Netbox 3.1 and Azure AD SSO

[mrapw]

Hi all
as anyone had any luck in getting SSO working with Azure AD please with Netbox 3.1 (Single Sign-On (SSO) Authentication (#7649)

I've not been able to any guides on how to set up and came across the thread below.
#7649

I've set up a new Enterprise App in Azure AD configured for SAML, and have the Application ID etc.

added entries to configuration.py (I've masked entries like the Application ID etc for the purposes of this)

LOGIN_REQUIRED = True

REMOTE_AUTH_ENABLED = True

REMOTE_AUTH_BACKEND = 'social_core.backends.azuread_tenant.AzureADTenantOAuth2'

REMOTE_AUTH_AUTO_CREATE_USER = True

SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_RESOURCE = '(Application ID)'
SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = '(Application ID)'
SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = '(Secret Token)'
SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = '(Tenant ID)'

SOCIAL_AUTH_PIPELINE = (
'social_core.pipeline.social_auth.social_details',
'social_core.pipeline.social_auth.social_uid',
'social_core.pipeline.social_auth.auth_allowed',
'social_core.pipeline.social_auth.social_user',
'social_core.pipeline.user.get_username',
'netbox.custom_pipeline.set_username',
'social_core.pipeline.user.create_user',
'social_core.pipeline.social_auth.associate_user',
'social_core.pipeline.social_auth.load_extra_data',
'social_core.pipeline.user.user_details',
'netbox.custom_pipeline.set_role'

When I launch Netbox in the browser I successfully get prompted to use SSO provider which directs me to a Microsoft sign-in page.

Or use an SSO provider:
[azuread-tenant-oauth2]

Upon successful authentication the following is displayed:

ADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: (Application ID) (Netbox Test). Resource value from request: (Application ID). Resource app ID: (Application ID). List of valid resources from app registration: .

any ideas please what the issue could be?

TIA

[jeremystretch]

I don't think you need to define SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_RESOURCE. (Per the python-social-auth docs, this should be a URL.)

[aussielunix]

These are my raw notes from Netbox and SAML.
They are not perfect but I share them in case they help a little.

https://gist.github.com/aussielunix/46f6e53bf7c6d231ef0a296215abbf07

[pparasuram]

Hello,

We got this working, however because someone else in my team had configured LDAP authentication successfully before, all we had to do was leverage quite a bit of that code.

We did the following:

Essentially added a python-social-auth pipeline with our method to get the jwt from SSO and decode jwt, and populated groups into netbox user.groups, and set 2 flags user.is_staff and user.is_superuser.

1. Added a method to the social auth pipeline
2. under custom-plugins, create init.py (custom-plugins\test_api\test_api_init_.py)
   add something like below:

from extras.plugins import PluginConfig

class TestAPIConfig(PluginConfig):
name = 'test_api'
verbose_name = 'Test API'
description = 'An example NetBox plugin'
version = '0.1'
author = 'me lastname'
author_email = 'me.lastname@somewhere.com'
base_url = 'test'
required_settings = []
default_settings = {}

config = TestAPIConfig

3. create custom-plugins\test_api\test_api\my_social_auth_test.py

import jwt
from importlib import import_module
from os import environ
from django.contrib.auth.models import User, Group

ALLOWED_USER_GROUPS_LIST = []
SUPER_USER_GROUPS = []

def my_test_func(strategy, backend, request, *args, **kwargs):

user = kwargs["user"]

jwt_id_token = kwargs['response']['id_token']
alg = jwt.get_unverified_header(jwt_id_token) ['alg']

user_info = jwt.decode(jwt_id_token, algorithms=[alg], options={"verify_signature": False})

jwt_groups = user_info ['groups']

user.is_staff = any(a_group in jwt_groups for a_group in ALLOWED_USER_GROUPS_LIST)
user.is_superuser = any(a_group in jwt_groups for a_group in SUPER_USER_GROUPS)

matched_netbox_groups = Group.objects.filter(name__in=jwt_groups)
user.groups.set(matched_netbox_groups)
user.save()

return None

4. Add to python social auth pipeline: in custom-configuration\configuration.py

add to bottom

SOCIAL_AUTH_PIPELINE = (
# Get the information we can about the user and return it in a simple
# format to create the user instance later. In some cases the details are
# already part of the auth response from the provider, but sometimes this
# could hit a provider API.
'social_core.pipeline.social_auth.social_details',

# Get the social uid from whichever service we're authing thru. The uid is
# the unique identifier of the given user in the provider.
'social_core.pipeline.social_auth.social_uid',

# Verifies that the current auth process is valid within the current
# project, this is where emails and domains whitelists are applied (if
# defined).
'social_core.pipeline.social_auth.auth_allowed',

# Checks if the current social-account is already associated in the site.
'social_core.pipeline.social_auth.social_user',

# Make up a username for this person, appends a random string at the end if
# there's any collision.
'social_core.pipeline.user.get_username',

# Send a validation email to the user to verify its email address.
# Disabled by default.
# 'social_core.pipeline.mail.mail_validation',

# Associates the current social details with another user account with
# a similar email address. Disabled by default.
# 'social_core.pipeline.social_auth.associate_by_email',

# Create a user account if we haven't found one yet.
'social_core.pipeline.user.create_user',

# Create the record that associates the social account with the user.
'social_core.pipeline.social_auth.associate_user',

# Populate the extra_data field in the social record with the values
# specified by settings (and the default ones like access_token, etc).
'social_core.pipeline.social_auth.load_extra_data',

# Update the user record with any changed info from the auth service.
'social_core.pipeline.user.user_details',

'test_api.my_social_auth_test.my_test_func',

)

5. in Dockerfiles\NetBox

FROM /docker.io/netboxcommunity/netbox:v3.3.4-2.2.0

ADD ./custom-initializers /opt/netbox/initializers
ADD ./custom-configuration /etc/netbox/config
ADD ./custom-reports /etc/netbox/reports
ADD ./custom-scripts /etc/netbox/scripts
ADD ./custom-plugins /opt/netbox/plugins

COPY startup-hooks.sh startup-hooks.sh
COPY requirements.txt requirements.txt
RUN chmod 777 startup-hooks.sh
&& /opt/netbox/venv/bin/pip install -r requirements.txt --index-url=https:///artifactory/api/pypi/pypi/simple
&& pip install /opt/netbox/plugins/test_api
&& pip install pyjwt

CMD ["/opt/netbox/docker-entrypoint.sh", "/opt/netbox/netbox/startup-hooks.sh" ]

LABEL com.mycompany.image.ContactGroup="me.lastname@somewhere.com"
com.mycompany.image.ResourceOwner="me.lastname"
com.mycompany.image.TicketGroup="my-group-name"
com.mycompany.image.SOMEID="111111"

All the file locations are relative to your netbox root

Good Luck

[pparasuram]

I have a question:

Right now the local login and the Azure login shows up,
that is screen shows: Username field and Password Field,
below that Azure AD SSO link.

The issue is that the Username/Password will no longer accept Ldap, it only accepts local user. It will be nice if both worked at the same time, meaning if user prefers Ldap and enters Ldap username and password use that, OR if he clicks SSO use that.

That is now not possible once I have SSO working. Is there any way Netbox can allow both to work simulataneously.

Prakash

[umarkhan99]

how are we declaring/calling the py file we created?

[kale1d0code]

There seems to still be problems with SSO in version 4.2.4
I've added the environment variables to the container however it seems as if the client id value is not getting picked up