Custom Pipeline for Azure SSO Groups

[TimoHess]

Hello. I tried setting up Azure SSO with oauth2. This is working. Now I try to assign the special groups from Azure groups to Netbox.

I tried already different custom pipelines. For example this one: #9216 (#9216 )

All I get is this error message:

I set up the pipeline as followed:

In configuration.py:

REMOTE_AUTH_BACKEND = 'social_core.backends.azuread.AzureADOAuth2'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# Azure Oauth2 SSO Secret Keys:
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = 'SECRET'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = 'SECRET'
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
REMOTE_AUTH_DEFAULT_GROUPS = '{}'
SOCIAL_AUTH_CLEAN_USERNAMES = False
SOCIAL_AUTH_AZUREAD_OAUTH2_DEFAULT_SCOPE = [
    "openid",
    "profile",
    "user_impersonation",
    "email",
    "groups",
]
SOCIAL_AUTH_AZUREAD_OAUTH2_EXTRA_DATA = [
    ("groups", "groups")
]
SOCIAL_AUTH_PIPELINE = [
        'social_core.pipeline.social_auth.social_details',
        'social_core.pipeline.social_auth.social_uid',
        'social_core.pipeline.social_auth.social_user',
        'social_core.pipeline.user.get_username',
        'social_core.pipeline.social_auth.associate_by_email',
        'social_core.pipeline.user.create_user',
        'social_core.pipeline.social_auth.associate_user',
        'netbox.authentication.user_default_groups_handler',
        'social_core.pipeline.social_auth.load_extra_data',
        'social_core.pipeline.user.user_details',
        'netbox.azuread-oauth2-groups.set_role'
]
REMOTE_AUTH_AUTO_CREATE_GROUPS = True

azuread-oauth2-groups.py:

from django.contrib.auth.models import Group

class AuthFailed(Exception):
    pass

def set_role(response, user, backend, *args, **kwargs):
    '''
    Get roles from JWT
    Assign user to netbox group matching role
    Also set is_superuser or is_staff for special roles 'superusers' and 'staff'
    '''
    try:
        roles = response['roles']
    except KeyError:
        user.groups.clear()
        raise AuthFailed("No role assigned")

    try:
        user.is_superuser = False
        user.is_staff = False

        for role in roles:
            if role == 'Netbox.Admin':
                user.is_superuser = True
                user.save()
                continue
            if role == 'Netbox.RW':
                user.is_staff = True
                user.save()
                continue

            group, created = Group.objects.get_or_create(name=role)
            group.user_set.add(user)
    except Group.DoesNotExist:
        pass

I hope somebody can help me with assigning the special roles. I also tried groups without a dot and I get the same error.

[netravnen]

Notes

1. Edit: The example is valid for Netbox < 4.0.0
2. Edit: Inline edits have been added for the changes necessary for the example to work in 4.0.11
3. The roles returned to Netbox are defined under the Azure Application (OIDC) in Microsoft Entra ID Centre (link)
4. This setup expects the role returned to be identical (Case-Sensitive!) to our group name(s) in Netbox. If groups are to be assigned to the Netbox user.
   • If 'readonly' are returned from the OIDC-App. This could be mapped to a Netbox group using the following logic in the for-loop.

     # Match the string (aka. role).
     if role == 'readonly':
         # Add the user to the specified Netbox group (must have been manually created beforehand)
         user.groups.add(Group.objects.get(name='ReadOnlyAccess'))

   • Or have a group in Netbox called 'readonly' (i.e. The Netbox Group name matches 1:1 the role string configured under & return, at login, by the OIDC-App)
5. To avoid Auth problems ('No role returned'). You could assign a dummy group, that does not give any permissions in Netbox, to all domain users. This will give the user permission to log into Netbox and have a Netbox account auto-created. Without being given any actual access to any Netbox data.
   • Else, you will have to look into error handling when Auth Pipeline fails. If you want the failure to be handled differently.

Custom Pipeline

# configuration/netbox-custom-pipeline.py

# Netbox < 4.0.0
from django.contrib.auth.models import Group

# Netbox >= 4.0.0
#from netbox.authentication import Group

class AuthFailed(Exception):

    pass

def set_role(response, user, backend, *args, **kwargs):

    '''
    Get roles from JWT. Assign user to netbox group matching role name returned
    by the OIDC Application. Also set is_superuser or is_staff for special roles
    and special user accounts dedicated for ADMIN purposes.
    '''
    try:

        '''
        Take the role object from the OIDC response and assign to variable.
        '''
        roles = response['roles']

        '''
        Take the email object from the OIDC response and assign to variable.
        We use this later to assign superuser permissions in Netbox if group
        membership exists for the account and special ADMIN accounts are used.
        '''
        email = response['upn']

    except KeyError:

        '''
        We throw this error if the application has no roles assigned to it
        in Microsoft Entra ID OIDC to this specific application ID we use to
        validate out application against Azure AD.
        https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps
        '''
        raise AuthFailed("No role assigned to your user account from the configured Auth Provider")

    '''
    Ensure we clear group memberships before starting the pipeline. Ensuring
    we always assign only current group memberships as retrieved from our auth
    provider. This ensures we add and remove group memberships in Netbox that
    have been updated in our App Role(s).
    '''
    user.groups.clear()

    try:

        '''
        Set the superuser and staff role to false by default. Overwrite below if
        specific roles are assigned to the user via direct or group membership.
        https://demo.netbox.dev/static/docs/installation/6-ldap/#user-groups-for-permissions

        Superuser: This permission overrides all permission delegated with groups and permissions
                   to the user account. And gives full access to everything.
        Staff: Enable access to the Admin panel in Netbox
        '''
        user.is_superuser = False
        user.is_staff = False

        for role in roles:

            '''
            We default to enabling the staff permission for users in the Netbox-Admins group.
            '''
            if role == 'Netbox-Admins':

                '''
                Only enable the built-in superuser permission for special purpose accounts starting
                with ADMIN.

                OPTIONAL
                Raise an authentication error message if a non-ADMIN user is member of the Netbox-Admins
                group and tries to login.
                '''
                if email.startswith('adm') == True:
                    user.is_superuser = True
                else:
                    '''
                    OPTIONAL
                    Depending on requirements, you CAN throw an error if a user does match the above
                    criteria were assigned to this group and tries to login into Netbox.
                    If not required. Remove this else clause.
                    '''
                    raise AuthFailed("Superuser group membership incorrectly delegated to non-ADMIN user")
                    break

                user.is_staff = True

            group, created = Group.objects.get_or_create(name=role)
            # Netbox < 4.0.0
            group.user_set.add(user)
            # Netbox >= 4.0.0
            #group.users.add(user)

        '''
        Save the permissions we modified. This needs to be after the for-loop. If multiple roles are
        returned and we save while looping through the roles. Only the last assigned role to the user
        is saved (the rest is overwritten).
        '''
        user.save()

    except Group.DoesNotExist:

        pass

Extra configuration

# configuration/extra-configuration.py

'''
Do not auto-create groups. Configured Netbox groups must match 1:1 the role-names
return from the Auth Provider App we setup for Netbox.
'''
REMOTE_AUTH_AUTO_CREATE_GROUPS = False

'''
Auto create users if validated by our Auth Provider
'''
REMOTE_AUTH_AUTO_CREATE_USER = True

REMOTE_AUTH_BACKEND = 'social_core.backends.azuread.AzureADOAuth2'

'''
Do not assign any permissions by default. We rely on the group permissions and roles
set by our Auth Provider App.
'''
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_STAFF_GROUPS = []
REMOTE_AUTH_SUPERUSER_GROUPS = []

REMOTE_AUTH_ENABLED = True

'''
We need to explicitly request information concerning assigned roles to the user. The built in
configured for AzureADOAuth2 in Netbox does not include this scope out of the box.
'''
SOCIAL_AUTH_AZUREAD_OAUTH2_EXTRA_DATA = [('roles','roles')]

SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = '****************************'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = '**************************'

'''
Only allow users with these mail domains to log in. Measure to avoid external
users added to our Azure organization can log into Netbox with non-corp E-Mail address.
'''
SOCIAL_AUTH_AZUREAD_WHITELISTED_DOMAINS = ['example.com','example.org']

'''
Enforce HTTPS redirect.
'''
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

'''
Set the username the same as the E-mail address. AzureADOAuth2 defaults to username
format FirstLastname by default.
'''
SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL = True

'''
Our pipeline
'''
SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    # Look up existing users by E-mail. As we trust our Corp Azure AD
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'netbox.authentication.user_default_groups_handler',
    # Enable loading of extra scopes (e.g. roles)
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
     # Enable our custom pipeline
    'netbox.custom_pipeline.set_role'

    # Debug the pipeline - Only do this for a test-instance!!!
    # 'social_core.pipeline.debug.debug'
)

[netravnen]

@TimoHess Does this qualify as an answer to your question?

[marsteel]

@netravnen @TimoHess with Netbox v4.0.x , the
from django.contrib.auth.models import Group
group, created = Group.objects.get_or_create(name=role)

The Group is empty. Please refer to #9635 (reply in thread) for fixing the netbox-custom-pipeline.py in >Netbox v4.0.0

[netravnen]

@marsteel still stuck on the last 378 release. Have not had time to perform necessary testing for upgrading to 4

[netravnen]

Added inline comments with the changes necessary for the custom pipeline to work in Netbox >= 4.0.0 (Tested on 4.0.11)

[shahbhavik2583]

I get Authfailed error no role assigned. What am i going wrong? I have updated configuration.py and created custom.pipeline. Group names in azure ad and netbox are same. what am I missing. any help?

[ALL-SPACE-Anas]

I'm in the same boat, in my case the response JSON from azure doesn't include the "roles" key which netbox-custom-pipeline.py tries to get with line roles = response['roles']. I've explicitly added "app roles" on azure end but no luck so far. Please let me know if you find a fix.