---
# Secret holding the SAML material the NetBoxEnterprise resource below refers to:
# the SP certificate (publicCert), the SP private key (privateKey) and the IdP
# signing certificate (idpPrimaryCert). Every value here is a synthetic placeholder
# (note the "1234567890abcdef..." filler) and must be replaced before use.
# stringData is stored by the API server as base64 under .data, not encrypted:
# anyone who can read Secrets in this namespace can read privateKey. Keep real key
# material out of version control (create the Secret from files or through an
# external secret manager) and scope RBAC on this namespace accordingly.
apiVersion: v1
kind: Secret
metadata:
  name: netbox-saml-sp-certs
  namespace: default
type: Opaque
stringData:
  # Service Provider public certificate in PEM format.
  # Literal block (|): line breaks and one trailing newline are kept as-is.
  # Must include the PEM headers: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  publicCert: |
    -----BEGIN CERTIFICATE-----
    MIIDXTCCAkWgAwIBAgIJAKZ0jxZhZ0zBMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjBF
    MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU
    VWXYZabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWX
    YZabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
    abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZAB
    CDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCD
    EFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz1234AB
    CDEFGHIJKLMNOPQRSTUVWXYZ567890abcdefghijklmnopqrstuvwxyzABCDEFGH
    IJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJK
    LMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
    OPQRSTUVWXYZ1234567890abcdefghijklmnopqIDAQABo1AwTjAdBgNVHQ4EFgQU
    1234567890abcdefghijklmnopqrMB8GA1UdIwQYMBaAFH1234567890abcdefghij
    klmnopqrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAH1234567890
    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn
    opqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
    -----END CERTIFICATE-----

  # Service Provider private key in PEM format (unencrypted PKCS#8, which is what
  # the BEGIN PRIVATE KEY header denotes). Presumably used by the SP to sign its
  # requests and/or decrypt assertions - confirm in the operator docs. Treat it as
  # a production secret: never commit a real key in this file.
  # Must include the PEM headers: -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
  privateKey: |
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX1234567890ab
    cdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnop
    qrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefgh
    ijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijk
    lmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmn
    opqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqr
    stuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuv
    wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz
    ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABC
    DEFGHIJKLMNOPQRSTUVWXYZAgMBAAECggEBAH1234567890abcdefghijklmnopqr
    stuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuv
    wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz
    ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABC
    DEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEF
    GHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHI
    JKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL
    MNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNO
    PQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR
    STUVWXYZAoGBAPH1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
    OPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
    RSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
    UVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
    XYZAoGBAPH1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
    TUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
    WXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
    1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
    -----END PRIVATE KEY-----

  # IdP X.509 certificate (base64 data only, WITHOUT PEM headers)
  # Extract from IdP metadata or download from IdP
  # Remove "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines
  # Folded scalar (>-): the line breaks below become single spaces in the stored
  # value, so it is "MIID... BAYT... ..." rather than one contiguous base64 string.
  # NOTE(review): confirm the consumer strips whitespace before decoding; if it
  # does not, put the value on a single line instead.
  # This certificate is what the SP uses to verify the IdP's signatures, so update
  # it whenever the IdP rotates its signing certificate.
  idpPrimaryCert: >-
    MIIDXTCCAkWgAwIBAgIJAKZ0jxZhZ0zBMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjBF
    MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU
    VWXYZabcdefghijklmnopqrstuvwxyz

---
# NetBoxEnterprise instance that signs users in through SAML. The SP key pair and
# the IdP signing certificate are read from the 'netbox-saml-sp-certs' Secret.
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-saml
  namespace: default
spec:
  imagePullPolicy: IfNotPresent
  netbox:
    replicas: 1
    image:
      pullPolicy: IfNotPresent
    config:
      auth:
        # Create a NetBox account the first time an identity asserted by the IdP
        # logs in (default: true). Every user the IdP releases to this SP therefore
        # gets an account; NOTE(review): nothing in this manifest assigns groups or
        # permissions to such users - confirm what defaults they receive.
        autoCreateUser: true

        # SAML Service Provider settings
        saml:
          # Entity ID this SP presents to the IdP, usually the NetBox base URL.
          # Compared verbatim on the IdP side, so the trailing slash (present or
          # absent) has to agree with the IdP configuration.
          spEntityId: 'https://netbox.example.com'

          # SP certificate: Secret name and key holding the PEM
          spPublicCert:
            name: netbox-saml-sp-certs
            key: publicCert

          # SP private key: Secret name and key holding the PEM
          spPrivateKey:
            name: netbox-saml-sp-certs
            key: privateKey

          # Use https in the redirect URLs built during login (default: true).
          # Only set false for plain-http localhost testing.
          redirectIsHttps: true

          # Organization block published in the SP metadata
          organization:
            locale: 'en-US'                # default: "en-US"
            name: 'Example Corporation'    # organization name
            displayName: 'Example Corp'    # organization display name
            url: 'https://example.com'     # organization website

          # Technical contact published in the SP metadata
          technicalContact:
            givenName: 'Tech Support'
            emailAddress: 'tech-support@example.com'

          # Support contact published in the SP metadata
          supportContact:
            givenName: 'Support Team'
            emailAddress: 'support@example.com'

          # One entry per trusted IdP; several may be listed
          identityProviders:
            - name: 'primary'
              # IdP entity ID, taken from the IdP metadata
              entityId: 'https://idp.example.com/saml/metadata'
              # IdP single sign-on endpoint, taken from the IdP metadata
              ssoUrl: 'https://idp.example.com/saml/sso'
              # IdP signing certificate: Secret name and key holding the base64
              # body only (no PEM headers)
              x509Cert:
                name: netbox-saml-sp-certs
                key: idpPrimaryCert
              # Which SAML attribute feeds which NetBox user field
              attributeMapping:
                # Attribute used as the stable account identifier (default: "email").
                # NOTE(review): an email address can be reassigned at the IdP; if the
                # IdP releases an immutable subject identifier, prefer it here so a
                # reassigned address does not map onto someone else's existing account.
                userPermanentId: 'email'
                firstName: 'first_name'    # default: "first_name"
                lastName: 'last_name'      # default: "last_name"
                username: 'email'          # default: "email"
                email: 'email'             # default: "email"

    worker:
      replicas: 1

  # Diode (optional), disabled here
  diode:
    enabled: false

  # PostgreSQL provided by the operator rather than an external server
  postgresql:
    external: false

  # Redis provided by the operator rather than an external server
  redis:
    external: false

---
# SAML Configuration Notes:
#
# To configure SAML authentication, you need to:
#
# 1. Generate Service Provider (SP) certificates:
#    # Generate private key
#    openssl genrsa -out sp-key.pem 2048
#
#    # Generate certificate signing request
#    openssl req -new -key sp-key.pem -out sp-csr.pem \
#      -subj "/CN=netbox.example.com/O=Example Corp/C=US"
#
#    # Generate self-signed certificate (valid for 1 year)
#    openssl x509 -req -days 365 -in sp-csr.pem \
#      -signkey sp-key.pem -out sp-cert.pem
#
#    # Paste sp-cert.pem into the Secret's publicCert key and sp-key.pem into its privateKey key
#    # Note: Keep the PEM headers (-----BEGIN/END CERTIFICATE/PRIVATE KEY-----)
#
# 2. Configure Identity Provider (IdP):
#    - Entity ID: https://netbox.example.com (must match spEntityId)
#    - ACS URL: https://netbox.example.com/oauth/complete/saml/
#    - Audience: https://netbox.example.com (same as Entity ID)
#    - Upload SP certificate (sp-cert.pem)
#    - Configure attribute statements:
#      - email → email
#      - first_name → firstName or givenName
#      - last_name → lastName or surname
#
# 3. Get IdP metadata:
#    - Download IdP metadata XML
#    - Extract:
#      - entityID (IdP entity ID)
#      - SingleSignOnService Location (SSO URL)
#      - X509Certificate (remove PEM headers, keep base64 data only)
#    - Add the IdP certificate to the Secret (e.g., as 'idpPrimaryCert' key)
#
# 4. Update this manifest:
#    - Set spEntityId to your NetBox URL
#    - Update SP certificates in the Secret
#    - Add IdP certificate(s) to the Secret (base64 data only, no PEM headers)
#    - Configure each IdP's x509Cert to reference the secret key
#    - Update organization and contact information
#
# 5. Test the configuration:
#    - Access NetBox
#    - Click "Log In with SAML"
#    - You should be redirected to your IdP
#    - After authentication, you'll be redirected back to NetBox
#
# Common IdP Examples:
# - Okta: https://help.okta.com/
# - Azure AD: https://learn.microsoft.com/en-us/azure/active-directory/
# - Auth0: https://auth0.com/docs/authenticate/protocols/saml
# - Google Workspace: https://support.google.com/a/answer/6087519
#
# Troubleshooting:
# - Verify the SP certificate and key are valid and belong to the same key pair
# - Ensure spEntityId exactly matches IdP configuration (including trailing slash)
# - Check that ACS URL is correctly configured in IdP
# - Verify the IdP certificate matches the one in the IdP metadata (remove PEM headers)
# - Check attribute mappings match IdP configuration
# - Review NetBox logs: kubectl logs -n default deployment/netbox-saml-netbox
