Multiple remote auth backends

[andrewmgee]

Is it possible to have multiple REMOTE_AUTH_BACKEND specified?

Ie. could we use:
netbox.authentication.LDAPBackend and social_core.backends.okta_openidconnect.OktaOpenIdConnect

From the docs page (https://docs.netbox.dev/en/stable/administration/authentication/okta/), when you enable a SSO the regular login form is still there, but I'm assuming by default that would use the local auth db.

I realize that the okta SSO users could be sourced from the same LDAP directory, but was curious if both can be left enabled. For migration period use cases for example.

[pparasuram]

Andrew,
Did you figure this out, I want this feature, use username and password OR use SSO link.

Prakash

[andrewmgee]

@pparasuram I didn't get a chance to dig into it and test anything yet. Will post back here if/when I do.

[andrewmgee]

@pparasuram tried it out, and it doesn't work to keep both.

Tried: `REMOTE_AUTH_BACKEND = ['netbox.authentication.LDAPBackend','social_core.backends.okta_openidconnect.OktaOpenIdConnect']

But doing that returns an error:

<class 'AttributeError'>

'list' object has no attribute 'rsplit'

Python version: 3.9.15
NetBox version: 3.3.7

So it looks like it doesn't accept a list and only a single value. The regular username/password box does still show, but uses the local auth db.

[jerrykan]

Sorry to revive this one, but just in case someone else finds this discussion trying to figure out if multiple auth backends are supported (like I did), the answer is "yes". Support was added in the v3.4.8 release.

To quote the documentation for the REMOTE_AUTH_BACKEND option:

Provide a string for a single backend, or an iterable for multiple backends, which will be attempted in the order given.