ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Failing to configure SAML Based Authentication #12238

Open GR360RY opened 2 years ago

GR360RY commented 2 years ago

Summary

When trying to configure SAML authentication in the "SAML Settings" Web UI, the SAML Service Provider Metadata URL returns the error below:

 curl https://example.com/sso/metadata/saml/
Missing backend "saml" entry%

An attempt to force the SSO backend to use "awx.sso.backends.SAMLAuth" did not fix the issue.

bash-5.1$ cat /etc/tower/settings.py | grep AUTHENTICATION_BACKENDS
AUTHENTICATION_BACKENDS = ['awx.sso.backends.SAMLAuth', 'awx.main.backends.AWXModelBackend', 'awx.sso.backends.TACACSPlusBackend']

The resulting config page returns the same two backends:

...
"AUTHENTICATION_BACKENDS": [
        "awx.main.backends.AWXModelBackend",
        "awx.sso.backends.TACACSPlusBackend"
    ],

Installed with awx-operator: 0.21.0

AWX version

21.0.0

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

Chrome

Steps to reproduce

Clean installation with the following awx.yaml:

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  service_type: nodeport
  extra_settings:
    - setting: TOWER_URL_BASE
      value: '"https://example.com"'
    - setting: AUTHENTICATION_BACKENDS
      value:
        - awx.sso.backends.SAMLAuth
        - awx.main.backends.AWXModelBackend
        - awx.sso.backends.TACACSPlusBackend

Expected results

Get metadata to configure IDP

Actual results

Missing backend "saml" error message

Additional information

No response

AlanCoding commented 2 years ago

This looks suspiciously similar to https://github.com/ansible/awx-operator/issues/773

Could you give more details of errors you saw? Are there errors in the server logs like that? Other issues suggest that you may need to wrap your values like awx.sso.backends.SAMLAuth in quotes.

GR360RY commented 2 years ago

@AlanCoding , I figured it out:

awx.sso.backends.SAMLAuth gets enabled automatically when all the fields below in the SAML configuration are filled out. This includes:

  1. SAML Service Provider Entity ID
  2. SAML Service Provider Public Certificate
  3. SAML Service Provider Private Key

Configuring required fields marked by * was not sufficient. Additional fields needed to be configured to activate the backend:

  1. SAML Service Provider Organization Info
  2. SAML Service Provider Technical Contact
  3. SAML Service Provider Support Contact
  4. SAML Enabled Identity Providers

As soon as all 7 fields above are configured, awx.sso.backends.SAMLAuth appears in the API and the metadata link returns the correct XML data.

I would also consider defining all of the above fields as mandatory in docs and UI.

Moumoutaru commented 2 years ago

@GR360RY Do you mind sharing your config? I was able to get SAML working when updating the config through the GUI, but when I try to get it working via extra_settings I end up running into:

  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/rest_framework/fields.py", line 336, in __init__
    assert not (read_only and required), NOT_READ_ONLY_REQUIRED
AssertionError: May not set both `read_only` and `required`

My extra settings looks like:

  extra_settings:
    - setting: AUTHENTICATION_BACKENDS
      value:
        - awx.sso.backends.SAMLAuth
        - awx.main.backends.AWXModelBackend
    - setting: TOWER_URL_BASE
      value: "'https://tower.thing.here'"
    - setting: SOCIAL_AUTH_SAML_SP_ENTITY_ID
      value: "'https://tower.thing.here/'"
    - setting: SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
      value: '''pubcert -- this is newline separated and includes both begin and end statements'''
    - setting: SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
      value: '''privatekey -- this is newline separated and includes both begin and end statements'''
    - setting: SOCIAL_AUTH_SAML_ORG_INFO
      value: '''{"en-US": {"url": "https://tower.thing.here/","displayname": "My Display Name","name": "NameHere"}}'''
    - setting: SOCIAL_AUTH_SAML_TECHNICAL_CONTACT
      value: '''{"givenName": "SomethingHere","emailAddress": "myemail@email.com"}'''
    - setting: SOCIAL_AUTH_SAML_SUPPORT_CONTACT
      value: '''{"givenName": "SomethingHere","emailAddress": "myemail@email.com"}'''
    - setting: SOCIAL_AUTH_SAML_ENABLED_IDPS
      value: '''{"myidp": {"entity_id": "https://myidp.idp.com/sso/SAML2","url": "https://myidp.idp.com/sso/SAML2?RedirectUrl=https://tower.thing.here/sso/complete/saml/","x509cert": "certinfohere","attr_first_name": "firstname","attr_last_name": "lastname","attr_email": "email","attr_user_permanent_id": "email","attr_username": "email"}}'''

GR360RY commented 2 years ago

@Moumoutaru, try dropping the AUTHENTICATION_BACKENDS. In the end I decided to go with the manual config, hence I don't have the original configuration I worked on.

Moumoutaru commented 2 years ago

Will do, thanks for the quick response!

GR360RY commented 2 years ago

@Moumoutaru, Found config in git :). Not sure if it is working, but hopefully it will help:

extra_settings:
  - setting: TOWER_URL_BASE
    value: '"https://awx.example.com"'
  - setting: SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
    value: '"-----BEGIN CERTIFICATE-----..."'
  - setting: SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
    value: '"-----BEGIN PRIVATE KEY-----..."'
  - setting: SOCIAL_AUTH_SAML_ORG_INFO
    value: {
      "en-US": {
          "name": "awx",
          "url": "https://awx.example.com/",
          "displayname": "AWX"
        }
      }
  - setting: SOCIAL_AUTH_SAML_TECHNICAL_CONTACT
    value: {
      "givenName": "devops",
      "emailAddress": "devops@example.com"
    }
  - setting: SOCIAL_AUTH_SAML_ORGANIZATION_MAP
    value: {
      "Default": {
          "users": true
      }
    }
  - setting: SOCIAL_AUTH_SAML_SUPPORT_CONTACT
    value: {
      "givenName": "idp",
      "emailAddress": "idp@example.com"
    }
  - setting: SOCIAL_AUTH_SAML_ENABLED_IDPS
    value: {
      "idp-integ": {
          "url": "https://idp.example.com/api/saml2/v1/sso",
          "attr_username": "User.email",
          "attr_email": "User.email",
          "attr_first_name": "User.FirstName",
          "attr_user_permanent_id": "UID",
          "entity_id": "https://idp.example.com",
          "x509cert": "foobar....",
          "attr_last_name": "User.LastName"
      }
    }
  - setting: SOCIAL_AUTH_SAML_ORGANIZATION_ATTR
    value: {
      "saml_admin_attr": "awx_admins",
      "remove": false,
      "remove_admins": false
    }
  - setting: SOCIAL_AUTH_SAML_TEAM_ATTR
    value: {
      "remove": false,
      "team_org_map": [
          {
              "organization": "Default",
              "team": "anpa-it"
          }
      ],
      "saml_attr": "groups"
    }
  - setting: SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR
    value: {
      "is_superuser_value": "awx-admin",
      "is_superuser_attr": "is_super_admin"
    }
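The two extra_settings samples in this thread, and the explanation that awx.sso.backends.SAMLAuth only appears once all seven SAML fields are filled, both come down to the same pre-flight question: does each YAML value survive being written into a Python settings file, and are all seven settings present and non-empty? The following is an added example, not AWX or awx-operator code. It assumes (consistent with the quoting seen in the thread, but still an assumption) that the operator writes each entry verbatim as `SETTING = <value>` into a Python settings file, rendering non-string YAML values such as lists and mappings as their Python repr. Under that assumption a YAML string must itself be a valid Python literal, which is why `'"https://example.com"'` works while a bare `https://example.com` does not. The setting names are the ones used in the thread; the sample configs and placeholder values are constructed.

```python
"""Pre-flight check for awx-operator extra_settings SAML configuration (added example)."""
import ast

# The seven settings the thread reports as all required before
# awx.sso.backends.SAMLAuth is activated (names as used in the thread).
REQUIRED_SAML_SETTINGS = (
    "SOCIAL_AUTH_SAML_SP_ENTITY_ID",
    "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT",
    "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY",
    "SOCIAL_AUTH_SAML_ORG_INFO",
    "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT",
    "SOCIAL_AUTH_SAML_SUPPORT_CONTACT",
    "SOCIAL_AUTH_SAML_ENABLED_IDPS",
)


def render_settings_lines(extra_settings):
    """Mimic the assumed operator templating: one 'NAME = value' line per entry.

    Strings are written as-is; lists and mappings are written as their Python repr.
    """
    lines = []
    for entry in extra_settings:
        value = entry["value"]
        rendered = value if isinstance(value, str) else repr(value)
        lines.append(f"{entry['setting']} = {rendered}")
    return lines


def parse_settings(lines):
    """Parse rendered lines back into a dict; collect values that are not Python literals."""
    parsed, errors = {}, []
    for line in lines:
        name, _, rhs = line.partition(" = ")
        try:
            parsed[name] = ast.literal_eval(rhs)
        except (ValueError, SyntaxError):
            errors.append(f"{name}: {rhs!r} is not a Python literal (missing inner quotes?)")
    return parsed, errors


def check_saml_settings(extra_settings):
    """Report literal errors, absent/empty required SAML settings, and a manual backend override."""
    parsed, errors = parse_settings(render_settings_lines(extra_settings))
    missing = [name for name in REQUIRED_SAML_SETTINGS if not parsed.get(name)]
    warnings = []
    if "AUTHENTICATION_BACKENDS" in parsed:
        # The thread's advice: drop the manual override, the backend is added automatically.
        warnings.append("AUTHENTICATION_BACKENDS is overridden; SAMLAuth is enabled automatically")
    return {"errors": errors, "missing": missing, "warnings": warnings,
            "ok": not errors and not missing}


# Constructed sample modelled on the thread's configs; every value is a placeholder.
SAMPLE_OK = [
    {"setting": "TOWER_URL_BASE", "value": '"https://awx.example.com"'},
    {"setting": "SOCIAL_AUTH_SAML_SP_ENTITY_ID", "value": '"https://awx.example.com/"'},
    {"setting": "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT", "value": '"PLACEHOLDER-PEM-CERT"'},
    {"setting": "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY", "value": '"PLACEHOLDER-PEM-KEY"'},
    {"setting": "SOCIAL_AUTH_SAML_ORG_INFO",
     "value": {"en-US": {"name": "awx", "url": "https://awx.example.com/", "displayname": "AWX"}}},
    {"setting": "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT",
     "value": {"givenName": "devops", "emailAddress": "devops@example.com"}},
    {"setting": "SOCIAL_AUTH_SAML_SUPPORT_CONTACT",
     "value": {"givenName": "idp", "emailAddress": "idp@example.com"}},
    {"setting": "SOCIAL_AUTH_SAML_ENABLED_IDPS",
     "value": {"idp": {"entity_id": "https://idp.example.com", "url": "https://idp.example.com/sso",
                       "x509cert": "PLACEHOLDER", "attr_username": "email"}}},
]

# Constructed sample with the two mistakes the thread discusses: a bare URL with no
# inner quotes, and a manual AUTHENTICATION_BACKENDS override, and no SAML fields at all.
SAMPLE_BAD = [
    {"setting": "TOWER_URL_BASE", "value": "https://awx.example.com"},
    {"setting": "AUTHENTICATION_BACKENDS", "value": ["awx.sso.backends.SAMLAuth"]},
]

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_saml_settings(sample))
```

Run it against the `extra_settings` list from your own AWX custom resource (load the YAML with any YAML parser and pass the list). A value reported as "not a Python literal" is the quoting problem AlanCoding points at; a non-empty `missing` list is the seven-field condition GR360RY describes.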

Moumoutaru commented 2 years ago

Unfortunately, that didn't work. It's quite puzzling. I'll go ahead and try your config.

thg-adamdean commented 2 years ago

Did you guys get anywhere with this, @Moumoutaru , @GR360RY ?

We're hitting similar issues with an attempted automated deployment.

nickjmv commented 1 year ago

I'm also having the issue. I tried a couple of combinations of the answers above without luck. Did anyone get it working?

sean-m-sullivan commented 1 year ago

This is what I used to connect the controller to the RH-SSO SAML. It looks like several things are different from above, but I thought I would share, specifically the values around SOCIAL_AUTH_SAML_ENABLED_IDPS. From my notes:

A client profile needs to be created for the controller. This includes mapping values the RH-SSO server has imported from LDAP and mapping them to specific values for the Automation controller. Here's how to do this:

  1. Navigate to Clients | Create.
  2. Fill in a client identifier (ID) with a unique name to identify the client, preferably something to do with the controller.
  3. Select Client Protocol as SAML, then click Save, and then fill in as in the following image.

Link to file with settings: https://github.com/PacktPublishing/Demystifying-Ansible-Automation-Platform/blob/main/ch04/sso/saml/settings.yml

It may be that this part of the SAML client is not done, or other things are missing?

Moumoutaru commented 1 year ago

@thg-adamdean @nickjmv I was able to get it working.

nickjmv commented 1 year ago

@Moumoutaru could you share your configuration please?

nickjmv commented 1 year ago

@Moumoutaru, I'm really looking forward to connecting with you for this. We are blocked in this because we can't seem to figure it out...