SAML2 error: Signature missing for assertion

[mp-strachan]

Hi all, I am trying to deploy this plugin, on top of the netbox-docker image.

I have got the plugin up and running, and I can click the login button (I am using the button during testing, not the proxy rewrite), and that successfully directs to our OneLogin domain. But after a successful authentication, I am directed back to a page (https://ipam.{{mydomain}}.cloud/sso/acs/) displaying the error "You do not have permission to access this page."

configuration.py

# Remote authentication support
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_AUTO_CREATE_USER = True

BANNER_LOGIN = '<a href="/api/plugins/sso/login" class="btn btn-primary btn-block">Login with SSO</a>'

PLUGINS = ["django3_saml2_nbplugin"]

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://ipam.{{mydomain}}.cloud',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://ipam.{{mydomain}}.cloud',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://app.onelogin.com/saml/metadata/e0edbafc-4444-4735-a98a-43rfg434f4f4",

    }
}

System is behind a Apache reverse proxy.

Apache.conf:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName ipam.{{mydomain}}.cloud
    Redirect permanent / https://ipam.{{mydomain}}.cloud/
</VirtualHost>

<VirtualHost *:443>
    ServerName ipam.{{mydomain}}.cloud

    RemoteIPHeader X-Real-IP
    Header add X-Forwarded-Proto "https"
    RequestHeader add X-Forwarded-Proto "https"

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Off

    ProxyPass '/' 'http://192.168.10.41:8000/'
    ProxyPassReverse '/' 'http://192.168.10.41:8000/'

    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ssl.cert
    SSLCertificateKeyFile /etc/httpd/ssl/ssl.key
    SSLCACertificateFile /etc/httpd/ssl/gdig2.crt.pem

    # Disabled for testing
    #<Location /login>
    #    ProxyPass http://192.168.10.41:8000/api/plugins/sso/login/
    #    ProxyPassReverse http://192.168.10.41:8000/api/plugins/sso/login/
    #</Location>

    <Location /sso>
        ProxyPass http://192.168.10.41:8000/api/plugins/sso/
        ProxyPassReverse http://192.168.10.41:8000/api/plugins/sso/
    </Location>

</VirtualHost>

In the docker logs, I see the following errors:

Signature Error: Signature missing for assertion
XML parse error: Signature missing for assertion
SAML2 error: Signature missing for assertion
Forbidden (Permission denied): /api/plugins/sso/acs/
Traceback (most recent call last):
  File "/opt/netbox/venv/lib/python3.9/site-packages/django3_auth_saml2/views.py", line 85, in sso_acs
    authn_response = saml_client.parse_authn_request_response(
  File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/client_base.py", line 811, in parse_authn_request_response
    resp = self._parse_response(
  File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/entity.py", line 1507, in _parse_response
    response.verify(keys)
  File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/response.py", line 1046, in verify
    if self.parse_assertion(keys):
  File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/response.py", line 932, in parse_assertion
    if not self._assertion(assertion, False):
  File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/response.py", line 790, in _assertion
    raise SignatureError("Signature missing for assertion")
saml2.sigver.SignatureError: Signature missing for assertion

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/netbox/venv/lib/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/netbox/venv/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/netbox/venv/lib/python3.9/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.9/site-packages/django3_auth_saml2/views.py", line 98, in sso_acs
    raise PermissionDenied(errmsg)
django.core.exceptions.PermissionDenied: SAML2 error: Signature missing for assertion

OneLogin Configuration

Application details

• RelayState: [blank]

• Audience (EntityID): https://ipam.{{mydomain}}.cloud/

• Recipient: [blank]

• ACS (Consumer) URL Validator: https://ipam.{{mydomain}}.cloud/sso/acs/

• ACS (Consumer) URL: https://ipam.{{mydomain}}.cloud/sso/acs/

• Single Logout URL: [blank]

• Login URL: https://ipam.{{mydomain}}.cloud/login

• SAML not valid before: 3min (default)

• SAML not valid on or after: 3min (default)

• SAML initiator: OneLogin (default)

• SAML nameID format: Email (default)

• SAML issuer type: Specific (default)

• SAML signature element: Response (default)

• Encrypt assertion: [unticked] (default)

• SAML encryption method: TRIPLEDES-CDC (default)

• Send NameID Format in SLO Request: [unticked] (default)

• Generate AttributeValue tag for empty values: [unticked] (default)

• SAML sessionNotOnOrAfter: 1440min (default)

• Sign SLO Request: [unticked] (default)

• Sign SLO Response: [unticked] (default)

SSO Configuration

• X.509 Certificate: Standard Strength (2048-bit)
• SAML Signature Algorithm: SHA-256

I've tried a variety of different configurations, but I don't seem to be able to get passed this issue.

Any assistance would be greatly appreciated!!

[mp-strachan]

Resolved this with the following config:

configuration.py

# Remote authentication support
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2AttrUserBackend'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'

PLUGINS = ["django3_saml2_nbplugin"]

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        # Use different Name ID format
        'NAME_ID_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://ipam.{{mydomain}}.cloud/',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://ipam.{{mydomain}}.cloud/',

        # Metadata is required, choose either remote url
       'METADATA_AUTO_CONF_URL': "https://app.onelogin.com/saml/metadata/e0edbafc-4444-4735-a98a-43rfg434f4f4",
    }
}

OneLogin

Application details

• Recipient: https://ipam.{{mydomain}}.cloud/
• SAML nameID format: Transient
• SAML signature element: Both
• Sign SLO Request: [ticked]
• Sign SLO Response: [ticked]

Parameters

• NameID Value - Email
• email - Include in assertion - Email
• first_name - Include in assertion - First Name
• last_name - Include in assertion - Last Name
• group - Include in assertion - MemberOf

It's important to pay close attention to trailing slashes!!

All other values were as per above message: https://github.com/jeremyschulman/netbox-plugin-auth-saml2/issues/62#issue-1305608952