SAML Authentication #1677

Closed
lampwins opened this issue Nov 1, 2017 · 13 comments
Comments

@lampwins
Contributor

lampwins commented Nov 1, 2017

Issue type

[x] Feature request
[ ] Bug report
[ ] Documentation

Description

My employer is currently going through a large push to use SAML for application authentication. As such, I would like to implement SAML for netbox. I have several django projects similar to (and sometimes based on the core of) netbox for which I am currently working on SAML integration, so it would be rather trivial to contribute it back.

This was first brought up in #118, but I also agree with the decision to close that issue for being too broad and under-defined. This request covers only the addition of SAML support for authentication and no other use case.

Let me be clear in saying this is something I am 100% willing to do the work on myself.

I see it looking very similar to the LDAP support, in that it is a bolt-on that a user must enable themselves. This would most likely be using djangosaml2.

@Eric2XU

Eric2XU commented Nov 1, 2017

I too need this feature, to use with Azure SAML. I also am willing to pitch in (although most of this is above my head). I am willing to help as a tester and perhaps contribute where I can. Please keep me in the loop.

SAML is preferred but, like I said, a little over my head. My other thought was to get Kerberos SSO working on Apache, then figure out a way to get Netbox to use the authenticated user object created by Apache, although that is where I would have a hard time figuring out where in the code base to change (while I know other languages, py isn't one I know, so I would be winging it). https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html Since I use Azure, I can route traffic through the Azure proxy, which will automatically pass the Kerberos creds to Apache.

@explody
Contributor

explody commented Nov 4, 2017

Check this out. https://github.com/explody/netbox/blob/basic_saml_support/README_SAML.md

It may need some additional tweaking before submitting a PR but it's working for us currently.

@lampwins
Contributor Author

@explody are you okay with me working on that a bit?

@explody
Contributor

explody commented Dec 14, 2017

Certainly. It's entirely functional for us, but we also sort of threw the structure of it together - naming and location of vars and configs, etc. I was thinking it could use some tidying up before a PR, just haven't gotten back to it yet.

Commits are here in case it wasn't immediately obvious: https://github.com/explody/netbox/commits/basic_saml_support

@rhysjtevans

rhysjtevans commented Jan 10, 2018

Hi @explody, great work! Quick question: how do you differentiate users into different groups?

I'd be interested in mapping an Active Directory group membership to a netbox group via SAML.

jeremystretch added the labels "status: accepted" (This issue has been accepted for implementation) and "type: minor feature" on Jan 30, 2018
@girlpunk

girlpunk commented Feb 6, 2018

@explody Just tried that on my install. I think the documentation needs a little tweaking, but overall it works well. I'd agree with @rhysjtevans as well; it would be nice if AD groups could set edit permissions.

@explody
Contributor

explody commented Feb 28, 2018

We need group support as well, and are intending to get to it as soon as possible (can't say when though).

Re: docs, let me know what needs tweaking; I'm happy to include improvements.

@pcabido

pcabido commented Mar 6, 2018

@explody great work on this. I've done something similar with django_saml2_auth and Okta; it wasn't too hard, but I like what you did here, it's a lot more complete than my hack. I encourage you to make the PR and commit upstream. SAML support is only more common nowadays, and I believe a lot of users would benefit from your work.

I'd also suggest using or documenting how to use the metadata auto-config URL; Okta, for example, supports that and it makes things easier.

@01000101

+1 for adding group support. Our organization just set this up with SAML but can't find a way to pass in group information.

@LukeDRussell
Contributor

@jeremystretch You've labelled this as accepted. Does that mean @lampwins has the OK to submit a PR (assuming he is still keen)?

@DouglasHeriot

This is a feature we need too, to use with Okta. We’re about to start working on this as it’s been marked as accepting pull requests – does that sound good, or should we go for the #2328 option instead and put our work there?

@anthonyeden

Hi all,

Just letting you know I've begun work on SAML2 Authentication for NetBox. You can see my draft pull request here: #3010

There's still more work to be done, but I'd appreciate any feedback on my approach thus far.

@jeremystretch
Member

Given the prevalence of issues following the introduction of LDAP authentication support and the overall burden of maintaining multiple remote authentication mechanisms, the maintainers have decided to pursue instead support for generic remote authentication handled by the HTTP frontend (see #2328). This will greatly simplify the logic needed by NetBox, as well as offer the most flexibility to the end user around what mechanisms are supported and how they can be configured.

jeremystretch removed the labels "status: accepted" (This issue has been accepted for implementation) and "type: minor feature" on Oct 15, 2019
lock bot locked as resolved and limited conversation to collaborators on Jan 15, 2020