jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2
120 stars 21 forks

Custom REMOTE_AUTH_BACKEND #8

Closed barmalej1 closed 4 years ago

barmalej1 commented 4 years ago

The plugin works great, but the built-in authentication is too basic. I tried to modify backends.py and ran into a couple of issues:

  1. What is the correct way to modify REMOTE_AUTH_BACKEND? REMOTE_AUTH_BACKEND = '/etc/netbox/config/backends.py' didn't work as I got this: <class 'ModuleNotFoundError'> No module named '/etc/netbox/config/backends', yet the file was there

  2. Is it possible to process group claims so I could assign Netbox permissions in my SSO provider?

Thanks a lot for your help!

log1cb0mb commented 4 years ago

That is not how you are supposed to define the backend; that element basically points to the backend class name. In the instructions here, it's pointing to the default NetBox/Django backend utilities.auth_backends.RemoteUserBackend, which works but does not do any magic with the user profile (user additional details). And once the user is authenticated against SSO, that backend will create the user in the NetBox DB with the email address as login name and will not populate any other info under the user profile such as First/Last name etc.

This plugin itself provides two backend classes with different functions for configuring the user further:

1. SAML2DottedEmailUserBackend. This is a handy one: by default the username/login name will be the email address as mentioned, and this backend will help fill in further parameters under the user profile, such as the attributes you have defined under your SSO app which are returned in the SAML response (e.g. first_name, last_name and email).

2. SAML2AttrUserBackend. This one does more than fill in user profile attributes: it also creates the username as firstname.lastname instead of the email address. The problem with this backend class (with the current logic) is that if the user has a two-word first or last name, e.g. firstname: mary and lastname: Jane Watson, then when the user is authenticated it all works fine and the user is created as is.

BUT the issue is that there is a restriction on the NetBox side that does not allow saving a user profile with a space in either the first or last name. That is of course if you manually try to assign a group or perform a similar action directly in the NetBox admin.

I am personally using the first one which is perfect. Email address as username and user profile gets populated.

Also the way you define or call these backends in configuration.py is:

REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2DottedEmailUserBackend'

And regarding user permissions, currently the user can only be assigned to specific group(s) with the following parameter: REMOTE_AUTH_DEFAULT_GROUPS = ['default-okta-users'], and iirc the group you define here has to be created in the NetBox DB beforehand, since this plugin does not do anything with groups. I opened an issue that is probably related to this, #6.
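An added example, not code from netbox-plugin-auth-saml2 or NetBox, to make the two points in the comment above concrete. First, REMOTE_AUTH_BACKEND is resolved as a dotted 'package.module.ClassName' import path, which is why a filesystem path fails with ModuleNotFoundError and why a backends.py dropped into a config directory only becomes importable once that directory is on sys.path. Second, a custom backend that wants to honour IdP group claims (the group-permissions question) has to map them through an explicit allowlist of groups that already exist in NetBox, so that an arbitrary group name sent by the IdP can never turn into a privilege on its own. Django is not imported, so the file runs stand-alone; the SAML attribute names (groups, first_name, last_name, email), the group names in GROUP_MAP, SAMPLE_ATTRS and every function name here are assumptions for illustration, not the plugin's API.

```python
import importlib
import os
import re
import sys
import tempfile
import textwrap

# ---- 1. REMOTE_AUTH_BACKEND is a dotted import path, not a file path ----

def backend_path_problem(dotted_path):
    """Return None if dotted_path looks like 'module.Class', else a reason."""
    if "/" in dotted_path or dotted_path.endswith(".py"):
        return "looks like a filesystem path; use 'package.module.ClassName'"
    module_path, sep, class_name = dotted_path.rpartition(".")
    if not sep or not module_path or not class_name:
        return "must contain at least one dot separating module and class"
    return None


def resolve_backend(dotted_path):
    """Resolve 'pkg.module.ClassName' to a class, like Django's import_string()."""
    problem = backend_path_problem(dotted_path)
    if problem:
        raise ImportError(f"{dotted_path!r}: {problem}")
    module_path, _, class_name = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_path), class_name)


def load_backend_from_dir(directory, dotted_path):
    """Make a config directory importable, then resolve the backend.

    The same effect in configuration.py would be sys.path.insert(0,
    '/etc/netbox/config') followed by REMOTE_AUTH_BACKEND = 'backends.SAML2CustomClass'
    (assumed layout, not something the plugin documents).
    """
    if directory not in sys.path:
        sys.path.insert(0, directory)
    importlib.invalidate_caches()
    return resolve_backend(dotted_path)


def demo_resolve():
    """Write a throwaway backend module to a temp dir and resolve it by dotted path."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "backends_demo.py"), "w") as fh:
        fh.write(textwrap.dedent('''
            class SAML2CustomClass:
                """Stand-in for a RemoteUserBackend subclass (assumed name)."""
        '''))
    return load_backend_from_dir(directory, "backends_demo.SAML2CustomClass").__name__


# ---- 2. Mapping SAML claims to a NetBox user profile and groups ----

# Assumed attribute and group names; real values come from the IdP app config.
GROUP_CLAIM = "groups"
GROUP_MAP = {  # IdP group -> NetBox groups; every target must pre-exist in NetBox
    "okta-netbox-admins": {"netbox-admins"},
    "okta-netbox-readers": {"netbox-readonly"},
}
SUPERUSER_IDP_GROUPS = {"okta-netbox-admins"}   # only these may grant superuser
USERNAME_UNSAFE = re.compile(r"[^\w.@+-]")      # Django's default username charset


def _first(attributes, name, default=""):
    """SAML attribute values arrive as lists; take the first value, stripped."""
    values = attributes.get(name) or [default]
    return str(values[0]).strip()


def profile_from_claims(attributes, username_from="email"):
    """Build the fields a custom backend's configure_user() would set.

    username_from='email' mirrors an email-as-login policy; 'name' builds
    first.last, collapsing inner whitespace to dots so a last name such as
    'Jane Watson' cannot put a space into the login name.
    """
    first = _first(attributes, "first_name")
    last = _first(attributes, "last_name")
    email = _first(attributes, "email").lower()
    if username_from == "email":
        username = email
    else:
        username = USERNAME_UNSAFE.sub("", re.sub(r"\s+", ".", f"{first}.{last}").lower())
    claimed = attributes.get(GROUP_CLAIM, [])
    if isinstance(claimed, str):          # some IdPs send a single value as a string
        claimed = [claimed]
    groups = set()
    for idp_group in claimed:             # IdP groups absent from GROUP_MAP are ignored
        groups |= GROUP_MAP.get(idp_group, set())
    return {
        "username": username,
        "first_name": first,
        "last_name": last,
        "email": email,
        "groups": sorted(groups),
        "is_superuser": bool(SUPERUSER_IDP_GROUPS & set(claimed)),
    }


# Constructed SAML attribute dict in the list-valued shape pysaml2 delivers.
SAMPLE_ATTRS = {
    "email": ["Mary.Watson@example.com"],
    "first_name": ["Mary"],
    "last_name": ["Jane Watson"],
    "groups": ["okta-netbox-readers", "okta-everyone"],
}

if __name__ == "__main__":
    print(backend_path_problem("/etc/netbox/config/backends.py"))
    print(demo_resolve())
    print(profile_from_claims(SAMPLE_ATTRS))
    print(profile_from_claims(SAMPLE_ATTRS, username_from="name")["username"])
```

The allowlist direction matters: the mapping is keyed by IdP group, so "okta-everyone" in the sample yields nothing, and superuser is only derived from a separately named set rather than from any group whose name happens to contain "admin". In a real backend the returned dict would be applied to the Django user object and its groups inside configure_user().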

barmalej1 commented 4 years ago

How can I import a modified backend file?

log1cb0mb commented 4 years ago

How can I import a modified backend file?

Idk, create your own python package with "modified backend"

barmalej1 commented 4 years ago

I don't know much about Python and inherited containerized Netbox deployment which is hard to modify. Is it possible to drop the py file in a folder and import it in configuration.py, like I did with other modifications?

jeremyschulman commented 4 years ago

@barmalej1 - Apologies for the delay responding. Might I suggest we try a Zoom conference to work through your specific issues? The backend system does require a Python background to create your own customized implementations. Once I get an understanding of your environment/use-case I might be able to quickly create a solution for you and show you how you can customize it for yourself in the future.

If you are interested in doing a web-conf call, please let me know your timezone & availability.

log1cb0mb commented 4 years ago

@jeremyschulman @barmalej1 I would like to join that call as well. I am sure will learn a thing or two if okay with both of you.

barmalej1 commented 4 years ago

Sorry, had unrelated problems with Netbox... I actually figured it out. I modified Dockerfile-Plugins with the following:

RUN echo $' class SAML2CustomClass(RemoteUserBackend): --custom code here-- ' >> /usr/local/lib/python3.7/site-packages/django3_saml2_nbplugin/backends.py

and rebuild containers. Now I can use the custom class in configuration.py like this:

REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomClass'

Forgot to add that each line except the last has to be terminated with "\n\" and each single quote in the code escaped with "\":

RUN echo $'\n\ class SAML2CustomClass(RemoteUserBackend):\n\ --custom code here--\n\ ' >> /usr/local/lib/python3.7/site-packages/django3_saml2_nbplugin/backends.py

Works like a charm!

jeremyschulman commented 4 years ago

Very nice workaround.

jeremyschulman commented 4 years ago

Closing this issue; @barmalej1 Jul 23.