Netbox 4.0 and G-Suite (Google Web Apps) SAML Failure #16194

Closed
UntestedEngineer opened this issue May 19, 2024 · 2 comments

UntestedEngineer commented May 19, 2024

Deployment Type

Self-hosted

NetBox Version

v4.0.0

Python Version

3.11

Steps to Reproduce

  1. Set REMOTE_AUTH_BACKEND to: social_core.backends.saml.SAMLAuth

  2. Define appropriate SOCIAL_AUTH_SAML_SP_ENTITY_ID and SOCIAL_AUTH_SAML_ENABLED_IDPS dictionary elements (The values referenced are defined variables in the config file).

  3. SOCIAL_AUTH_SAML_ENABLED_IDPS = {
         "google": {
             "entity_id": GOOGLE_ENTITY_ID,
             "url": GOOGLE_SSO_URL,
             "x509cert": GOOGLE_CERTIFICATE,
             "attr_user_permanent_id": "email",
             "attr_first_name": "first_name",
             "attr_last_name": "last_name",
             "attr_username": "email",
             "attr_email": "email",
         }
     }
     SOCIAL_AUTH_SAML_SP_ENTITY_ID = "https://abc.example.net"

  4. Ensure Google Web Apps section has proper configuration to match. The ACS URL I am using is: https://abc.example.net/complete/saml/

Expected Behavior

When clicking on the saml (google) button upon login I expect to be logged in with my G-Suite Username once the authentication passes. Coming from Netbox 3.7.7 and I realize all of the custom SAML plugins no longer work so I am trying to use the social_core.backends.saml.SAMLAuth backend from the social-auth-core[saml] python library.

Just for reference I used the custom SAML backend with the custom SAML netbox plugin in 3.7.7 and it works with no issues using Google Web Apps.

Observed Behavior

When I click on the saml (google) button I get prompted for my Google login but when authentication passes I get looped right back to the login page. I am not sure I have the right ACS URL in Google Web Apps, however I believed it to be correct based on the saml documentation for social_core.

It is also worth noting that I am unable to use the most recent version of "lxml" as it causes a version conflict with "xmlsec" and "libxml2". I need to manually downgrade lxml to 5.1.1 for version conflict resolution. I found this when I attempted to start the netbox application and it would dump with a version mis-match between lxml, xmlsec and libxml2.

UntestedEngineer added the "status: needs triage" and "type: bug" labels May 19, 2024

jeffgdotorg added the "status: revisions needed" label and removed the "status: needs triage" label May 21, 2024
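
A pre-flight check for the kind of configuration shown in the steps above, as an added example that is not part of the original issue or of NetBox. It checks a settings dict against the options the python-social-auth SAML documentation lists as required and against the attribute names the IdP is set up to send; the function name, the `idp_attributes` parameter and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Settings the python-social-auth SAML backend documentation lists as required.
REQUIRED_SETTINGS = (
    "SOCIAL_AUTH_SAML_SP_ENTITY_ID",
    "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT",
    "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY",
    "SOCIAL_AUTH_SAML_ORG_INFO",
    "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT",
    "SOCIAL_AUTH_SAML_SUPPORT_CONTACT",
    "SOCIAL_AUTH_SAML_ENABLED_IDPS",
)
REQUIRED_IDP_KEYS = ("entity_id", "url", "x509cert")


def check_saml_settings(cfg, idp_attributes=None):
    """Return a list of problems found in a dict of SOCIAL_AUTH_SAML_* settings.

    idp_attributes (hypothetical parameter): attribute names the IdP is
    configured to put in its assertion, used to verify the attr_* mappings.
    """
    problems = [f"missing or empty: {n}" for n in REQUIRED_SETTINGS if not cfg.get(n)]
    for name, idp in (cfg.get("SOCIAL_AUTH_SAML_ENABLED_IDPS") or {}).items():
        for key in REQUIRED_IDP_KEYS:
            if not idp.get(key):
                problems.append(f"idp {name}: missing or empty {key}")
        url = idp.get("url")
        if url and urlparse(url).scheme != "https":
            problems.append(f"idp {name}: SSO url is not https")
        if idp_attributes is not None:
            # Each attr_* value must name an attribute present in the assertion.
            for key, attr in idp.items():
                if key.startswith("attr_") and attr not in idp_attributes:
                    problems.append(f"idp {name}: {key} maps to {attr!r}, not sent by IdP")
    return problems


# Constructed sample (not the reporter's real values): only two settings defined.
SAMPLE = {
    "SOCIAL_AUTH_SAML_SP_ENTITY_ID": "https://abc.example.net",
    "SOCIAL_AUTH_SAML_ENABLED_IDPS": {"google": {
        "entity_id": "https://idp.example/entity",
        "url": "http://idp.example/sso",
        "x509cert": "",
        "attr_username": "email",
        "attr_first_name": "first_name",
    }},
}
```

Calling `check_saml_settings(SAMPLE, idp_attributes={"email"})` lists every gap in the constructed sample; an empty list means the structural checks passed, not that the login flow itself is working.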
@jeffgdotorg (Collaborator)

Thanks for reporting a problem you've encountered in NetBox.

The very nature of this report makes it challenging for a maintainer to reproduce, since it assumes both familiarity with SAML and access to a Google Web Apps organization with adequate permission to configure the required resources on that side. Furthermore, the final paragraph of your issue body leads me to wonder if library version conflicts on your system might be contributing to the problem.

If you are aware of any code changes since NetBox 3.7.7 that you suspect could be causing this problem, we're open to investigating them, but please bear in mind that issues are not a channel for end-user support.

@UntestedEngineer (Author)

This can be closed. Someone was nice enough to update the original netbox saml2 plugin to support 4.0+. I tested it and it works as it did in 3.X.

https://github.com/jeremyschulman/netbox-plugin-auth-saml2

jeremystretch removed the "type: bug" and "status: revisions needed" labels May 28, 2024