search

jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2
120 stars 21 forks source link

Cannot get the plugin to work #7

Closed barmalej1 closed 4 years ago

barmalej1 commented 4 years ago

I followed the instructions and Netbox seems to be working. When I browse to /plugins/sso/login/, I get "page not found". I tried /api/plugins/sso/login/ and got:

<class 'saml2.sigver.SigverError'>

Cannot find ['xmlsec1']

xmlsec1 is already installed. Any ideas how to get this to work?

log1cb0mb commented 4 years ago

May be try installing xmlsec1-openssl as well.

barmalej1 commented 4 years ago

Sorry had a brain fart - I was running Netbox in a docker container, but installed xmlsec on the host... I am trying to configure SSO with Azure AD. When I enter https://domain.com/api/plugins/sso/login/ it redirects me to login.microsoftonline.com but then I get XML error in the SAML message. Also I noticed Assertion URL appears in the SAML request as https://domain.com/sso/acs/. I tried this URL as well as https://domain.com/api/sso/acs/ and got 404. Only https://domain.com/api/plugins/sso/acs/ seems to be working (I get 403). Am I doing anything wrong?

log1cb0mb commented 4 years ago

Try these: SSO/Recipient/Destination URL: https://netbox.company.com/sso/acs/ While Audience URI (SP Entity ID) which basically reflects to Entity ID parameter in plugin config and Assertion URL : https://netbox.company.com/

Please note that the parameters names are from OKTA, I am not entirely sure how those are named exactly in Azure AD but that you can verify.

barmalej1 commented 4 years ago

I figured out what Azure didn't like:

in AuthnRequest. If I change it to

`Assertion URL` SSO works. `Assertion URL` is basically `https://netbox.company.com`. Is it possible to update the plugin?
jeremyschulman commented 4 years ago

@barmalej1 - Apologies for the delay responding. If you have not already determined a solution:

I believe your question is related to the https://github.com/jeremyschulman/django3-auth-saml2 package, and how the SAML2 packets are processed in https://github.com/jeremyschulman/django3-auth-saml2/blob/master/django3_auth_saml2/views.py. I hope my assumption is correct; if so, then the relevant line in the code that sets the value Azure did not like is here: https://github.com/jeremyschulman/django3-auth-saml2/blob/master/django3_auth_saml2/views.py#L243

In order to use the value that works from your testing, you would need to set the NAME_ID_FORMAT in the 

SAML2_AUTH_CONFIG = {
    # change the Format to what Azure needs
    'NAME_ID_FORMAT': "urn:oasis:names:tc:SAML:2.0:assertion", 

    # Using default remote backend
    'AUTHENTICATION_BACKEND': 'django.contrib.auth.backends.RemoteUserBackend',

    # Metadata is required, choose either remote url or local file path
    'METADATA_AUTO_CONF_URL': "https://mycorp.oktapreview.com/app/sadjfalkdsflkads/sso/saml/metadata"
}

Please give this a try and share your findings.

barmalej1 commented 4 years ago

I figured it out! I just needed to add ENTITY_ID in configuration.py, default NAME_ID_FORMAT worked fine.

log1cb0mb commented 4 years ago

I figured it out! I just needed to add ENTITY_ID in configuration.py, default NAME_ID_FORMAT worked fine.

Yes, you were supposed to define that and that is what causes 403 error as either mismatch in ENTITY_ID on both ends or not defined on django app side.

jeremyschulman commented 4 years ago

sounds like all is good now. thank you again @mrrobottt443 for assigning @barmalej1.

closing.