Access Denied error after Okta authentication

[Philip Richards]

I have a nearly (I think) working setup using Okta for SAML authentication. Hopefully someone with expertise in this subject will be able to assist me with the following issue.

The Okta authentication seems to work seems to work fine but then I'm returned to NetBox with the errors "Access Denied" and "You do not have permission to access this page".

I'm running Netbox 3.0.2 with the "Netbox Plugin for SSO using SAML2" and "Django3 Auth SAML2 Integration" plugins installed.

In Okta the URLs are configured as below :-

SSO URL https://netbox-xxx/api/plugins/sso/acs

Receipient URL https://netbox-xxx/api/plugins/sso/acs

Destination URL https://netbox-xxx/api/plugins/sso/acs

Audience Redirection https://netbox-xxx

In NetBox I have REMOTE_AUTH_BACKEND set to "django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend". Not completely sure if this correct or not.

After the Okta authentication has completed successfully I'm directed to the page "https://netbox-xxx/api/plugins/sso/acs" but with the access denied error.

Should it be returning me to SSO URL or should it be returning me to the front page? Or Is this page correct but there is a permissions problem?

I've tried adjusting the URLs in Okta but without any success. 

Any advice would be gratefully received. This is all a new subject to me I may be doing something fundamentally wrong.

Thanks

Phil

[Pieter Lambrecht]

Philip,

Make sure that OKTA return group names, and that those groups exists in netbox/admin/groups.

Example of my working configuration.py : 

# Remote authentication support

REMOTE_AUTH_ENABLED = True

REMOTE_AUTH_BACKEND = 'django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend'

REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'

REMOTE_AUTH_AUTO_CREATE_USER = True

REMOTE_AUTH_DEFAULT_GROUPS = ['']

REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

PLUGINS = ['django3_saml2_nbplugin']

PLUGINS_CONFIG = {

    'django3_saml2_nbplugin': {

        # Use the Netbox default remote backend

        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

        # Custom URL to validate incoming SAML requests against

        'ASSERTION_URL': 'https://netbox.cloud',

        # Populates the Issuer element in authn reques e.g defined as "Audience URI (SP Entity ID)" in SSO

        'ENTITY_ID': 'https://netbox.cloud/',

        # Metadata is required, choose either remote url

        'METADATA_AUTO_CONF_URL': "https://abc.okta-emea.com/app/someuniquecode/sso/saml/metadata",

        # Settings for SAML2CustomAttrUserBackend. Optional.

        'CUSTOM_ATTR_BACKEND': {

            # Attribute containing the username. Optional.

            'USERNAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username',

            # Attribute containing the user's email. Optional.

            'MAIL_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

            # Attribute containing the user's first name. Optional.

            'FIRST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',

            # Attribute containing the user's last name. Optional.

            'LAST_NAME_ATTR': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',

            # Set to True to always update the user on logon

            # from SAML attributes on logon. Defaults to False.

            'ALWAYS_UPDATE_USER': True,

            # Attribute that contains groups. Optional.

            'GROUP_ATTR': 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',

            # Dict of user flags to groups.

            # If the user is in the group then the flag will be set to True. Optional.

            'FLAGS_BY_GROUP': {

                'is_staff': 'role-sg-netbox-admins',

                'is_superuser': 'role-sg-netbox-admins'

            },

            # Dict of SAML groups to NetBox groups. Optional.

            # Groups must be created beforehand in NetBox.

            'GROUP_MAPPINGS': {

                'role-sg-netbox-users': 'role-sg-netbox-users'

            }

        }

    }

}

In OKTA, make sure to set the 'Name Format' of the attributes to 'URI Reference' and use the URI's of above

Hope it helps !

Pieter

Op donderdag 4 november 2021 om 15:57:01 UTC+1 schreef Philip Richards:

[Philip Richards]

Pieter,

Thanks for your reply. Its still not working for me though.

To my untrained eye everything looks to match between Okta and NetBox.

My Okta settings are currently as below :-

My configuration.py is as below :-

My Okta expert thinks it look ok. However I'm still getting the 403. 

Looking at the message file entries for the failed attempts I get a number of "SAML2: missing response" errors from django3_auth_saml2.view.

There is a SAMLresponse in the SAML tracer but I guess that NetBox isn't happy with what it is receiving?

Any other thoughts? Any idea greatly received. 

Thanks

Phil

[Philip Richards]

Got it working - finally managed to get an acceptable combination of URLs - with and without trailing slashes.

Within Okta my URLs were below :

Single Sign On URL https://netbox-test.xxx/sso/acs/

Recipient URL https://netbox-test.xxx/

Destination URL https://netbox-test.xxx/sso/acs/

Audience Restriction https://netbox-test.xxx.com

And also I needed set both "Response" and "Assertion Signature" to "signed". 

And then it all magically worked.