jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

Groups from Azure AD #71

Closed PVM-NL closed 1 year ago

PVM-NL commented 1 year ago

Hi,

I managed to get the plugin running, but I'm facing another issue; I'm not sure if it is a configuration issue or anything. The problem is that the app isn't getting the group linked to NetBox, as the user should be in the mentioned group on Azure AD.

See NetBox screenshots: [screenshots not included]

See Azure AD screenshots: [screenshots not included]

I will post the entire configuration so others can take advantage of it as well, btw. Linux dependencies (workaround, as with pip you get an error): apt install xmlsec1

local_requirements:

django3-auth-saml2
netbox-plugin-auth-saml2
pysaml2
netbox-device-view
netbox-topology-views

configuration.py

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = [
    'django3_saml2_nbplugin',
    'netbox_device_view',
    'netbox_topology_views',
]

# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
# PLUGINS_CONFIG = {
#     'my_plugin': {
#         'foo': 'bar',
#         'buzz': 'bazz'
#     }
# }
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.test.local',

        # Populates the Issuer element in the authn request, e.g. defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.test.local/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://login.microsoftonline.com/xxxxx",
        # or local file path
        #'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # See the note below about SAML attributes

            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'name',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'emailAddress',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'givenName',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'surName',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'groups',
            # Attribute that contains roles. Optional.
            'ROLE_ATTR': 'role',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff': 'saml-group1',
                'is_superuser': 'IDNUMBER'
            },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'IDNUMBER': 'GRP-FULL'
            }
        }
    },
    'netbox_topology_views': {
        # Missing closing quote and comma in the original; fixed so configuration.py parses
        'static_image_directory': 'netbox_topology_views/img',
        'allow_coordinates_saving': True,
        'draw_default_layout': True,
        'draw_interface_name': True,
    },
    # Key must match the module name listed in PLUGINS (underscore, not hyphen)
    'netbox_device_view': {
        'show_on_device_tab': True,
    },
}

BANNER_LOGIN = '<a href="/api/plugins/sso/login" class="btn btn-primary btn-block">Login with SSO</a>'

nginx:

map $http_x_forwarded_proto $thescheme {
    default $scheme;
    https https;
}

server {
    # listen 80;
    # listen [::]:80;
    listen [::]:443 ssl ipv6only=off;
    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.perfettivanmelle.local;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $thescheme;
    add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
    }
#    location /login/ {
#        proxy_pass http://127.0.0.1:8001/api/plugins/sso/login/;
#    }
    location /sso/ {
        proxy_pass http://127.0.0.1:8001/api/plugins/sso/;
    }
}

server {
# Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    return 301 https://$host$request_uri;
}
markkuleinio commented 1 year ago

        # Attribute that contains groups. Optional.
        'GROUP_ATTR': 'groups',

Try setting this to the full claim name (the URL-looking string in your image). I see I have used these successfully at some point:

        "CUSTOM_ATTR_BACKEND": {
            "USERNAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "MAIL_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "FIRST_NAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            "LAST_NAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
            "ALWAYS_UPDATE_USER": True,
            "GROUP_ATTR": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",

Update: maybe this is a better source: https://github.com/jeremyschulman/django3-auth-saml2/issues/12#issuecomment-985310213

PVM-NL commented 1 year ago

Changed but getting the following: [screenshots not included]

markkuleinio commented 1 year ago

Sorry about the mess, I should have deleted the whole comment (but I won't now).

See the comment that I linked.

PVM-NL commented 1 year ago

I changed it and also the Update to false, and write permissions are gone; as soon as I set it to true it fails.

            # Attribute containing the username. Optional.
            'USERNAME_ATTR': "name",
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': "emailAddress",
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': "givenName",
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': "surname",
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
            # Attribute that contains roles. Optional.

But still the groups won't come with.
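The thread turns on two exact-match conditions: the attribute name in GROUP_ATTR must equal the claim name the IdP sends, and the keys of GROUP_MAPPINGS and FLAGS_BY_GROUP must equal the values inside that claim. The following is an added illustration written for this issue, not the plugin's or django3-auth-saml2's own code: a simplified model of that lookup run against a constructed Azure AD attribute statement, where the group value is a constructed object ID (Azure AD emits the group object ID by default rather than the display name).

```python
# Added illustration of how a SAML attribute statement is matched against the
# CUSTOM_ATTR_BACKEND settings discussed in this issue. Simplified stand-in for
# the plugin's lookup, not its actual code.

# Constructed attribute statement in the shape pysaml2 hands to a backend:
# attribute name -> list of values. Azure AD sends full claim URIs and, by
# default, the group's object ID rather than its display name.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUP_OID = "11111111-2222-3333-4444-555555555555"  # constructed object ID
AZURE_ATTRS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["jdoe@example.test"],
    GROUPS_CLAIM: [GROUP_OID],
}

# Poster's first attempt: short attribute name that Azure AD never sends.
CONFIG_SHORT = {
    "GROUP_ATTR": "groups",
    "FLAGS_BY_GROUP": {"is_superuser": GROUP_OID},
    "GROUP_MAPPINGS": {GROUP_OID: "GRP-FULL"},
}

# Suggested fix from the thread: the full claim URI as the attribute name.
CONFIG_FULL = dict(CONFIG_SHORT, GROUP_ATTR=GROUPS_CLAIM)

# Right attribute name, but mapping keyed by a display name while the IdP
# sends object IDs: the second way the mapping silently yields nothing.
CONFIG_NAME_KEYS = dict(CONFIG_FULL, GROUP_MAPPINGS={"NetBox Admins": "GRP-FULL"},
                        FLAGS_BY_GROUP={})


def resolve_groups(attrs, config):
    """Return (netbox_groups, flags, unmatched) for one attribute statement.

    netbox_groups: NetBox group names the user would be added to.
    flags: each FLAGS_BY_GROUP flag -> whether its SAML group was present.
    unmatched: SAML group values with no GROUP_MAPPINGS entry (what to
    compare against your config when groups 'don't come with').
    """
    saml_groups = attrs.get(config["GROUP_ATTR"], [])
    mappings = config.get("GROUP_MAPPINGS", {})
    netbox_groups = sorted({mappings[g] for g in saml_groups if g in mappings})
    flags = {flag: group in saml_groups
             for flag, group in config.get("FLAGS_BY_GROUP", {}).items()}
    unmatched = [g for g in saml_groups if g not in mappings]
    return netbox_groups, flags, unmatched
```

Logging the keys of the attribute statement and the `unmatched` list on the first login is usually enough to tell which of the two mismatches you have.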