Skip to main content

Netbox plugin for SAML2 auth

Project description

Netbox Plugin for SSO using SAML2

Netbox 2.8 provides enhancements to support remote user authentication uses specific variables defined in the configuration.py file, as described here:

https://netbox.readthedocs.io/en/stable/configuration/optional-settings/

This repository provides a Netbox plugin that can be used to integrate with a SAML SSO system, such as Okta.

NOTE: This approach uses a reverse-proxy URL rewrite so that the standard Netbox Login will redirect the User to the SSO system. Please refer to the example nginx.conf file.

*NOTE: Netbox plugin for SSO, v2.0+, supports Netbox 2.8, 2.9, 2.10, 2.11, 3.0.

*NOTE: Netbox plugin for SSO, v3.0+, supports Netbox 4.0.

System Requirements

You will need to install the django3-auth-saml2 into your Netbox environment.

Netbox Configuration

In the configuration.py you will need to enable and configure these REMOTE_AUTH_xxx options at a minimum:

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
# For v2.8+:
# REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
# For backends included with this plugin:
# REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.<Backend>'
REMOTE_AUTH_AUTO_CREATE_USER = True

You can also create the other options REMOTE_AUTH_DEFAULT_GROUPS and REMOTE_AUTH_DEFAULT_PERMISSIONS as described in the online docs.

Next you will need to configure this plugin, provding your specific configuraiton values as described in django3-okta-saml2 repo, for example:

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.company.com',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.conpany.com/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://mycorp.okta.com/app/sadjfalkdsflkads/sso/saml/metadata",
        # or local file path
        'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # See the note below about SAML attributes

            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff': 'saml-group1',
                'is_superuser': 'saml-group2'
            },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'saml-group3': 'netbox-group'
            }
        }
    }
}

Please note that METADATA_AUTO_CONF_URL and METADATA_LOCAL_FILE_PATH are mutually exclusive. Don't use both settings at the same time.

Attributes

Newer versions of pysaml2 uses an attribute map. For example, instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the configuration above, emailAddress should be used instead.

See here for details.

New Plugin URLs

This plugin will provide two new URLs to Netbox:

/api/plugins/sso/login/
This URLs redirects the User login to the SSO system (Okta) for authentication. This is the URL that needs to be used in the reverse-proxy redirect, for examlple see nginx.conf.

/api/plugins/sso/acs/
This URLs should be configured into your SSO system as the route to use to single-sign-on/redirection URL the User into Netbox after the User has authenticated with the SSO system.

Customizing on Create New User Configuration

If you want to customize the way a User is created, beyond what is provided by the Netbox REMOTE_AUTH variables, you can create a custom RemoteBackend class. See the samples in backends.py.

Using A Reverse Proxy Redirect

The use of this plugin requires a reverse-proxy URL redirect to override the default Netbox /login/ URL. There are two notes in this process:

  1. You MAY need to disable port in redirect depending on your Netbox installation. If your Netbox server URL does not include a port, then you must disable port redirect. For example see nginx.conf.
  2. You MUST add the ULR rewrite for the /login/ URL to use /plugins/sso/login/, for example nginx.conf.

Adding a SSO Login Button

Instead of using a reverse proxy redirect, you can add a SSO login button above the NetBox login form. This has the added benefit of allowing both local and SAML login options.

Add the following to your configuration.py:

BANNER_LOGIN = '<a href="/api/plugins/sso/login" class="btn btn-primary btn-block">Login with SSO</a>'

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

netbox-plugin-auth-saml2-3.0.tar.gz (6.1 kB view details)

Uploaded Source

Built Distribution

netbox_plugin_auth_saml2-3.0-py3-none-any.whl (6.9 kB view details)

Uploaded Python 3

File details

Details for the file netbox-plugin-auth-saml2-3.0.tar.gz.

File metadata

File hashes

Hashes for netbox-plugin-auth-saml2-3.0.tar.gz
Algorithm Hash digest
SHA256 6efa64d170d299a511979d4f41a1961c8ecfa8165c84de0a68359c0caac73a43
MD5 0e2da30be213782d4f92565eadef9091
BLAKE2b-256 f4e602a2cf2660ff0684ed91b60e56ed931388a41f596945b63a7c3ebe2e9a8b

See more details on using hashes here.

File details

Details for the file netbox_plugin_auth_saml2-3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for netbox_plugin_auth_saml2-3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8e151694047b27fb4654ced009c95ae272c15123c160c1dfb8df9218aeb40931
MD5 b8b36f653141509c529eca70cf889321
BLAKE2b-256 43cc4e3de66ad22335fc9797325bbd56d424e2514994c37b6486ab71d9397646

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page