django3-auth-saml2's People

Contributors: dependabot[bot], jeremy-schulman-copilot, jeremyschulman, liquidninja07, prauscher, squintfox


django3-auth-saml2's Issues

Need Help with Group Mapping Issue: Azure AD, Netbox, and User Account Status Flags

Currently, I have an issue with the group mapping for some accounts. If an account is in the AD-Operators Azure AD group, it will be assigned to the DCIM-Operator NetBox group. But if the same account is then removed from the AD-Operators Azure AD group and moved to the AD-Admins Azure AD group, the expected behaviour would be that the account gets the Staff and Superuser status flags; instead, the account is removed from the DCIM-Operator group and only the Active status flag stays set.

I revised the plugin configuration in configuration.py and it looks fine to me.

REMOTE_AUTH_ENABLED = True
#REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = ['django3_saml2_nbplugin']

# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        'ASSERTION_URL': 'https://dcim.company.com/api/plugins',
        'ENTITY_ID': 'https://dcim.company.com/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://login.microsoftonline.com/6d3fc077-0dff-xxxx-xxxx-4434xxxxf4d1/federationmetadata/2007-06/federationmetadata.xml?appid=d6c962fb-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        # or local file path
        # 'METADATA_LOCAL_FILE_PATH': '/opt/netbox/DCIM.xml',

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # Attribute containing the username. Optional.
            "USERNAME_ATTR": "name",
            # Attribute containing the user's email. Optional.
            "MAIL_ATTR": "emailAddress",
            # Attribute containing the user's first name. Optional.
            "FIRST_NAME_ATTR": "givenName",
            # Attribute containing the user's last name. Optional.
            "LAST_NAME_ATTR": "surname",
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': True,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff':'c273533e-xxxx-xxxx-xxxx-09841d1exxxx', # AD-Admins group
                'is_superuser':'c273533e-xxxx-xxxx-xxxx-09841d1exxxx' # AD-Admins group
            },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'd51a17ec-xxxx-xxxx-xxxx-c9696a30efbf': 'DCIM-readonly',
                'dff13f8f-xxxx-xxxx-xxxx-6a17574cce00': 'DCIM-operator',
                '0a310d41-xxxx-xxxx-xxxx-d0c3a656ed5c': 'DCIM-tenant-admins',
                '5fafd340-xxxx-xxxx-xxxx-2d2a9655141a': 'DCIM-SOC'
            }
        }
    }
}

TL;DR: if accounts are added to the AD-Admins and AD-Operator groups, then they will get the group mapping issue.

Does it make sense to anyone?
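The reconciliation the configuration above describes (FLAGS_BY_GROUP sets a flag when the user is in the listed SAML group, GROUP_MAPPINGS translates SAML group identifiers into NetBox groups) can be written down as a small model. The following is an added illustration, not the plugin's code, of the behaviour the reporter expects on each login with ALWAYS_UPDATE_USER: flags and managed group memberships are recomputed from the current assertion, so moving an account from the operators group to the admins group both drops DCIM-operator and sets is_staff/is_superuser, while a user who leaves the admins group loses the flags again. The group identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed configuration in the same shape as the issue's PLUGINS_CONFIG.
# The group identifiers are placeholders, not real Azure AD object IDs.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
FLAGS_BY_GROUP = {
    "is_staff": "GROUP-ID-AD-ADMINS",
    "is_superuser": "GROUP-ID-AD-ADMINS",
}
GROUP_MAPPINGS = {
    "GROUP-ID-AD-OPERATORS": "DCIM-operator",
    "GROUP-ID-AD-READONLY": "DCIM-readonly",
}


@dataclass
class User:
    """Minimal stand-in for a Django user: flags plus a set of group names."""
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    groups: set = field(default_factory=set)


def reconcile(user: User, saml_attrs: dict) -> User:
    """Hypothetical per-login reconciliation (assumed semantics, not the plugin's).

    Flags are set True only while the user is in the configured group and are
    cleared otherwise, so privileges do not persist after removal from AD-Admins.
    Only groups listed in GROUP_MAPPINGS are managed; locally assigned groups
    are left untouched.
    """
    saml_groups = set(saml_attrs.get(GROUP_ATTR, []))

    for flag, group_id in FLAGS_BY_GROUP.items():
        setattr(user, flag, group_id in saml_groups)

    managed = set(GROUP_MAPPINGS.values())
    wanted = {GROUP_MAPPINGS[g] for g in saml_groups if g in GROUP_MAPPINGS}
    user.groups = (user.groups - managed) | wanted
    return user


def simulate_move(username: str = "alice") -> dict:
    """Replay the scenario from the issue: operator first, then moved to admins,
    then removed from admins. Returns a snapshot after each login."""
    user = User(username)
    user.groups.add("local-extra")  # constructed: a group not managed by SAML

    # Constructed assertions: only the group claim matters for this model.
    logins = {
        "operator": {GROUP_ATTR: ["GROUP-ID-AD-OPERATORS"]},
        "admin": {GROUP_ATTR: ["GROUP-ID-AD-ADMINS"]},
        "removed": {GROUP_ATTR: []},
    }
    snapshots = {}
    for step, attrs in logins.items():
        reconcile(user, attrs)
        snapshots[step] = {
            "is_active": user.is_active,
            "is_staff": user.is_staff,
            "is_superuser": user.is_superuser,
            "groups": set(user.groups),
        }
    return snapshots


if __name__ == "__main__":
    for step, state in simulate_move().items():
        print(step, state)
```

The point a defender should check in any such mapping is the third step: when the admins group disappears from the assertion, is_staff and is_superuser must be cleared, not merely left as they were, otherwise a former administrator keeps superuser access until someone notices.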

Add an option to skip signature signing

Explanation

Sometimes you just don't want to check whether the signature is present. Normally, you can set WantAssertionsSigned="false".

Common error

saml2.sigver.SignatureError: Signature missing for assertion

pypi missing the VERSION file

It appears the PyPI version is missing the VERSION file, which is causing setup.py to fail.

Traceback:

    Running command python setup.py egg_info
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/vpip-build-django3_auth_saml2-0.0.0-py2.py3-none-any.whl/django3-auth-saml2/setup.py", line 3, in <module>
        package_version = open('VERSION').read().strip()
    FileNotFoundError: [Errno 2] No such file or directory: 'VERSION'

Introspecting https://files.pythonhosted.org/packages/65/da/7428cb5d96588d5e11da12cadbe374c79f40ca60111181c461ff0aee27f2/django3-auth-saml2-0.2.0.tar.gz:

package_version = open('VERSION').read().strip()
aliu-mbp:django3-auth-saml2-0.2.0 aliu$ ls
MANIFEST.in			README.md			django3_auth_saml2.egg-info	setup.cfg
PKG-INFO			django3_auth_saml2		requirements.txt		setup.py
aliu-mbp:django3-auth-saml2-0.2.0 aliu$

Errors when the database is in readonly mode

Using the latest django3-auth-saml2 and NetBox 3.3.9.

I have a replicated database that is read-only. The NetBox frontend should be accessible and works with local users.
When I enable SSO using this plugin, I get the error 'cannot execute UPDATE in a read-only transaction'.

I traced this to sso_acs, which runs login(req, user_obj).
That call triggers the user_logged_in signal, which performs an update of the database to keep track of the last login timestamp.

In NetBox, this is solved by disconnecting that signal if the database is in read-only mode.

Can an option be created to be compatible with a read-only database? Some extra configuration parameter?

Pieter

Release v0.3.0 to pypi

The current pip version 0.2.0 fails with Python 3.9 due to pysaml2 using base64.stringdecode and base.stringencode. The current master branch requirements are for pysaml2 6.5, but it isn't released.

Does not load on Django 4 / netbox 3.2

NetBox 3.2 (currently in beta, releasing in April) is moving to Django 4. Django 4 has removed the method is_safe_url() from utils.http (which is used in views.py). It is replaced with url_has_allowed_host_and_scheme() (same parameters). When you load the NetBox beta, you get:

ImportError: cannot import name 'is_safe_url' from 'django.utils.http' (/opt/netbox/venv/lib/python3.9/site-packages/django/utils/http.py)

I know this specifies Django 3, but netbox-plugin-auth-saml2 requires this and will no longer work. Are there any thoughts on making this compatible with Django 4, or making a version for NetBox that can be?

LICENSE file

Hello,

The Apache license requires license text to be present along with source, but I can't find it in this git repository.

Would appreciate if you could add it and make a new release (so that it appears also on pypi.org).

Thank you!

With 0.2.1 `name` claim does not work anymore

Worked with 0.2.0 (with its dependencies) but not on 0.2.1 (released last night by @jeremyschulman) anymore:

<class 'PermissionError'>
SAML2 backend SAML2CustomAttrUserBackend missing attribute:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Python version: 3.8.10
NetBox version: 3.0.11

Both on NetBox 2.11.7 and 3.0.11.

The only thing I did was run NetBox's ./upgrade.sh, so it installed the latest packages for the dependencies (I last updated them two days ago). Still investigating though.

Update: I verified that the name claim was included in the SAML assertion just like before:

            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>[email protected]</AttributeValue>
            </Attribute>

(In this setup the name claim has the UPN, not the email address.)

In NetBox configuration.py:

PLUGINS = ["django3_saml2_nbplugin"]
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'
PLUGINS_CONFIG = {
    "django3_saml2_nbplugin": {
        "AUTHENTICATION_BACKEND": REMOTE_AUTH_BACKEND,
        "ASSERTION_URL": "https://netbox.example.com",
        "ENTITY_ID": "https://netbox.example.com/",
        # "METADATA_AUTO_CONF_URL": "https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy",
        "METADATA_LOCAL_FILE_PATH": "/opt/netbox/saml.xml",
        # Tried with both AUTO_CONF_URL and LOCAL_FILE_PATH, no difference here
        "CUSTOM_ATTR_BACKEND": {
            "USERNAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "MAIL_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "FIRST_NAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            "LAST_NAME_ATTR": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
            "ALWAYS_UPDATE_USER": True,
            "GROUP_ATTR": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
            "FLAGS_BY_GROUP": {
                "is_staff": "MYNETBOX_STAFF",
                "is_superuser": "MYNETBOX_SUPERUSER",
            },
            "GROUP_MAPPINGS": {
                "MYNETBOX_ACTIVE": "MYNETBOX_ACTIVE",
                "MYNETBOX_SUPERUSER": "MYNETBOX_SUPERUSER",
            }
        }
    }
}
