[Question] User not mapped to a group

[tomasaberg]

Hi!

I'm trying to configure the plugin to work with Okta. When a user login they're not assigned to a group so I bet something is odd with the mapping.

The Groups exists in Netbox

configuration.py

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = ['django3_saml2_nbplugin']
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': "{{ okta_assertion_url }}",
        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': "{{ okta_entity_id }}",
        # Metadata is required, choose either remote url or local file path
        'METADATA_AUTO_CONF_URL': "{{ okta_metadata_url }}",

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's email. Optional.
             'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's first name. Optional.
             'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': True,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            #'FLAGS_BY_GROUP': {
            #    'is_staff': 'dynamic.service.operations.netbox.reader',
            #    'is_superuser': 'dynamic.service.operations.netbox.admin'
             #},
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                #'saml-group': 'netbox-group'
                'dynamic.service.okta.netbox.admin':'dynamic.service.operations.netbox.admin',
                'dynamic.service.okta.netbox.reader':'dynamic.service.operations.netbox.reader'
            }
        }
    }
}

SAML Settings in Okta

local_requirements.txt

psycopg2==2.8.6
django-storages==1.11.1
django3-auth-saml2==0.2.0
netbox-plugin-auth-saml2==2.3

One thing I find odd is that Netbox lists this plugin as version 2.0, is that expected?

Edit 2021-06-16: I've updated this post with our working config.

If I would do this again I wouldn't use the URLs as identified but now it works and I don't feel like changing it right now :). If you're using our config it's important that the attribute statement in Okta is set to URI.

[sota0113]

+1. I am facing same problem.

[tomasaberg]

+1. I am facing same problem.

Is your configuration similar to mine?

[sota0113]

Almost same. Metadata is configured with xml file and group attribute filter on Okta is configured with regex ".*" in my environment.

[tomasaberg]

Almost same. Metadata is configured with xml file and group attribute filter on Okta is configured with regex ".*" in my environment.

We got it to work by changing REMOTE_AUTH_BACKEND = django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend

We also changed to use the predefined values in the config example

[sota0113]

@tomasaberg It works for me, too.

REMOTE_AUTH_BACKEND = django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend

But still struggling to get groups. My Okta config works for Jenkins SAML, but not for Netbox SAML. Anyway, thank you for sharing workaround.

[tomasaberg]

The config i shared maps the groups for me. just to make sure, you have created the groups in Netbox, right?

I upgraded to Netbox 2.11.0

[sota0113]

Oh yes, my bad. I have not created any groups on Netbox, and now it is working! Thank you for everything!

[tdrevvatne]

Had same issues - this solves everything...... Change From: REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' To: REMOTE_AUTH_BACKEND = django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend

[pentiumoverdrive]

Phew, thanks REMOTE_AUTH_BACKEND = django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend made stuff work for me better as well (using Azure AD) :)

[rajandtonic]

@pentiumoverdrive would you be able to provide your working config files (redacted ofc) for Azure AD? Trying to set up an instance on my end and running into a "Not for me" error with both remote auth backends - wanted to sanity check my configuration. Cheers

[pentiumoverdrive]

@pentiumoverdrive would you be able to provide your working config files (redacted ofc) for Azure AD? Trying to set up an instance on my end and running into a "Not for me" error with both remote auth backends - wanted to sanity check my configuration. Cheers

I had to create an nginx container to put in front of netbox using the config from this repo, otherwise the login through Azure Enterprise App with app proxy go bananas. I could not add these re-directs from azure application proxy.

I put all my conf in extra.py, this is the azure ad sso mapping I use from the end of the config:

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'
REMOTE_AUTH_AUTO_CREATE_USER = True

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        'ASSERTION_URL': 'https://ipam.myevilmegacorp.org',
        'ENTITY_ID': 'https://ipam.myevilmegacorp.org',

        'METADATA_AUTO_CONF_URL': "https://login.microsoftonline.com/<tenantid>/federationmetadata/2007-06/federationmetadata.xml?appid=<some_app_id>",

        'CUSTOM_ATTR_BACKEND': {
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',        
            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',  
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            'ALWAYS_UPDATE_USER': True,
            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            'FLAGS_BY_GROUP': {
                'is_staff': 'e4f4f130-uuid-stuff-format-here-from-azure-ad-group',
                'is_superuser': 'e4f4f110-uuid-stuff-format-here-from-azure-ad-group'
            },
            'GROUP_MAPPINGS': {
                'a4f4f110-uuid-stuff-format-here-from-azure-ad-group': 'ReadOnly-group-created-inside-netbox'
            }
        }
    }
}

[rajandtonic]

Thanks very much for that - have got it all working now with groups being properly assigned. Just superuser access left but will monkey around with that later!

Edit: Got that working too - turns out is_staff needs to be set as well as is_superuser for the ID you want to elevate in the flags by group for you to be able to access superuser level perms

[jeremyschulman]

I believe it is safe to close this issue as I believe folks have gotten assistance from the community and have a working system. Marking this to close in next 60 days.