SAML Authentication #1373

Closed
opened 2025-12-29 16:31:51 +01:00 by adam · 13 comments

Originally created by @lampwins on GitHub (Nov 1, 2017).

Issue type

[ x ] Feature request
[ ] Bug report
[ ] Documentation

Description

My employer is currently going through a large push to use SAML for application authentication. As such, I would like to implement SAML for NetBox. I have several Django projects similar to (and sometimes based on the core of) NetBox for which I am currently working on SAML integration, so it would be rather trivial to contribute it back.

This was first brought up in #118, but I also agree with the decision to close that issue for being too broad and underdefined. This request covers only the addition of SAML support for authentication and no other use case.

Let me be clear in saying this is something I am 100% willing to do the work on myself.

I see it looking very similar to the LDAP support, in that it is a bolt-on that a user must enable themselves. This would most likely be using djangosaml2 (https://github.com/knaperek/djangosaml2).

adam closed this issue 2025-12-29 16:31:51 +01:00

@Eric2XU commented on GitHub (Nov 1, 2017):

I too need this feature to use with Azure SAML. I also am willing to pitch in (although most of this is above my head). I am willing to help be a tester and perhaps contribute where I can. Please keep me in the loop.

SAML is preferred but like I said a little over my head. My other thought was to get Kerberos SSO working on Apache, then figure out a way to get Netbox to use the authenticated user object created by Apache, although that is where I would have a hard time figuring out where in the code base to change (while I know other languages, py isn't one I know, so I would be winging it). https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html Since I use Azure, I can route traffic through the Azure proxy, which will automatically pass the Kerberos creds to Apache.


@explody commented on GitHub (Nov 4, 2017):

Check this out. https://github.com/explody/netbox/blob/basic_saml_support/README_SAML.md

It may need some additional tweaking before submitting a PR but it's working for us currently.


@lampwins commented on GitHub (Dec 14, 2017):

@explody are you okay with me working on that a bit?


@explody commented on GitHub (Dec 14, 2017):

Certainly. It's entirely functional for us, but we also sort of threw the structure of it together - naming and location of vars and configs, etc. I was thinking it could use some tidying up before a PR, just haven't gotten back to it yet.

Commits are here in case it wasn't immediately obvious: https://github.com/explody/netbox/commits/basic_saml_support


@rhysjtevans commented on GitHub (Jan 10, 2018):

Hi @explody, great work! Quick question: how do you differentiate users to different groups?

I'd be interested in mapping an Active Directory group membership to a netbox group via SAML.


@girlpunk commented on GitHub (Feb 6, 2018):

@explody Just tried that on my install, I think the documentation needs a little tweaking, but overall it works well. I'd agree with @rhysjtevans as well, would be nice if AD groups could set edit permissions.


@explody commented on GitHub (Feb 28, 2018):

We need group support as well, and are intending to get to it as soon as possible (can't say when though).

re:Docs, let me know what needs tweaking, I'm happy to include improvements.


@pcabido commented on GitHub (Mar 6, 2018):

@explody great work on this. I've done something similar with django_saml2_auth and Okta; it wasn't too hard, but I like what you did here, it's a lot more complete than my hack. I encourage you to make the PR and commit upstream. SAML support is only more common nowadays and I believe a lot of users would benefit from your work.

I'd also suggest using or documenting how to use the metadata auto config URL; Okta, for example, supports that and it makes things easier.


@01000101 commented on GitHub (Mar 13, 2018):

+1 for adding group support. Our organization just set this up with SAML but can't find a way to pass in group information.


@LukeDRussell commented on GitHub (May 22, 2018):

@jeremystretch You've labelled this as accepted. Does that mean @lampwins has the OK to submit a PR (assuming he is still keen)?


@DouglasHeriot commented on GitHub (Feb 21, 2019):

This is a feature we need too, to use with Okta. We’re about to start working on this as it’s been marked as accepting pull requests – does that sound good, or should we go for the #2328 option instead and put our work there?


@anthonyeden commented on GitHub (Mar 15, 2019):

Hi all,

Just letting you know I've begun work on SAML2 Authentication for NetBox. You can see my draft pull request here: https://github.com/digitalocean/netbox/pull/3010

There's still more work to be done, but I'd appreciate any feedback on my approach thus far.


@jeremystretch commented on GitHub (Oct 15, 2019):

Given the prevalence of issues following the introduction of LDAP authentication support and the overall burden of maintaining multiple remote authentication mechanisms, the maintainers have decided to pursue instead support for generic remote authentication handled by the HTTP frontend (see #2328). This will greatly simplify the logic needed by NetBox, as well as offer the most flexibility to the end user around what mechanisms are supported and how they can be configured.
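
The approach named in the comment above, where the HTTP frontend performs the authentication (SAML or otherwise) and hands the result to the application, sketched as an added example that is not NetBox's code: a WSGI middleware that accepts a frontend-asserted username only when the request arrives from the frontend itself. The header name `X-Remote-User`, the proxy address `127.0.0.1` and the `auth.user` environ key are assumptions chosen for illustration.

```python
"""Added example: accept a frontend-asserted identity only from the frontend."""
import ipaddress

# Assumptions for illustration (not NetBox settings):
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
IDENTITY_KEY = "HTTP_X_REMOTE_USER"  # WSGI form of an "X-Remote-User" header


def from_trusted_proxy(environ):
    """True when the TCP peer is the authenticating frontend."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class FrontendIdentityMiddleware:
    """Expose the frontend's username to the app as environ['auth.user']."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Remove the raw header so downstream code only sees the vetted value.
        asserted = environ.pop(IDENTITY_KEY, "").strip()
        trusted = bool(asserted) and from_trusted_proxy(environ)
        environ["auth.user"] = asserted if trusted else None
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Tiny app standing in for the real application."""
    user = environ.get("auth.user")
    status = "200 OK" if user else "401 Unauthorized"
    start_response(status, [("Content-Type", "text/plain")])
    return [(user or "anonymous").encode()]


def simulate(remote_addr, header_value=None):
    """Run one constructed request through the stack; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[IDENTITY_KEY] = header_value
    seen = {}
    body = FrontendIdentityMiddleware(whoami_app)(
        environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(body).decode()
```

The peer-address check only holds if the frontend also overwrites any client-supplied copy of the header before forwarding, and if the application port is not reachable except through the frontend.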


Reference: starred/netbox#1373