jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

Questions about CUSTOM_ATTR_BACKEND not working properly #75

Open bardwang opened 10 months ago

bardwang commented 10 months ago

Could anyone help me with this issue? My configuration for CUSTOM_ATTR_BACKEND doesn't work for some reason. Once I log in using SAML, the logged-in account doesn't have a first name, last name or groups.

This is my config for the SAML plugin.

PLUGINS = ["django3_saml2_nbplugin"]
REMOTE_AUTH_BACKEND = "netbox.authentication.RemoteUserBackend"

PLUGINS_CONFIG = {
    "django3_saml2_nbplugin": {
        # Use the Netbox default remote backend
        "AUTHENTICATION_BACKEND": REMOTE_AUTH_BACKEND,
        # Populates the Issuer element in the authn request, e.g. defined as "Audience URI (SP Entity ID)" in SSO
        "ENTITY_ID": "903188",
        # Custom URL to validate incoming SAML requests against
        "ASSERTION_URL": "https://localhost.test.com",
        # ACS URL
        # or local file path
        "METADATA_LOCAL_FILE_PATH": "/etc/netbox/config/saml2_uat.xml",
        # Settings for SAML2CustomAttrUserBackend. Optional.
        "CUSTOM_ATTR_BACKEND": {

            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'Email',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'Email',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'FirstName',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'LastName',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'Groups',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff': '2000004434',
                'is_superuser': '2000004434'
            },
        },
    }
}

This is the SAML response for Email, FirstName, LastName and Groups.

<saml:Attribute Name="Email">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >wang_xun@test.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstName">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Xun</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="LastName">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Wang</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Groups">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     > 2000004434 </saml:AttributeValue>
</saml:Attribute>

Does anyone know why all the fields in CUSTOM_ATTR_BACKEND don't work?

markkuleinio commented 10 months ago

REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend' ?

(also ensure that REMOTE_AUTH_BACKEND is not set later again in configuration.py)
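
Added example, not part of the original thread or the plugin's code: a small static check of a `configuration.py` for the two things the answer above points to, namely a `CUSTOM_ATTR_BACKEND` block paired with a different `REMOTE_AUTH_BACKEND`, and `REMOTE_AUTH_BACKEND` being assigned more than once. The function names and the sample input are constructed for illustration, and only string-literal assignments are considered.

```python
import ast

PLUGIN = "django3_saml2_nbplugin"
# Backend path as given in the answer above.
CUSTOM_BACKEND = "django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend"

def _assignments(tree, name):
    """Yield (lineno, value_node) for each top-level `name = ...`."""
    for node in tree.body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == name for t in node.targets):
            yield node.lineno, node.value

def _dict_get(node, key):
    """Return the value node stored under a string key of a dict literal."""
    if isinstance(node, ast.Dict):
        for k, v in zip(node.keys, node.values):
            if isinstance(k, ast.Constant) and k.value == key:
                return v
    return None

def audit(source):
    """Return a list of findings for a configuration.py source string."""
    tree = ast.parse(source)
    findings = []
    backends = [(ln, v.value) for ln, v in _assignments(tree, "REMOTE_AUTH_BACKEND")
                if isinstance(v, ast.Constant)]
    if len(backends) > 1:
        lines = ", ".join(str(ln) for ln, _ in backends)
        findings.append(f"REMOTE_AUTH_BACKEND assigned more than once (lines {lines}); the last one wins")
    effective = backends[-1][1] if backends else None
    plugin_cfg = None
    for _, value in _assignments(tree, "PLUGINS_CONFIG"):
        plugin_cfg = _dict_get(value, PLUGIN) or plugin_cfg
    if _dict_get(plugin_cfg, "CUSTOM_ATTR_BACKEND") is not None and effective != CUSTOM_BACKEND:
        findings.append(f"CUSTOM_ATTR_BACKEND is configured but REMOTE_AUTH_BACKEND is {effective!r}")
    return findings

# Constructed sample: the configuration from this issue, reduced to the relevant keys.
SAMPLE = '''
REMOTE_AUTH_BACKEND = "netbox.authentication.RemoteUserBackend"
PLUGINS_CONFIG = {
    "django3_saml2_nbplugin": {
        "AUTHENTICATION_BACKEND": REMOTE_AUTH_BACKEND,
        "CUSTOM_ATTR_BACKEND": {"GROUP_ATTR": "Groups"},
    }
}
'''
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```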

bardwang commented 10 months ago

> REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend' ?
>
> (also ensure that REMOTE_AUTH_BACKEND is not set later again in configuration.py)

Oh, it works. Thank you so much!

basht0p commented 5 months ago

> REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend' ?
>
> (also ensure that REMOTE_AUTH_BACKEND is not set later again in configuration.py)

This was such a legendary save. I figured it was correctly set since SAML was technically working, but it wouldn't recognize any of the group attributes. You are a godsend, my friend.