jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2
119 stars 23 forks source link

ADFS: fail to find attributs ('NoneType' object has no attribute 'text') #67

Open jclbc opened 1 year ago

jclbc commented 1 year ago

Hello, I'm runing Netbox v3.4.1 (could you please confirm this version is ok?)

ADFS authentication fails with this error:

AttributeError at /api/plugins/sso/acs/ 'NoneType' object has no attribute 'text' Request Method: POST Request URL: https://netbox.mycompany.local/api/plugins/sso/acs/ Django Version: 4.1.4 Exception Type: AttributeError Exception Value:
'NoneType' object has no attribute 'text' Exception Location: /opt/netbox-3.4.1/venv/lib/python3.8/site-packages/django3_auth_saml2/views.py, line 106, in sso_acs Raised during: django3_auth_saml2.views.sso_acs Python Executable: /opt/netbox-3.4.1/venv/bin/python3 Python Version: 3.8.10 Python Path:
['/opt/netbox/netbox', '/opt/netbox-3.4.1', '/opt/netbox-3.4.1/venv/bin', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/usr/lib/python3.8/lib-dynload', '/opt/netbox-3.4.1/venv/lib/python3.8/site-packages'] Server time: Thu, 02 Mar 2023 09:57:13 +0000

authn_response.parse_assertion() user_name = authn_response.name_id.text

It's look like it fails to parse saml response to find "name_id

here the SAML response (from ADFS debug):

{Subject}{SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"}{SubjectConfirmationData InResponseTo="id-H9j3h0AzzPt4XZHje" NotOnOrAfter="2023-02-24T15:30:48.629Z" Recipient="https://netbox.mycompany.local/sso/acs/" /}{/SubjectConfirmation}{/Subject} {Conditions NotBefore="2023-02-24T15:25:48.613Z" NotOnOrAfter="2023-02-24T16:25:48.613Z"} {AudienceRestriction}{Audience}https://netbox.mycompany.local/{/Audience}{/AudienceRestriction}{/Conditions} {AttributeStatement} {Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"}{AttributeValue}adm-jdoe@mycompany.fr{/AttributeValue}{/Attribute} {Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"}{AttributeValue}Julien{/AttributeValue}{/Attribute} {Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"}{AttributeValue}doe{/AttributeValue}{/Attribute} {Attribute Name="http://schemas.xmlsoap.org/claims/Group"} {AttributeValue}Utilisa. du domaine{/AttributeValue} {AttributeValue}G-NETBOX-ADM{/AttributeValue} {/Attribute}{/AttributeStatement}

my config file:

PLUGINS = ['django3_saml2_nbplugin'] REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' or (same result) REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'

REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER' REMOTE_AUTH_AUTO_CREATE_USER = True REMOTE_AUTH_DEFAULT_GROUPS = [] REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

PLUGINS_CONFIG = { 'django3_saml2_nbplugin': {

Use the Netbox default remote backend

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.mycompany.local',
        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.mycompany.local/',
        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://sts.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml",
        # or local file path
        #'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',
        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # See the note below about SAML attributes
            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.xmlsoap.org/claims/Group',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                 'is_staff': 'G-NETBOX-ADM',
                 'is_superuser': 'G-NETBOX-ADM'
                 },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'G-NETBOX-ADM': 'G-NETBOX-ADM'
                }
            }
       }
    }

thanks for your help! Julien

jclbc commented 1 year ago

add upn as name id in adfs claims