marcus-crane / netbox-plugin-azuread

A plugin that enables users to authenticate with Netbox using Azure Active Directory

groups don't map #3

Closed qxmips closed 2 years ago

qxmips commented 2 years ago

Hi Marcus, thank you for sharing this plugin! Great job.
It works for me, but when I log in with my user via the plugin it doesn't detect any groups, though I configured the mapping:

    'AD_GROUP_MAP': {
      'STAFF': ['NetBox_Users', 'netbox_super_users'],
      'SUPERUSER': ['netbox_super_users']
    }

Do you have any idea where to look? Should I do additional steps in the Azure portal?
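
As an added illustration of the mapping the issue is about (example code, not the plugin's own), this resolves NetBox flags from a decoded Azure AD token using an AD_GROUP_MAP like the one above, and separates the two cases that make the result come back empty: no `groups` claim at all (what an unset `groupMembershipClaims` in the app manifest produces) and the groups-overage case, where Azure AD replaces the list with a Microsoft Graph pointer that needs a Graph permission such as Directory.Read.All to follow. Helper names and the sample token payloads are constructed.

```python
# Added example, not plugin code. Names are hypothetical; payloads are constructed.

AD_GROUP_MAP = {
    "STAFF": ["NetBox_Users", "netbox_super_users"],
    "SUPERUSER": ["netbox_super_users"],
}


def resolve_group_flags(claims, group_map):
    """Return (status, flags) for a decoded ID-token payload.

    status: "ok"              -> groups claim present and mapped
            "no_groups_claim" -> token carries no groups at all (manifest
                                 groupMembershipClaims unset), nothing to map
            "overage"         -> too many groups; Azure AD emitted a Graph
                                 pointer (_claim_names/_claim_sources) instead
    Values are compared as exact strings, so the claim must carry group names
    (e.g. via the sam_account_name optional-claim properties for synced
    groups) or the map must list group object IDs, which is the default.
    """
    flags = {"is_staff": False, "is_superuser": False}
    groups = claims.get("groups")
    if groups is None:
        if "groups" in claims.get("_claim_names", {}):
            return "overage", flags
        return "no_groups_claim", flags
    member = set(groups)
    flags["is_staff"] = bool(member & set(group_map.get("STAFF", [])))
    flags["is_superuser"] = bool(member & set(group_map.get("SUPERUSER", [])))
    return "ok", flags


# Constructed sample payloads, trimmed to the claims that matter here.
TOKEN_WITH_GROUPS = {"preferred_username": "alice@example.com",
                     "groups": ["netbox_super_users"]}
TOKEN_NO_CLAIM = {"preferred_username": "bob@example.com"}
TOKEN_OVERAGE = {"preferred_username": "carol@example.com",
                 "_claim_names": {"groups": "src1"},
                 "_claim_sources": {"src1": {"endpoint": "<graph endpoint placeholder>"}}}

if __name__ == "__main__":
    for token in (TOKEN_WITH_GROUPS, TOKEN_NO_CLAIM, TOKEN_OVERAGE):
        print(token["preferred_username"], resolve_group_flags(token, AD_GROUP_MAP))
```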

marcus-crane commented 2 years ago

Hey there,

For starters, does the service principal you're using have the Directory.Read.All permission?

[Screenshot: Screen Shot 2021-10-07 at 2 00 14 PM]

In hindsight, I don't believe I've documented this aspect of setting up the plugin although it's a best effort thing as mentioned.

Today is actually the last day with my current employer so after today, I won't be working with Netbox but I'll have a look into setting up a developer account for debugging.

Anyway, let me know how you get on and if there's no luck, I'll try to provide some more avenues to look at

kbcz1989 commented 2 years ago

@qxmips Hello. I had the same problem, but with "API permissions" properly set, as in @marcus-crane's screenshot above, everything should be working ok.

Here is Terraform code for quickly creating a test app:

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
      version = "2.6.0"
    }
  }
}

provider "azuread" {
  # Configuration options
}

data "azuread_client_config" "current" {}

resource "azuread_application" "this" {
  display_name                   = "Netbox-SSO"
  owners                         = [data.azuread_client_config.current.object_id]
  sign_in_audience               = "AzureADMyOrg"
  fallback_public_client_enabled = false
  # Emit security-group memberships in tokens (the manifest's groupMembershipClaims)
  group_membership_claims        = ["SecurityGroup"]

  api {
  }

  web {
    redirect_uris = [
      "http://localhost:8000/plugins/azuread/complete/",
    ]
    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = true
    }
  }

  optional_claims {
    # For the groups claim, emit the on-prem sAMAccountName of synced groups
    # instead of the default group object ID
    access_token {
      additional_properties = [
        "netbios_domain_and_sam_account_name",
      ]
      essential = false
      name      = "groups"
    }
    # Preferred-language claims; unrelated to group mapping
    id_token {
      additional_properties = []
      essential             = false
      name                  = "xms_pl"
    }
    id_token {
      additional_properties = []
      essential             = false
      name                  = "xms_tpl"
    }
    id_token {
      additional_properties = [
        "netbios_domain_and_sam_account_name",
      ]
      essential = false
      name      = "groups"
    }
    saml2_token {
      additional_properties = [
        "netbios_domain_and_sam_account_name",
      ]
      essential = false
      name      = "groups"
    }
  }

  required_resource_access {
    # Microsoft Graph
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    # User.Read (delegated scope)
    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
      type = "Scope"
    }
    # Directory.Read.All (application role), the permission asked about above
    resource_access {
      id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
      type = "Role"
    }
  }

}

resource "azuread_service_principal" "this" {
  application_id = azuread_application.this.application_id
  tags = [
    "HideApp",
    "WindowsAzureActiveDirectoryIntegratedApp",
  ]
}
marcus-crane commented 2 years ago

Hey @qxmips, I'm going to try and set up an end-to-end environment to narrow down the issue today. As mentioned in a different issue, I'm no longer at my previous job so I'm having to set up a proper local environment to support this plugin 🙂 Can I get your exact Netbox version just to narrow down where to look?

qxmips commented 2 years ago

Thank you very much. I use Terraform for this project, so it's very helpful.

qxmips commented 2 years ago

@marcus-crane Hi Marcus. Thank you, I think I got it working when I set "groupMembershipClaims": "All" in the app Manifest in Azure.

marcus-crane commented 2 years ago

@qxmips Ah, thanks for letting me know! If you're happy, then I'll close this issue. You can always file a new one if you need to or open this one if that's possible. I'm not quite sure how the Github permissions are set to be honest

qxmips commented 2 years ago

@marcus-crane sure, thank you again for cooperation!