Plugin URLS not exposed

[weavel]

Hi,

I'm trying to integrate netbox with this plugin into SSO with Azure Active Directory however I'm running into some issues (aside from some corrections in the documentation). I'm on Netbox V2.10.6, django3-auth-saml2 0.2.0 and netbox-plugin-auth-saml2 2.3 for what I believe were the most recent versions.

Netbox returns 404 on the urls /plugins/sso/login/ or /sso/acs/ (the last one is to be expected as the Netbox docs state that no plugin can register URL's outside of the /plugins directory, correct me if I'm wrong).

It initiates the SP login if I call /api/plugins/sso/login however Azure returns the SAML-ticket to /sso/acs/ which returns 404. I tried changing the reply URL inside Azure to /api/plugins/sso/acs/ but the SAML-request sent from Netbox to Azure contains the original path for the ACS so Azure cannot validate it.

Here's my config (a bit redacted, all strings were valid):

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = ['django3_saml2_nbplugin']

# Remote authentication support
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.services.<redacted>.nl',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.services.<redacted>.nl',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "<redacted>",

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            ## Attribute that contains groups. Optional.
            #'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            ## Dict of user flags to groups.
            ## If the user is in the group then the flag will be set to True. Optional.
            #'FLAGS_BY_GROUP': {
            #    'is_staff': 'saml-group1',
            #    'is_superuser': 'saml-group2'
            #},
            ## Dict of SAML groups to NetBox groups. Optional.
            ## Groups must be created beforehand in NetBox.
            #'GROUP_MAPPINGS': {
            #    'saml-group3': 'netbox-group'
            #}
        }
    }
}

Note that for netbox V2.10 the REMOTE_AUTH_BACKEND string was changed to netbox.authentication.RemoteUserBackend contrary to what is says in README.MD. I'd be happy to do a pull request on that and write up a short guide on integrating into Azure in return. Also maybe we could mention that it's important to place the config block after the REMOTE_AUTH section as it caused me a bit of a headache ;-)

Thanks!

[jeremyschulman]

Hiya @weavel - did you happen to look at the sample nginx.conf file in the root directory? This shows how to map the URL endpoints in the manner I described. Hope this helps.

https://github.com/jeremyschulman/netbox-plugin-auth-saml2/blob/main/nginx.conf#L35

[weavel]

Hi! You are right, I did skip over that part, my fault entirely. I'll go ahead and close this. Thanks!

[weavel]

NB. I'd still be happy to write up that guide for AAD...

[pettcomputers]

NB. I'd still be happy to write up that guide for AAD...

Weavel, I'm not sure if this happened, but I'd be interested in seeing a guide for AAD. I've been asked to move from LDAP in Netbox to SSO.

[weavel]

Sure, I can probably make time for it this weekend. It’s not really difficult if you’ve integrated with SAML through AAD before. I’ve never had the groups portion really functional through AAD so I need to have a look. Probably because AAD passes the groupID as its identifier.

I’ll see if I can write-up a PR.

[pettcomputers]

Sure, I can probably make time for it this weekend. It’s not really difficult if you’ve integrated with SAML through AAD before. I’ve never had the groups portion really functional through AAD so I need to have a look. Probably because AAD passes the groupID as its identifier.

I’ll see if I can write-up a PR.

Awesome, I'd really appreciate it! Thank you again.

[pettcomputers]

@weavel Just following up and wanted to see if you had a chance to work on this any. Thanks!

[weavel]

Hi @pettcomputers, I’ve written up a concept of my guide. I’m not sure if I pushed this to my fork yet. I’ll look into pushing tomorrow so you can take a look at it.

Op do 10 jun. 2021 om 18:34 schreef pettcomputers @.***>

@weavel https://github.com/weavel Just following up and wanted to see if you had a chance to work on this any. Thanks!

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/jeremyschulman/netbox-plugin-auth-saml2/issues/31#issuecomment-858771581, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABCDYJWDW2FP4ENGKFIRNPLTSDSSVANCNFSM4Z6H3WIQ .

-- Met vriendelijke groet,

Rik van Tuijl

[pettcomputers]

Thanks, I appreciate it!

[weavel]

@pettcomputers See my draft here: https://github.com/weavel/netbox-plugin-auth-saml2/blob/50569514e179684c166dd00d51f91208a4e95196/AAD_Config.md

Perhaps I'll make time to finish this in the coming week.

[pettcomputers]

Thanks for this . I'm making some progress, I've got the Azure side setup and I have the plugin configured and the nginx rewrite for the sso/acs, i'm using the html button to get me the login with sso so I will keep local logins.

When I click login with sso, it takes me to MS and that auth completes and then takes me back to Netbox now with {"error": "SAML2: missing response", "exception": "PermissionDenied", "netbox_version": "2.10.3", "python_version": "3.6.5"} I checked the groups on the Netbox side, and I have one created called staff and it matches the one I created on the Azure side. Here are some snippets of my configuration.

Nginx section:

location /sso/acs/ { proxy_pass http://netboxdev.mysite.com/api/plugins/sso/acs/; }

Relevant Netbox config

Remote authentication support REMOTE_AUTH_ENABLED = True

REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER' REMOTE_AUTH_AUTO_CREATE_USER = True REMOTE_AUTH_DEFAULT_GROUPS = [] REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

Enable installed plugins. Add the name of each plugin to the list.

PLUGINS = ['django3_saml2_nbplugin']

Plugins Config

PLUGINS_CONFIG = { 'django3_saml2_nbplugin': { # Use the Netbox default remote backend 'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND, # Custom URL to validate incoming SAML requests against 'ASSERTION_URL': ' https://netboxdev.mysite.com', # Populates the Issuer element in authn request e.g defined as "Audience URI (SP Entity ID)" in SSO 'ENTITY_ID': ' https://netboxdev.mysite.com/', # Metadata is required, choose either remote url 'METADATA_AUTO_CONF_URL': "redacted, # Settings for SAML2CustomAttrUserBackend. Optional. 'CUSTOM_ATTR_BACKEND': { # Attribute containing the username. Optional. 'USERNAME_ATTR': ' http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', # Attribute containing the user's email. Optional. 'MAIL_ATTR': ' http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', # Attribute containing the user's first name. Optional. 'FIRST_NAME_ATTR': ' http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', # Attribute containing the user's last name. Optional. 'LAST_NAME_ATTR': ' http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', # Set to True to always update the user on logon # from SAML attributes on logon. Defaults to False. 'ALWAYS_UPDATE_USER': True, ## Attribute that contains groups. Optional. 'GROUP_ATTR': ' http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', ## Dict of user flags to groups. ## If the user is in the group then the flag will be set to True. Optional. 'FLAGS_BY_GROUP': { 'is_staff': 'Staff', 'is_superuser': 'Datacenter Engineers' }, ## Dict of SAML groups to NetBox groups. Optional. ## Groups must be created beforehand in NetBox. 'GROUP_MAPPINGS': { '99fad61e-bfc3-4720-9982-a1f07e0831c1': 'staff' } }

On Fri, Jun 11, 2021 at 10:14 AM Rik van T @.***> wrote:

@pettcomputers https://github.com/pettcomputers See my draft here: https://github.com/weavel/netbox-plugin-auth-saml2/blob/50569514e179684c166dd00d51f91208a4e95196/AAD_Config.md

Perhaps I'll make time to finish this in the coming week.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jeremyschulman/netbox-plugin-auth-saml2/issues/31#issuecomment-859652251, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE5ZP2JIGTK5YBYNH7WUOULTSIR6FANCNFSM4Z6H3WIQ .