Replies: 6 comments 7 replies
-
I couldn't get group sync to work with the python-social-auth stuff, but it's working with RemoteUserBackend. I run

Netbox configuration

Also, you need to create groups in Netbox called "netbox:access", "netbox:staff" and "netbox:superuser" manually, before you turn on REMOTE_AUTH_ENABLED.

Apache configuration

Keycloak configuration

I use Keycloak client roles, rather than groups, to control Netbox. This is more flexible, since you can add client roles to one or more groups as well as to individual users; it means the policy of who can do what is centralised in Keycloak, and Netbox doesn't know or care. To create the client:

You can add these roles selectively to groups. For example, if you have an "Admin" group which needs them all:

You also have to configure Keycloak to expose these roles as a flat list in the ID token:

Use

Groups and roles

With this config, only users with the "netbox:access" role are allowed to see Netbox, and the staff/superuser privileges work as expected. You can also create other roles which will sync as Netbox groups. (Note: these groups aren't created automatically in Netbox; I saw a patch which added

You don't have to prefix the role names with "netbox:". I just did so to make it clear what they were for (and because I was using groups instead of client roles previously).

You don't have to use the client roles if you don't want. You should be able to configure Keycloak to expose a 'groups' claim in the ID token, and modify the Apache config to use that. But then Netbox will need to see lots of groups that it doesn't care about, and you'll have to configure in Netbox itself the policy of which organizational groups are allowed to do what.

Aside: Since getting it to work with Keycloak, I've moved to using Vault as OIDC provider. That doesn't have any concept of "roles" so I'm using groups for that. Its web UI isn't as good as Keycloak for user management, but on the plus side it doesn't use Java so it's much more lightweight, and it offers a whole bunch of other functionality including an SSH certificate authority.
-
Yes, this should work. You need to tell Netbox configure.py which header is used for the group info (e.g. X-MyGroups or isMemberOf) and what record separator is used when the identity is a member of multiple groups (e.g. ',' or ':' or whatever). Then you need to create matching group names in Netbox. You can also specify in configure.py a group that should toggle the Staff or Superuser bit, which is in the docs. If it's not clear which header has the info, then you can tcpdump/wireshark the connection between the https proxy server and the http uWSGI/gunicorn process manager, or create a dummy CGI that just prints out the environment so you can see exactly what is being passed to the application from the http server.

E.g. from my ansible config:

```yaml
REMOTE_AUTH_ENABLED: True
REMOTE_AUTH_BACKEND: "netbox.authentication.RemoteUserBackend"
REMOTE_AUTH_HEADER: 'HTTP_X_MYAUTH' #REMOTE_USER is also common
REMOTE_AUTH_GROUP_HEADER: 'HTTP_X_MYGROUPS' #this may be auth-provider specific
REMOTE_AUTH_GROUP_SEPARATOR: ';'
REMOTE_AUTH_GROUP_SYNC_ENABLED: True
REMOTE_AUTH_AUTO_CREATE_USER: True
REMOTE_AUTH_DEFAULT_GROUPS:
- my:saml:group1
REMOTE_AUTH_STAFF_GROUPS:
- my:saml:group2
REMOTE_AUTH_SUPERUSER_GROUPS:
- my:saml:group3
REMOTE_AUTH_DEFAULT_PERMISSIONS: {}
```

Simple test CGI (do not leave on an active public server so it doesn't give away info you don't want):

```perl
#!/usr/bin/perl -T
use warnings;
use strict;
use CGI;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
my $cgi = CGI->new();
print $cgi->header('text/plain');
# Dump the whole environment hash: pass a reference to %ENV, not the
# unrelated scalar $ENV, which would only print "undef"
print Dumper(\%ENV);
```
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
________________________________
From: Gerard ***@***.***>
Sent: Thursday, June 30, 2022 7:39 AM
To: netbox-community/netbox ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [netbox-community/netbox] Any way to sync groups with SSO? (Discussion #9635)
I have configured Netbox to authenticate against Keycloak and that works very well, there only doesn't seem to be a way to sync groups and/or assign staff/superuser based on group membership.
With the RemoteUserBackend you can set which HTTP header contains groups and which groups grant superuser or staff status. The token I authenticate with includes the groups, but I can't figure out how to make them sync.
Is this possible at all?
—
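The header-driven flow described in this reply, as an added example that is not NetBox's own code: a small model of how the REMOTE_AUTH_* settings from the ansible config turn the headers the proxy sets into a username, a set of group names and the staff/superuser flags. The setting values are the ones from the config above; the environ dicts are constructed sample input, and the derivation of the flags from group membership is a simplified model of the backend, not its source.

```python
"""Added example (not NetBox's code): model of REMOTE_AUTH header handling.
Setting values are taken from the ansible config in the reply above;
environ dicts used as input are constructed samples."""
from dataclasses import dataclass, field

# Values from the config in the reply.
REMOTE_AUTH_HEADER = "HTTP_X_MYAUTH"
REMOTE_AUTH_GROUP_HEADER = "HTTP_X_MYGROUPS"
REMOTE_AUTH_GROUP_SEPARATOR = ";"
REMOTE_AUTH_STAFF_GROUPS = {"my:saml:group2"}
REMOTE_AUTH_SUPERUSER_GROUPS = {"my:saml:group3"}


def header_to_environ_key(header_name):
    """CGI/WSGI naming rule: a request header 'X-MyGroups' reaches the
    application as HTTP_X_MYGROUPS in the environment, which is why the
    config keys above use the HTTP_ form and why a %ENV dump (the test CGI
    in the reply) shows the key you must configure."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def parse_group_header(raw, separator=REMOTE_AUTH_GROUP_SEPARATOR):
    """Split the group header into names.  Empty fragments from trailing
    or doubled separators are dropped and whitespace is stripped; a
    missing or empty header yields no groups at all."""
    if not raw:
        return set()
    return {g.strip() for g in raw.split(separator) if g.strip()}


@dataclass
class RemoteIdentity:
    username: str
    groups: set = field(default_factory=set)
    is_staff: bool = False
    is_superuser: bool = False


def resolve_remote_identity(environ):
    """environ is the WSGI/CGI environment the web server hands to the
    application.  Returns None when the auth header is absent (nobody is
    logged in); otherwise the identity, with the staff/superuser flags
    derived from membership in the configured groups."""
    username = environ.get(REMOTE_AUTH_HEADER, "").strip()
    if not username:
        return None
    groups = parse_group_header(environ.get(REMOTE_AUTH_GROUP_HEADER))
    return RemoteIdentity(
        username=username,
        groups=groups,
        is_staff=bool(groups & REMOTE_AUTH_STAFF_GROUPS),
        is_superuser=bool(groups & REMOTE_AUTH_SUPERUSER_GROUPS),
    )


if __name__ == "__main__":
    # Constructed sample: what the proxy would set for a user in two groups,
    # including a trailing separator, which is tolerated.
    sample = {
        "HTTP_X_MYAUTH": "alice",
        "HTTP_X_MYGROUPS": "my:saml:group1; my:saml:group3;",
    }
    print(resolve_remote_identity(sample))
```

The two headers are trusted input for the application, so they must be set (and any copy arriving from the client overwritten) by the proxy in front of NetBox; the environment dump from the reply's test CGI is the quickest way to confirm which keys actually reach the application and with what separator.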
-
Based on the discussion here it looks like I need a webserver module to get group information into netbox when using an external authentication provider. Is that correct? Has anyone gotten it to work using the built-in SSO setup?
-
I know this thread is old, but did anyone find a way to do this? We are also trying to sync groups using
-
I ended up using mod_auth_oidc with Apache and then the REMOTE_AUTH plugin for netbox.
-
@jschewebbn @jose-hernandez2 "netbox.sso_pipeline_roles.set_role" points to /opt/netbox/netbox/sso_pipeline_roles.py. Create a python script file as /opt/netbox/netbox/netbox/sso_pipeline_roles.py. set_role() in sso_pipeline_roles.py will parse SSO user groups passed from the IdP and add the user to local netbox groups. My version is at https://github.com/marsteel/netbox-docker/blob/release/.netbox/netbox/netbox/sso_pipeline_roles.py.
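An added example of the pipeline-step approach this comment describes, written here and not the sso_pipeline_roles.py linked above: a python-social-auth step in the spirit of set_role() that maps Keycloak client roles to NetBox groups, using the role names from the first post (netbox:access, netbox:staff, netbox:superuser). Assumptions: the roles arrive either as a flat "roles" claim (what the Keycloak mapper in the first post produces) or nested under resource_access.<client_id>.roles; the client id "netbox" is a placeholder; the decoded claims are reachable through the `response` dict the pipeline receives (in other setups take them from the details or decode the id_token yourself); the pipeline signature is the usual social-auth one.

```python
"""Added example (not the linked sso_pipeline_roles.py): social-auth
pipeline step mapping Keycloak client roles to NetBox groups.  Role names
follow the first post; CLIENT_ID is a placeholder."""

CLIENT_ID = "netbox"            # placeholder Keycloak client id (assumed)
ROLE_PREFIX = "netbox:"
ACCESS_ROLE = "netbox:access"
STAFF_ROLE = "netbox:staff"
SUPERUSER_ROLE = "netbox:superuser"


def extract_roles(claims, client_id=CLIENT_ID):
    """Collect role names from a decoded token/userinfo dict, accepting
    both the flat 'roles' claim and the nested resource_access layout."""
    roles = set(claims.get("roles") or [])
    nested = (claims.get("resource_access") or {}).get(client_id) or {}
    roles.update(nested.get("roles") or [])
    return roles


def resolve_netbox_roles(claims, client_id=CLIENT_ID):
    """Decide what NetBox should do for this user.  Returns None when the
    access role is missing (deny the login); otherwise the NetBox group
    names to sync (only roles carrying the prefix, so unrelated Keycloak
    roles such as offline_access are ignored) and the staff/superuser
    flags derived from the two special roles."""
    roles = {r for r in extract_roles(claims, client_id) if r.startswith(ROLE_PREFIX)}
    if ACCESS_ROLE not in roles:
        return None
    return {
        "groups": sorted(roles),
        "is_staff": STAFF_ROLE in roles,
        "is_superuser": SUPERUSER_ROLE in roles,
    }


def set_role(backend, user, response, *args, **kwargs):
    """Pipeline entry point (assumed python-social-auth signature); list it
    in SOCIAL_AUTH_PIPELINE after the step that creates the user.  Django
    and social_core are imported lazily so the pure functions above run
    without them."""
    from django.contrib.auth.models import Group
    from social_core.exceptions import AuthForbidden

    decision = resolve_netbox_roles(response)
    if decision is None:
        raise AuthForbidden(backend)
    # Groups are not auto-created (as the first post notes): only existing
    # NetBox groups with a matching name are assigned, others are ignored.
    user.groups.set(Group.objects.filter(name__in=decision["groups"]))
    user.is_staff = decision["is_staff"]
    user.is_superuser = decision["is_superuser"]
    user.save()


if __name__ == "__main__":
    # Constructed sample claims for a staff user who also has an unrelated role.
    sample = {"roles": ["netbox:access", "netbox:staff", "offline_access"]}
    print(resolve_netbox_roles(sample))
```

Keeping the decision logic separate from the Django calls means the mapping (which roles grant access, which toggle staff or superuser) can be unit-tested against sample claims before the step is wired into a live login flow, and a user lacking the access role is refused instead of being created with no groups.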
-
I have configured Netbox to authenticate against Keycloak and that works very well, there only doesn't seem to be a way to sync groups and/or assign staff/superuser based on group membership.
With the RemoteUserBackend you can set which HTTP header contains groups and which groups grant superuser or staff status. The token I authenticate with includes the groups, but I can't figure out how to make them sync.
Is this possible at all?