Add SSO (Keycloak) information to NetBox docs
parent a87631690e
commit 99d13f5653
1 changed files with 49 additions and 0 deletions
@ -58,6 +58,7 @@ You can remove the `netbox_path_prefix` variable definition, to make it default
If `netbox_environment_variable_superuser_*` variables are specified, NetBox will try to create the user (if missing).
If `netbox_environment_variable_superuser_*` variables are specified, NetBox will try to create the user (if missing).
[Single-Sign-On](#single-sign-on-sso-integration) is also supported.
### Redis
### Redis
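Review bot: the added sentence `[Single-Sign-On](#single-sign-on-sso-integration) is also supported.` lands directly under the paragraph about `netbox_environment_variable_superuser_*`, so it reads as a property of superuser creation rather than of authentication in general; give it its own short lead-in (for example "Besides local accounts, ...") and confirm that the renderer slugs the `### Single-Sign-On (SSO) integration` heading to `single-sign-on-sso-integration` (parentheses dropped, as GitHub-flavoured renderers do), since the link is dead otherwise.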
@ -198,6 +199,54 @@ netbox_container_additional_networks_custom:
########################################################################
########################################################################
```
```
### Single-Sign-On (SSO) integration
NetBox supports different [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/) backends, including those provided by the [Python Social Auth](https://python-social-auth.readthedocs.io/) library. This library is included in the NetBox container image by default, so you can invoke any [backend](https://github.com/python-social-auth/social-core/tree/master/social_core/backends) provided by it.
Each module's Python file contains detailed information about how to configure it. It should be noted that module-specific configuration is passed as Python configuration (via `netbox_configuration_extra_python`), and **not as environment variables**.
We have detailed information about integrating with [Keycloak](keycloak.md) below.
You can use the configuration in the [Keycloak section](#keycloak) as a template for configuring other backends.
#### Keycloak
To integrate with [Keycloak](keycloak.md) use the following **additional** configuration:
```yaml
netbox_environment_variables_additional_variables: |
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2
netbox_configuration_extra_python: |
# These need to match your Client app information in Keycloak. See below
SOCIAL_AUTH_KEYCLOAK_KEY = ''
SOCIAL_AUTH_KEYCLOAK_SECRET = ''
# The value for this is retrieved from Keycloak -> Realm Settings -> Keys tab -> Public key button for RS256
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = ''
# The value for these are retrieved from Keycloak -> Realm Settings -> General tab -> OpenID Endpoint Configuration button
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://KEYCLOAK_URL/realms/REALM_IDENTIFIER/protocol/openid-connect/token'
# If Keycloak is running on the same server, uncomment the lines below
# and replace HOSTNAME with the hostname of the Keycloak server (e.g. mash.example.com or keycloak.example.com).
# netbox_container_extra_arguments:
# - --add-host=HOSTNAME:{{ ansible_host }}
```
The Client app needs to be created and configured in a special way on the Keycloak side by:
- activating **Client authentication**
- in **Advanced**, changing the following settings:
- **Request object signature algorithm** = `RS256`
- **Request object signature algorithm** = `RS256`
- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and add a new mapper with the following settings:
- **Name** = anything you like (e.g. `netbox-audience`)
- **Included Client Audience** = the key of this Client app (e.g. `netbox`)
- **Add to access token** = On
## Installation
## Installation
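Review bot: the **Advanced** sub-list states the same setting twice (`**Request object signature algorithm** = `RS256`` on two consecutive items); one of them is presumably meant to be a different Keycloak setting, so either drop the duplicate or name the second setting. The comment `# These need to match your Client app information in Keycloak. See below` points at a checklist that never says where the values for `SOCIAL_AUTH_KEYCLOAK_KEY` and `SOCIAL_AUTH_KEYCLOAK_SECRET` are copied from (the client's ID, and the secret that enabling **Client authentication** provides); add one line saying so, and consider a pointer to Ansible Vault for the secret since it ends up in plain playbook configuration. Finally, if the commented `# netbox_container_extra_arguments:` / `# - --add-host=HOSTNAME:{{ ansible_host }}` lines are indented inside the `netbox_configuration_extra_python: |` block scalar, uncommenting them makes them part of the Python string instead of a top-level playbook variable; move them to the top level of the YAML block (before the closing fence) so the "uncomment the lines below" instruction actually works.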