https://github.com/jeremyschulman/netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2
https://github.com/jeremyschulman/netbox-plugin-auth-saml2

netbox-plugin

Last synced: 2 months ago
JSON representation

Netbox plugin for SSO using SAML2

• Host: GitHub
• URL: https://github.com/jeremyschulman/netbox-plugin-auth-saml2
• Owner: jeremyschulman
• Created: 2020-05-22T18:37:41.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2023-06-06T14:13:52.000Z (about 1 year ago)
• Last Synced: 2024-05-05T00:43:12.573Z (2 months ago)
• Topics: netbox-plugin
• Language: Python
• Size: 27.3 KB
• Stars: 114
• Watchers: 14
• Forks: 17
• Open Issues: 19
• Metadata Files:
  • Readme: README.md

Lists

• awesome-netbox - jeremyschulman/netbox-plugin-auth-saml2 - Netbox Plugin for SSO using SAML2. (Plugins / Authentication)

README

        
# Netbox Plugin for SSO using SAML2

Netbox 2.8 provides enhancements to support remote user authentication uses specific

variables defined in the configuration.py file, as described here:

https://netbox.readthedocs.io/en/stable/configuration/optional-settings/

This repository provides a Netbox plugin that can be used to integrate with a SAML SSO system,

such as Okta.

*NOTE: This approach uses a reverse-proxy URL rewrite so that the standard Netbox Login will redirect

the User to the SSO system.  Please refer to the example [nginx.conf](nginx.conf) file.*

*NOTE: Netbox plugin for SSO, v2.0+, supports Netbox 2.8, 2.9, 2.10, 2.11, 3.0.

## System Requirements

You will need to install the [django3-auth-saml2](https://github.com/jeremyschulman/django3-auth-saml2)

into your Netbox environment.

## Netbox Configuration

In the `configuration.py` you will need to enable and configure these

`REMOTE_AUTH_xxx` options at a minimum:

```python

REMOTE_AUTH_ENABLED = True

REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'

# For v2.8+:

# REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'

# For backends included with this plugin:

# REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.'

REMOTE_AUTH_AUTO_CREATE_USER = True

````

You can also create the other options **REMOTE_AUTH_DEFAULT_GROUPS** and

**REMOTE_AUTH_DEFAULT_PERMISSIONS** as described in the online docs.

Next you will need to configure this plugin, provding your specific

configuraiton values as described in

[django3-okta-saml2](https://github.com/jeremyschulman/django3-okta-saml2)

repo, for example:

```python

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {

    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against

        'ASSERTION_URL': 'https://netbox.company.com',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO

        'ENTITY_ID': 'https://netbox.conpany.com/',

        # Metadata is required, choose either remote url

        'METADATA_AUTO_CONF_URL': "https://mycorp.okta.com/app/sadjfalkdsflkads/sso/saml/metadata",

        # or local file path

        'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',

        # Settings for SAML2CustomAttrUserBackend. Optional.

        'CUSTOM_ATTR_BACKEND': {

            # See the note below about SAML attributes

            # Attribute containing the username. Optional.

            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

            # Attribute containing the user's email. Optional.

            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

            # Attribute containing the user's first name. Optional.

            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',

            # Attribute containing the user's last name. Optional.

            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',

            # Set to True to always update the user on logon

            # from SAML attributes on logon. Defaults to False.

            'ALWAYS_UPDATE_USER': False,

            # Attribute that contains groups. Optional.

            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',

            # Dict of user flags to groups.

            # If the user is in the group then the flag will be set to True. Optional.

            'FLAGS_BY_GROUP': {

                'is_staff': 'saml-group1',

                'is_superuser': 'saml-group2'

            },

            # Dict of SAML groups to NetBox groups. Optional.

            # Groups must be created beforehand in NetBox.

            'GROUP_MAPPINGS': {

                'saml-group3': 'netbox-group'

            }

        }

    }

}

```

Please note that `METADATA_AUTO_CONF_URL` and `METADATA_LOCAL_FILE_PATH` are

mutually exclusive. Don't use both settings at the same time.

## Attributes

Newer versions of `pysaml2` uses an attribute map.

For example, instead of `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in the configuration above, `emailAddress` should be used instead.

See [here](https://github.com/IdentityPython/pysaml2/tree/master/src/saml2/attributemaps) for details.

# New Plugin URLs

This plugin will provide two new URLs to Netbox:

`/api/plugins/sso/login/`


This URLs redirects the User login to the SSO system (Okta) for authentication.  This is the URL that needs

to be used in the reverse-proxy redirect, for examlple see [nginx.conf](nginx.conf#L35).





`/api/plugins/sso/acs/`


This URLs should be configured into your SSO system as the route to use to single-sign-on/redirection URL the User into Netbox

after the User has authenticated with the SSO system.

# Customizing on Create New User Configuration

If you want to customize the way a User is created, beyond what is provided by the

Netbox REMOTE_AUTH variables, you can create a custom RemoteBackend class.  See

the samples in [backends.py](django3_saml2_nbplugin/backends.py).

# Using A Reverse Proxy Redirect

The use of this plugin requires a reverse-proxy URL redirect to override the default Netbox `/login/` URL.  There

are two notes in this process:

   1.  You MAY need to disable port in redirect depending on your Netbox installation.  If your Netbox server URL

   does _not_ include a port, then you _must_ disable port redirect.  For example see [nginx.conf](nginx.conf#L19).

   1.  You MUST add the ULR rewrite for the `/login/` URL to use `/plugins/sso/login/`, for example [nginx.conf](nginx.conf#L35).

# Adding a SSO Login Button

Instead of using a reverse proxy redirect, you can add a SSO login button above

the NetBox login form. This has the added benefit of allowing both local

and SAML login options.

Add the following to your configuration.py:

```python

BANNER_LOGIN = 'Login with SSO'

```