jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

'NoneType' object has no attribute 'require_signature' #24

Closed rnikoopour closed 3 years ago

rnikoopour commented 3 years ago

Issue

I've been configuring netbox-docker with this plugin. I've managed to get around some of the architectural changes you mentioned in #23.

When visiting the netbox sso login, I'm redirected to my IDP. My IDP then redirects me back to netbox which returns the error below.

I was initially using the PyPI distribution of this package. I removed that and installed the plugin from the repo at master. Both versions behaved in the same manner.

Error

```
netbox_1         | Internal Server Error: /api/plugins/sso/acs/
netbox_1         | Traceback (most recent call last):
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
netbox_1         |     response = get_response(request)
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/django/core/handlers/base.py", line 179, in _get_response
netbox_1         |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
netbox_1         |     return view_func(*args, **kwargs)
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/django3_auth_saml2/views.py", line 85, in sso_acs
netbox_1         |     authn_response = saml_client.parse_authn_request_response(
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/saml2/client_base.py", line 712, in parse_authn_request_response
netbox_1         |     resp = self._parse_response(xmlstr, AuthnResponse,
netbox_1         |   File "/opt/netbox/venv/lib/python3.8/site-packages/saml2/entity.py", line 1210, in _parse_response
netbox_1         |     response.require_signature = require_signature
netbox_1         | AttributeError: 'NoneType' object has no attribute 'require_signature'
```

Versions

jeremyschulman commented 3 years ago

@rnikoopour - thank you for the issue report. I believe there have been changes in the 2.10 release that are causing this issue. Meaning this plugin would need to be updated to support the 2.10 changes. I am not currently running 2.10, but I expect to upgrade in the near term.

If you would like to make the attempt to update this plugin for 2.10 I would accept the PR.

rnikoopour commented 3 years ago

If I can find the cycles I'll see what I can do.

Would downgrading to NetBox 2.8 be a viable solution for leveraging your plugin in the interim?

jeremyschulman commented 3 years ago

@rnikoopour - yes, I am using 2.8.5 presently.

jeremyschulman commented 3 years ago

Closing this issue due to the lack of 2.10 support. I created #26 if you'd like to subscribe to know when it is supported.

tomasaberg commented 3 years ago

Hi!

For information, I have 2.10.5 and received this issue but I was able to fix it and can now login using Okta.

I deploy Netbox with Ansible, not Docker, though it should work similarly.

@rnikoopour this is my working config:

(Note: I'm fooling around with http only at the moment, I will start using https when I've figured out some things in the deploy process)

configuration.py

```python
# Remote authentication support
REMOTE_AUTH_ENABLED = True
#REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
[...]
ALLOWED_HOSTS = ['netbox-dev.company.com', '<IP>']

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = ['django3_saml2_nbplugin']
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': "http://netbox-dev.company.com",
        # Populates the Issuer element in the authn request, e.g. defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': "http://netbox-dev.company.com",
        # Metadata is required, choose either remote url or local file path
        'METADATA_AUTO_CONF_URL': "https://company.okta.com/app/blablabla/sso/saml/metadata"
    }
}
```

nginx.conf

```nginx
server {
#    listen 443 ssl;
    listen 80;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name "netbox-dev.company.com";

#    ssl_certificate /etc/ssl/certs/netbox.crt;
#    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /login/ {
        proxy_pass "http://netbox-dev.company.com:8001/api/plugins/sso/login/";
    }

    location /sso/ {
        proxy_pass "http://netbox-dev.company.com:8001/api/plugins/sso/";  # Must have a trailing slash to strip the original path
    }
}

#server {
#    # Redirect HTTP traffic to HTTPS
#    listen 80;
#    server_name _;
#    return 301 https://$host$request_uri;
#}
```

Okta settings

**General**

| Setting | Value |
| --- | --- |
| Single Sign On URL | http://netbox-dev.company.com/sso/acs/ |
| Recipient URL | http://netbox-dev.company.com/sso/acs/ |
| Destination URL | http://netbox-dev.company.com/sso/acs/ |
| Audience Restriction | http://netbox-dev.company.com |
| Default Relay State | |
| Name ID Format | Unspecified |
| Response | Signed |
| Assertion Signature | Signed |
| Signature Algorithm | RSA_SHA256 |
| Digest Algorithm | SHA256 |
| Assertion Encryption | Unencrypted |
| SAML Single Logout | Disabled |
| authnContextClassRef | PasswordProtectedTransport |
| Honor Force Authentication | Yes |
| Assertion Inline Hook | None (disabled) |
| SAML Issuer ID | http://www.okta.com/${org.externalKey} |

This might not work for you, but I thought I could give some pointers. What doesn't work for me is the CUSTOM_ATTR_BACKEND (#25).
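As an added example (not code from this plugin or from pysaml2), the script below checks a captured SAML Response against the values the working config above relies on: the Okta Single Sign On / Recipient / Destination URL must equal the SP's ACS URL, the Audience must equal the plugin's ENTITY_ID, and both the Response and the Assertion must carry a signature element, as the Okta settings specify. The sample Response is constructed; the signature check here only tests for the element's presence, not its cryptographic validity.

```python
"""Consistency check of a SAML Response against the SP's expected values (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed minimal Response, shaped like what the IdP POSTs to the ACS endpoint.
# The ds:Signature elements are placeholders; only their presence is checked here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="http://netbox-dev.company.com/sso/acs/" InResponseTo="id-123">
  <ds:Signature/>
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="http://netbox-dev.company.com/sso/acs/"
        InResponseTo="id-123"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>http://netbox-dev.company.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url, entity_id):
    """Return the list of mismatches between the Response and the SP's ACS URL / entity ID."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the exact ACS URL, scheme included (http vs https matters).
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {acs_url!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match ACS URL")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {entity_id!r}")
    return problems
```

Run it against a Response captured from the browser's POST to `/sso/acs/` (base64-decoded) with the ACS URL and ENTITY_ID from your configuration; an empty list means the URL-level settings agree.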