Entra SSO not working

[rcon-git]

Followed the guide here to a T: https://netboxlabs.com/docs/netbox/administration/authentication/microsoft-entra-id/

Here is my configuration.py

# Remote authentication support
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'social_core.backends.azuread_tenant.AzureADTenantOAuth2'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = '1234-abcd-1234'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = 'abc1234567'
SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = 'fabdc-1234-ggaaffbb'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'

After restarting the netbox service, the "Microsoft Entra" button appears. When I click on it, I am correctly redirected to the Entra sign in for my username and password. However, after authenticating I get the following:

AADSTS700016: Application with identifier 'None' was not found in the directory 'company'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

There are mentions of this exact error in previous threads, but nothing that demonstrates a fix.
netbox-community/netbox-docker#1360
#18813
In fact, all the users that have had this error that I can find are all running things via docker/Kubernetes. I am running netbox on bare metal.

This article: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-aadsts70001-app-not-found-in-directory
says the issue is that the 'issuer' attribute sent from the application to Entra doesn't match the identifier value. I have no idea what that means. I followed the NetBox documentation exactly.

[rcon-git]

for anyone else that comes across this .. there were 2 issues.

1, you need to also make sure to include the tenant ID
2. You can't use a self-signed SSL cert. You need a real SSL cert issued by a cert authority.

your configuration.py should look like this

# Remote authentication support
REMOTE_AUTH_ENABLED = False
#REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'social_core.backends.azuread.AzureADOAuth2'
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = '00119922883377446555'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = 'aabbccddeeffgg'
SOCIAL_AUTH_AZUREAD_OAUTH2_TENANT_ID = '00119922883377446555'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}