netbox-plugin-auth-saml2
ADFS: fails to find attributes ('NoneType' object has no attribute 'text')
Hello, I'm running Netbox v3.4.1 (could you please confirm this version is ok?)
ADFS authentication fails with this error:
```
AttributeError at /api/plugins/sso/acs/
'NoneType' object has no attribute 'text'

Request Method: POST
Request URL: https://netbox.mycompany.local/api/plugins/sso/acs/
Django Version: 4.1.4
Exception Type: AttributeError
Exception Value: 'NoneType' object has no attribute 'text'
Exception Location: /opt/netbox-3.4.1/venv/lib/python3.8/site-packages/django3_auth_saml2/views.py, line 106, in sso_acs
Raised during: django3_auth_saml2.views.sso_acs
Python Executable: /opt/netbox-3.4.1/venv/bin/python3
Python Version: 3.8.10
Python Path: ['/opt/netbox/netbox', '/opt/netbox-3.4.1', '/opt/netbox-3.4.1/venv/bin', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/usr/lib/python3.8/lib-dynload', '/opt/netbox-3.4.1/venv/lib/python3.8/site-packages']
Server time: Thu, 02 Mar 2023 09:57:13 +0000
```

The code at that location (views.py, line 106):

```python
authn_response.parse_assertion()
user_name = authn_response.name_id.text
```
It looks like it fails to parse the SAML response to find "name_id".
Here is the SAML response (from ADFS debug):

```xml
<Subject>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="id-H9j3h0AzzPt4XZHje" NotOnOrAfter="2023-02-24T15:30:48.629Z" Recipient="https://netbox.mycompany.local/sso/acs/" />
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2023-02-24T15:25:48.613Z" NotOnOrAfter="2023-02-24T16:25:48.613Z">
  <AudienceRestriction>
    <Audience>https://netbox.mycompany.local/</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <AttributeValue>[email protected]</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>Julien</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>doe</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Utilisa. du domaine</AttributeValue>
    <AttributeValue>G-NETBOX-ADM</AttributeValue>
  </Attribute>
</AttributeStatement>
```
My config file:

```python
PLUGINS = ['django3_saml2_nbplugin']

REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
# or (same result):
# REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'

REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.mycompany.local',
        # Populates the Issuer element in authn request, e.g. defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.mycompany.local/',
        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': "https://sts.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml",
        # or local file path
        #'METADATA_LOCAL_FILE_PATH': '/opt/netbox/saml2.xml',
        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # See the note below about SAML attributes
            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': False,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.xmlsoap.org/claims/Group',
            # Dict of user flags to groups.
            # If the user is in the group then the flag will be set to True. Optional.
            'FLAGS_BY_GROUP': {
                'is_staff': 'G-NETBOX-ADM',
                'is_superuser': 'G-NETBOX-ADM'
            },
            # Dict of SAML groups to NetBox groups. Optional.
            # Groups must be created beforehand in NetBox.
            'GROUP_MAPPINGS': {
                'G-NETBOX-ADM': 'G-NETBOX-ADM'
            }
        }
    }
}
```
thanks for your help! Julien
Add UPN as Name ID in ADFS claims.
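The `<Subject>` in the posted assertion carries only a `<SubjectConfirmation>`, no `<NameID>`, which is exactly why `authn_response.name_id` is `None` at the line shown in the traceback. The following is an added example (not code from the plugin, from pysaml2 or from this issue) that checks an assertion for that condition with the standard library alone, so the problem can be spotted from an ADFS debug dump before it reaches the `sso_acs` view. The two assertions are constructed from the one in the issue: one without a NameID (the failing case) and one with the UPN added as NameID, as the reply suggests; the e-mail address `jdoe@example.com` and the `nameid-format:unspecified` format are sample values chosen here.

```python
"""Check whether a SAML 2.0 assertion carries the <NameID> that
django3_auth_saml2 reads as the username (added example, not plugin code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed from the SubjectConfirmation posted in the issue.
SUBJECT_CONFIRMATION = (
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData InResponseTo="id-H9j3h0AzzPt4XZHje"'
    ' NotOnOrAfter="2023-02-24T15:30:48.629Z"'
    ' Recipient="https://netbox.mycompany.local/sso/acs/"/>'
    "</saml:SubjectConfirmation>"
)

# Constructed attribute statement; the UPN value is a sample, not the real one.
ATTRIBUTE_STATEMENT = (
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">'
    "<saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>"
    '<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">'
    "<saml:AttributeValue>Utilisa. du domaine</saml:AttributeValue>"
    "<saml:AttributeValue>G-NETBOX-ADM</saml:AttributeValue></saml:Attribute>"
    "</saml:AttributeStatement>"
)


def _assertion(subject_inner: str) -> str:
    """Wrap a Subject body and the attribute statement in a minimal Assertion."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject>{subject_inner}</saml:Subject>"
        f"{ATTRIBUTE_STATEMENT}"
        "</saml:Assertion>"
    )


# What ADFS sent in the issue: SubjectConfirmation only, no NameID.
ASSERTION_WITHOUT_NAMEID = _assertion(SUBJECT_CONFIRMATION)

# Same assertion after adding the UPN as Name ID (NameID precedes
# SubjectConfirmation inside Subject, per the SAML 2.0 core schema).
ASSERTION_WITH_NAMEID = _assertion(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "jdoe@example.com</saml:NameID>" + SUBJECT_CONFIRMATION
)


def inspect_assertion(xml_text: str) -> Dict[str, object]:
    """Return the NameID text (or None) and every attribute with its values."""
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    attributes: Dict[str, List[Optional[str]]] = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attributes[attr.get("Name")] = [v.text for v in values]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def require_name_id(xml_text: str) -> str:
    """Fail with a readable message instead of the view's AttributeError."""
    info = inspect_assertion(xml_text)
    if info["name_id"] is None:
        sent = ", ".join(info["attributes"]) or "(none)"
        raise ValueError(
            "assertion has no <NameID> in <Subject>; the IdP only sent these "
            f"attributes: {sent}. Configure the IdP to issue a Name ID claim."
        )
    return str(info["name_id"])


if __name__ == "__main__":
    for label, doc in (("ADFS as posted", ASSERTION_WITHOUT_NAMEID),
                       ("with UPN as NameID", ASSERTION_WITH_NAMEID)):
        try:
            print(f"{label}: NameID = {require_name_id(doc)}")
        except ValueError as exc:
            print(f"{label}: {exc}")
```

Running it prints the diagnostic for the first assertion and the UPN for the second. The same `inspect_assertion` call can be pointed at a decoded assertion captured from the ADFS side to confirm, independently of the plugin, whether the Name ID claim rule is in place.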