AzureAD SSO - Groups #12688
Replies: 7 comments 17 replies
-
|
Update: Added the following and still no success, AUTH_AZUREAD_ENABLED = True |
Beta Was this translation helpful? Give feedback.
-
|
Correction: Added this part. AUTH_AZUREAD_REPLY_URL = 'https://hostname/login' |
Beta Was this translation helpful? Give feedback.
-
|
This is what I did to get it working. Although it's not well tested yet, and could probably be optimized some. Add this to your config: REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_BACKEND = [
"social_core.backends.azuread.AzureADOAuth2",
]
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_ENABLED = True
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = "xxxx"
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = "yyyy"
SOCIAL_AUTH_AZUREAD_OAUTH2_TENANT_ID = "zzzz"
SOCIAL_AUTH_AZUREAD_OAUTH2_DEFAULT_SCOPE = [
"openid",
"profile",
"user_impersonation",
"email",
"groups",
]
SOCIAL_AUTH_AZUREAD_OAUTH2_EXTRA_DATA = [
("groups", "groups")
]
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
SOCIAL_AUTH_PIPELINE = (
"social_core.pipeline.social_auth.social_details",
"social_core.pipeline.social_auth.social_uid",
"social_core.pipeline.social_auth.social_user",
"social_core.pipeline.user.get_username",
"social_core.pipeline.social_auth.associate_by_email",
"social_core.pipeline.user.create_user",
"social_core.pipeline.social_auth.associate_user",
"netbox.authentication.user_default_groups_handler",
"social_core.pipeline.social_auth.load_extra_data",
"social_core.pipeline.user.user_details",
"netbox.azuresetgroups.set_groups",
)Copy this file to from django.contrib.auth.models import Group
import logging
class AuthFailed(Exception):
pass
logger = logging.getLogger(__name__)
def set_groups(response, user, backend, *args, **kwargs):
user.groups.clear()
user.save()
conndetails = user.social_auth.get(provider="azuread-oauth2")
group_names = conndetails.extra_data.get("groups")
logger.info("found groups: %s", group_names)
if group_names is None:
return
try:
user.is_active = True
user.is_superuser = False
user.is_staff = False
user.save()
for group_name in group_names:
if group_name == "netbox superusers":
user.is_superuser = True
user.is_staff = True
user.save()
group, created = Group.objects.get_or_create(name=group_name)
group.user_set.add(user)
group.save()
except Group.DoesNotExist:
pass |
Beta Was this translation helpful? Give feedback.
-
|
is this the only place where we specify the group name? |
Beta Was this translation helpful? Give feedback.
-
Yes. |
Beta Was this translation helpful? Give feedback.
-
|
Also getting this error message after making this change: <class 'AttributeError'> 'list' object has no attribute 'rsplit' Python version: 3.9.10 |
Beta Was this translation helpful? Give feedback.
-
|
I'm using 3.5, so not sure what has changed. If you had a full backtrace that would be more useful. |
Beta Was this translation helpful? Give feedback.
-
|
fixed the code with the following REMOTE_AUTH_AUTO_CREATE_USER = True REMOTE_AUTH_BACKEND = "social_core.backends.azuread.AzureADOAuth2" REMOTE_AUTH_DEFAULT_GROUPS = [] REMOTE_AUTH_DEFAULT_PERMISSIONS = {} REMOTE_AUTH_ENABLED = True SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = "xxxx" SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = "yyyy" SOCIAL_AUTH_AZUREAD_OAUTH2_TENANT_ID = "zzzz" SOCIAL_AUTH_AZUREAD_OAUTH2_DEFAULT_SCOPE = [ |
Beta Was this translation helpful? Give feedback.
-
|
So you changed REMOTE_AUTH_BACKEND from a list to a single string? The formatting makes it difficult to see. |
Beta Was this translation helpful? Give feedback.
-
|
ya, couldn't really find a way to fix the formatting so just added empty lines in the beginning |
Beta Was this translation helpful? Give feedback.
-
|
Looks like REMOTE_AUTH_BACKEND behavior changed in 3.4.7: netbox/docs/release-notes/version-3.4.md Line 74 in b31b086 |
Beta Was this translation helpful? Give feedback.
-
|
that makes sense...do you know why I would receive the error message below? |
Beta Was this translation helpful? Give feedback.
-
|
Getting this error hwoever: AADSTS700016: Application with identifier 'xxxx' was not found in the directory 'DOMAIN.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. |
Beta Was this translation helpful? Give feedback.
-
|
where do I find the code that include netbox.authentication.user_default_groups_handler for v3.2.5? |
Beta Was this translation helpful? Give feedback.
-
You'll need to upgrade to a newer version of NetBox. I doubt that it would be very easy to backport that code to 3.2.5. |
Beta Was this translation helpful? Give feedback.
-
The groups that Azure sends to NetBox should be logged. Check the logs for those and make sure that they make sense. |
Beta Was this translation helpful? Give feedback.
-
|
where do I specify the groups in Azure that need to be imported? the documentation isn't really clear. |
Beta Was this translation helpful? Give feedback.
-
|
I added them in Users and Groups for the Netbox application under Enterprise Application tab |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I ahve configured AzureAD SSO for Netbox but don't know where/how to specify superuser/admin user groups. Please assist. I have netbox version 3.2.5 installed.
Beta Was this translation helpful? Give feedback.
All reactions