SAML to Entra

[ataylor-orcsd-org]

Hello,

I'm getting Netbox set up to log in via SSO to EntraID. I have the connection working partially, but am running into some issues.

Currently I click the Login via SSO button on the home page, am redirected to Microsoft's servers, then back to Netbox. I then get a Server Error stating:
`A file permission error was detected while processing this request. Common causes include the following:

Insufficient write permission to the media root. The configured media root is . Ensure that the user NetBox runs as has access to write files to all locations within this path.

The complete exception is provided below:

<class 'PermissionError'>

SAML2 backend SAML2CustomAttrUserBackend missing attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Python version: 3.12.3
NetBox version: 4.3.0
Plugins:
django3_saml2_nbplugin: 2.0
netbox_branching: 0.5.4
netbox_floorplan: 0.7.0`

I have ensured the entire /opt/netbox directory is owned by netbox:netbox with 755 permissions. It looks like I'm missing a media root entirely, though I do have the line in my config.py MEDIA_ROOT = '/opt/netbox/netbox/media'.

I appreciate any thoughts you may have. Thanks!

[markkuleinio]

The error message is actually (the common causes guess for insufficient write permission is not correct in this case):

SAML2 backend SAML2CustomAttrUserBackend missing attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

So check your configurations in Entra ID

[ataylor-orcsd-org]

I have that claim in Entra already. Unfortunately I don't see any typos either. Is there another variation I should add?

Thanks

[markkuleinio]

Right, does your user have an email address configured as well? Otherwise I don't have better ideas, someone else have always configured the EID side for me.

[necouchman]

Having just recently fought with this...and won...I think I can offer a solution. The key is actually in the documentation for the plugin:

Attributes

Newer versions of pysaml2 uses an attribute map.
For example, instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the configuration above, emailAddress should be used instead.
See here for details.

The pysaml2 library actually does an automatic mapping of many of the attributes from the full claim name (http:///schemas...etc.) to shorter attribute names. This isn't optional, this is required if you're using the version of pysaml2 that includes this, so you must refer to the attributes by their short names. So, my configuration for this module ended up looking like this:

    "django3_saml2_nbplugin": {
        # Use the Netbox default remote backend
        'AUTHENTICATION_BACKEND': 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend',

        # Custom URL to validate incoming SAML requests against
        'ASSERTION_URL': 'https://netbox.company.com/api/plugins',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO
        'ENTITY_ID': 'https://netbox.company.com/',

        # Metadata is required, choose either remote url
        'METADATA_AUTO_CONF_URL': 'https://login.microsoftonline.com/<REDACTED>',

        # Settings for SAML2CustomAttrUserBackend. Optional.
        'CUSTOM_ATTR_BACKEND': {
            # Attribute containing the username. Optional.
            'USERNAME_ATTR': 'name',
            # Attribute containing the user's email. Optional.
            'MAIL_ATTR': 'emailAddress',
            # Attribute containing the user's first name. Optional.
            'FIRST_NAME_ATTR': 'givenName',
            # Attribute containing the user's last name. Optional.
            'LAST_NAME_ATTR': 'surname',
            # Set to True to always update the user on logon
            # from SAML attributes on logon. Defaults to False.
            'ALWAYS_UPDATE_USER': True,
            # Attribute that contains groups. Optional.
            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
        }
    }

Note that it does not appear that the "groups" claim is translated ("group", singular is, "groups", plural, is not), so you'll need the full attribute name for group mapping.