From 99d13f5653c27dc16bf57b4dfe6766a4dc6742da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 3 Apr 2023 17:11:06 +0300 Subject: [PATCH] Add SSO (Keycloak) information to NetBox docs --- docs/services/netbox.md | 49 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/services/netbox.md b/docs/services/netbox.md index d023d81..7fa40e1 100644 --- a/docs/services/netbox.md +++ b/docs/services/netbox.md @@ -58,6 +58,7 @@ You can remove the `netbox_path_prefix` variable definition, to make it default If `netbox_environment_variable_superuser_*` variables are specified, NetBox will try to create the user (if missing). +[Single-Sign-On](#single-sign-on-sso-integration) is also supported. ### Redis 
@@ -198,6 +199,54 @@ netbox_container_additional_networks_custom: ######################################################################## ``` +### Single-Sign-On (SSO) integration + +NetBox supports different [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/) backends, including those provided by the [Python Social Auth](https://python-social-auth.readthedocs.io/) library. This library is included in the NetBox container image by default, so you can invoke any [backend](https://github.com/python-social-auth/social-core/tree/master/social_core/backends) provided by it. + +Each module's Python file contains detailed information about how to configure it. It should be noted that module-specific configuration is passed as Python configuration (via `netbox_configuration_extra_python`), and **not as environment variables**. + +We have detailed information about integrating with [Keycloak](keycloak.md) below. +You can use the configuration in the [Keycloak section](#keycloak) as a template for configuring other backends. + +#### Keycloak + +To integrate with [Keycloak](keycloak.md) use the following **additional** configuration: + +```yaml + +netbox_environment_variables_additional_variables: | + REMOTE_AUTH_ENABLED=True + REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2 + +netbox_configuration_extra_python: | + # These need to match your Client app information in Keycloak. 
See below + SOCIAL_AUTH_KEYCLOAK_KEY = '' + SOCIAL_AUTH_KEYCLOAK_SECRET = '' + + # The value for this is retrieved from Keycloak -> Realm Settings -> Keys tab -> Public key button for RS256 + SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = '' + + # The value for these are retrieved from Keycloak -> Realm Settings -> General tab -> OpenID Endpoint Configuration button + SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/auth' + SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/token' + +# If Keycloak is running on the same server, uncomment the lines below +# and replace HOSTNAME with the hostname of the Keycloak server (e.g. mash.example.com or keycloak.example.com). +# netbox_container_extra_arguments: +# - --add-host=HOSTNAME:{{ ansible_host }} +``` + +The Client app needs to be created and configured in a special way on the Keycloak side by: + +- activating **Client authentication** +- in **Advanced**, changing the following settings: + - **Request object signature algorithm** = `RS256` + - **Request object signature algorithm** = `RS256` +- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and add a new mapper with the following settings: + - **Name** = anything you like (e.g. `netbox-audience`) + - **Included Client Audience** = the key of this Client app (e.g. `netbox`) + - **Add to access token** = On + ## Installation
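Review bot: in the Keycloak client checklist the bullet `**Request object signature algorithm** = `RS256`` appears twice under **Advanced**; the second entry reads like a copy-paste of the first and should name the setting it was actually meant to cover, otherwise readers will set one option and miss the other. Related gap in the same hunk: the YAML comment `# These need to match your Client app information in Keycloak. See below` points at the checklist, but nothing below says where `SOCIAL_AUTH_KEYCLOAK_KEY` and `SOCIAL_AUTH_KEYCLOAK_SECRET` come from (the client ID and the secret issued once **Client authentication** is on); one sentence there would make the template usable without guessing. The section also never states what happens to a Keycloak user on first login, namely whether NetBox creates the account and which groups or permissions it gets; pointing at NetBox's `REMOTE_AUTH_AUTO_CREATE_USER`, `REMOTE_AUTH_DEFAULT_GROUPS` and `REMOTE_AUTH_DEFAULT_PERMISSIONS` settings (or saying the defaults apply) would close that. Minor: `# The value for these are retrieved from` should read `The values for these are retrieved from`.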