jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

SAML sync doesn't assign status #66

Open F3d0s opened 1 year ago

F3d0s commented 1 year ago

Fairly new to netbox and django3_saml2_nbplugin. I've got SAML working; however, when a specific account is in the netbox-operator group first and is then assigned to netbox-admins, the Staff status and Superuser status are not set automatically when synced.

On my Test account, I removed the Azure groups netbox-operator and netbox-admins, also removed the (Test) account in NetBox Administration -> Users, and re-added the account to the Azure groups.

After logging back in to Netbox via SSO with my Test account, the netbox-admins Azure group should apply Staff status and Superuser status to the account, but this did not happen. The account appears to be Active but has no Status and no Groups assigned.


Does anyone have any clue why this is happening?

jclbc commented 1 year ago

hello, could you share your configuration file?

F3d0s commented 1 year ago

> hello, could you share your configuration file?

Hi,

Sure, this is the plugin configuration:

```python
# Remote authentication support
REMOTE_AUTH_ENABLED = True
#REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = ['django3_saml2_nbplugin']
#PLUGINS = []

# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        'ASSERTION_URL': 'https://dcimtest.server.cloud/api/plugins',
        'ENTITY_ID': 'https://dcimtest.server.cloud/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://login.microsoftonline.com/6d3fc077-0dff-####-####-44341fb2f###/federationmetadata/2007-06/federationmetadata.xml?appid=94b90929-####-497a-####-229cc###263b",
        # or local file path
        # 'METADATA_LOCAL_FILE_PATH': '/opt/netbox/DCIM.xml',

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # Attribute containing the username. Optional.
            "USERNAME_ATTR": "name",
            # Attribute containing the user's email. Optional.
            "MAIL_ATTR": "emailAddress",
            # Attribute containing the user's first name. Optional.
            "FIRST_NAME_ATTR": "givenName",
            # Attribute containing the user's last name. Optional.
            "LAST_NAME_ATTR": "surname",
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': True,
            # Attribute that contains groups. Optional.
            #'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff': 'dff13f8f-2167-####-bd7e-6a17574cc###', # sec-access-DCIM-operator group
                'is_superuser': 'c273533e-####-4dc7-98d3-09841d1eb###' # sec-access-DCIM-admins group
            },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'd51a17ec-####-####-####-c9696a30efbf': 'DCIM-readonly',
                'dff13f8f-####-####-####-6a17574cce00': 'DCIM-operator',
                '0a310d41-####-####-####-d0c3a656ed5c': 'DCIM-tenant-admins',
                '5fafd340-####-####-####-2d2a9655141a': 'DCIM-SOC'
            }
        }
    }
}
```
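As an added example, not code from the plugin or from the poster, the following resolver shows how settings shaped like the `CUSTOM_ATTR_BACKEND` dict above (`GROUP_ATTR`, `FLAGS_BY_GROUP`, `GROUP_MAPPINGS`) can be turned into NetBox flags and group names on each login. The group IDs, the attribute dict and the `resolve` function are constructed for illustration; how the real backend evaluates these keys is an assumption here. The example covers three cases a practitioner will want to check: a member of the admins group, a user removed from that group (the flag must be recomputed so stale superuser rights are dropped), and a configuration in which the group attribute is not set at all, which yields no flags and no groups.

```python
"""Added example (assumption, not the plugin's own implementation):
derive user flags and NetBox group memberships from a SAML group claim."""

from dataclasses import dataclass, field

# Constructed group object IDs standing in for the masked Azure AD IDs above.
ADMINS_GROUP = "00000000-0000-0000-0000-00000000000a"
OPERATOR_GROUP = "00000000-0000-0000-0000-00000000000b"
READONLY_GROUP = "00000000-0000-0000-0000-00000000000c"

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Same keys as CUSTOM_ATTR_BACKEND in the issue; GROUP_ATTR names the SAML
# attribute that carries the group claim.
CUSTOM_ATTR_BACKEND = {
    "GROUP_ATTR": GROUPS_CLAIM,
    "FLAGS_BY_GROUP": {
        "is_staff": OPERATOR_GROUP,
        "is_superuser": ADMINS_GROUP,
    },
    "GROUP_MAPPINGS": {
        READONLY_GROUP: "DCIM-readonly",
        OPERATOR_GROUP: "DCIM-operator",
    },
}


@dataclass
class ResolvedUser:
    """What the backend would write onto the Django user after login."""
    is_staff: bool = False
    is_superuser: bool = False
    groups: list = field(default_factory=list)


def resolve(saml_attrs, config):
    """Map SAML attributes (name -> list of values, as pysaml2 delivers them)
    to flags and group names using the config dict.

    Flags are recomputed from scratch on every call, so leaving a group
    clears the flag on the next login instead of leaving stale privileges.
    """
    result = ResolvedUser()
    group_attr = config.get("GROUP_ATTR")
    if not group_attr:
        # No group attribute configured: nothing to match, so the user is
        # created/updated with no flags and no group memberships.
        return result
    member_of = set(saml_attrs.get(group_attr, []))
    for flag, group_id in config.get("FLAGS_BY_GROUP", {}).items():
        if hasattr(result, flag):          # ignore unknown flag names
            setattr(result, flag, group_id in member_of)
    result.groups = sorted(
        name for gid, name in config.get("GROUP_MAPPINGS", {}).items()
        if gid in member_of
    )
    return result


def resolve_without_group_attr(saml_attrs, config):
    """Same resolution with GROUP_ATTR left unset, as in the posted config."""
    cfg = {k: v for k, v in config.items() if k != "GROUP_ATTR"}
    return resolve(saml_attrs, cfg)


# Constructed sample assertions for the three cases.
ADMIN_ATTRS = {GROUPS_CLAIM: [ADMINS_GROUP, OPERATOR_GROUP]}
DEMOTED_ATTRS = {GROUPS_CLAIM: [OPERATOR_GROUP]}

if __name__ == "__main__":
    print("admin:      ", resolve(ADMIN_ATTRS, CUSTOM_ATTR_BACKEND))
    print("demoted:    ", resolve(DEMOTED_ATTRS, CUSTOM_ATTR_BACKEND))
    print("no attr set:", resolve_without_group_attr(ADMIN_ATTRS, CUSTOM_ATTR_BACKEND))
```

Two things worth checking against a real login: whether the group attribute name in the config matches the attribute name actually present in the assertion (the Azure AD group claim arrives as a list of object IDs, so IDs in `FLAGS_BY_GROUP` and `GROUP_MAPPINGS` must match exactly), and whether the IdP included the claim at all, since an assertion without the attribute resolves the same way as an unset `GROUP_ATTR`: an active user with no flags and no groups.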