOTE_AUTH_ENABLED', 'False').lower() == 'true'
REMOTE_AUTH_BACKEND = environ.get('REMOTE_AUTH_BACKEND', 'netbox.authentication.RemoteUserBackend')
REMOTE_AUTH_AUTO_CREATE_USER = environ.get('REMOTE_AUTH_AUTO_CREATE_USER', 'True').lower() == 'true'

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.company.com',

        # Populates the Issuer element in the authn request, e.g. defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.conpany.com/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://mycorp.okta.com/app/sadjfalkdsflkads/sso/saml/metadata",
        # or local file path
        # 'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',
    }
}

Environment:

REMOTE_AUTH_AUTO_CREATE_USER=True
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=netbox.authentication.RemoteUserBackend

I do not know that much about SAML2 and I'm trying to prepare the docker container for some colleagues, so that they can set up authentication via ADFS. I already invested many hours to get all the modules, the additional and the redirection right.

At the moment I'm lost.

jeremyschulman commented 3 years ago

Hi @matwei,

You would need to change the METADATA_AUTO_CONF_URL value to the one that is specific to your SSO system. For reference with Okta, here is a community post: https://support.okta.com/help/s/question/0D51Y00006RYxje/with-okta-admin-changes-how-do-i-find-identity-provider-metadata-url?language=en_US

I am not familiar with ADFS, but I suspect they might have something similar. If not, you could alternatively download the XML data file from ADFS (I would presume support) and use the METADATA_LOCAL_FILE_PATH variable to point to that file on your docker container.

Hope this helps.

matwei commented 3 years ago

I had already set up the plugin with a plain (no Docker) Netbox and there my browser got a redirect to the URL in METADATA_AUTO_CONF_URL.

What confuses me is that I'm getting an error message instead of the redirect in the Netbox Docker.

matwei commented 3 years ago

Sorry, my fault. I've found out what happened, the problem was due to my poor understanding of SAML2.

When I used the working setup I had been given a correct metadata URL, leading to the ADFS server in our company, from a colleague. At home, when I was reproducing Netbox Docker with the SAML2 plugin, I had only used the sample metadata URL.

Today I captured all traffic of the Netbox Docker instance and saw that it was connecting to the METADATA_AUTO_CONF_URL right after startup and didn't get the metadata.

What wasn't clear to me until today is that the metadata is not the redirect URL, but the resource used to generate the redirect URL when the browser comes to the login page.
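The startup fetch described above is easy to check before pointing the plugin at a URL. The following is an added example, not code from netbox-plugin-auth-saml2 or django3-auth-saml2: it fetches what the plugin would read from METADATA_AUTO_CONF_URL and verifies that the body is IdP metadata carrying an HTTP-Redirect SingleSignOnService (the source of the redirect URL) and a signing certificate. The function names and the inline sample metadata are constructed; only the SAML namespace and binding URIs are real.

```python
"""Preflight check for a SAML2 IdP metadata URL (added example, constructed names)."""
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs from IdP metadata: entityID, redirect SSO URL, signing cert."""
    root = ET.fromstring(xml_text)  # parse metadata from untrusted sources with defusedxml instead
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (a login page, perhaps?)")
    sso_url = None
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        if sso.get("Binding") == REDIRECT_BINDING:
            sso_url = sso.get("Location")  # the plugin builds its login redirect from this
    if not sso_url:
        raise ValueError("no SingleSignOnService with HTTP-Redirect binding")
    cert = idp.find(f".//{{{DS_NS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "cert": cert.text.strip()}


def looks_like_idp_metadata(text: str) -> bool:
    """True only if the body parses as usable IdP metadata."""
    try:
        parse_idp_metadata(text)
        return True
    except (ET.ParseError, ValueError):
        return False


def check_metadata_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch the URL as the plugin does at startup; network/HTTP errors propagate."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_idp_metadata(resp.read().decode("utf-8"))


# Constructed sample, shaped like what an ADFS metadata endpoint returns.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS_NS}"><X509Data>
      <X509Certificate>MIIC...constructed-placeholder...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.invalid/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
```

Run `check_metadata_url(<your METADATA_AUTO_CONF_URL>)` from inside the container; a DNS, TLS or HTTP failure, or a body that is a sign-in page rather than metadata, is what surfaces as SourceNotFound in the plugin.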