Open sathyarchana opened 10 months ago
does this only happen on the new UI, or also the old?
you might want to create a Get Help post on our new AWX forum, forum.ansible.com
It's happening in both old and new UI.
@sathyarchana, I've got SAML working. What are your SAML settings, and what IDP are you using?
I'm also facing the same issue: it redirects me to login, but based on the logs I have in Grafana, it's a "Signature validation failed. SAML Response rejected" error. I'm using ADFS as IDP. @jon-nfc have you ever faced my error? It's apparently a mismatch with the X509 certificate used for signing.
@clementbernet the certificate that is within AWX must match the certificate within the IDP, specifically SOCIAL_AUTH_SAML_SP_PUBLIC_CERT, with that cert being the public cert of the key SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, which is only used within AWX to do the signing. Without this, SAML won't work, as the verification will fail.
Here's the config I use that may be of some assistance. My IDP is Keycloak (it's an Ansible template passed to the API; however, it can be converted to be passed via the operator).
{
  "SAML_AUTO_CREATE_OBJECTS": true,
  "SOCIAL_AUTH_SAML_SP_ENTITY_ID": "{{ deployment_awx.settings.url }}",
  "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT": "{{ nfc_pb_idp_client_public_certificate | replace('\n', '') }}",
  "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY": "{{ nfc_pb_idp_client_private_key | replace('\n', '') }}",
  "SOCIAL_AUTH_SAML_ORG_INFO": {
    "en-US": {
      "displayname": "AWX",
      "name": "keycloak",
      "url": "{{ deployment_awx.settings.url }}"
    }
  },
  "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT": {
    "emailAddress": "technical@example.com",
    "givenName": "Tech"
  },
  "SOCIAL_AUTH_SAML_SUPPORT_CONTACT": {
    "emailAddress": "support@example.com",
    "givenName": "Support"
  },
  "SOCIAL_AUTH_SAML_ENABLED_IDPS": {
    "keycloak": {
      "attr_email": "urn:oid:1.2.840.113549.1.9.1",
      "attr_first_name": "urn:oid:2.5.4.42",
      "attr_last_name": "urn:oid:2.5.4.4",
      "attr_user_permanent_id": "name_id",
      "attr_username": "username",
      "entity_id": "{{ deployment_awx.settings.authentication.saml.IDP_URL }}",
      "url": "{{ deployment_awx.settings.authentication.saml.IDP_URL }}/protocol/saml",
      "x509cert": "{{ nfc_pb_keycloak_saml_certificate }}"
    }
  },
  "SOCIAL_AUTH_SAML_SECURITY_CONFIG": {
    "requestedAuthnContext": true
  },
  "SOCIAL_AUTH_SAML_SP_EXTRA": null,
  "SOCIAL_AUTH_SAML_EXTRA_DATA": null,
  "SOCIAL_AUTH_SAML_ORGANIZATION_MAP": {
    "No Fuss Computing": {
      "admins": [
        "admin@example.com"
      ],
      "users": true
    }
  },
  "SOCIAL_AUTH_SAML_TEAM_MAP": null,
  "SOCIAL_AUTH_SAML_ORGANIZATION_ATTR": {},
  "SOCIAL_AUTH_SAML_TEAM_ATTR": {
    "remove": true,
    "saml_attr": "roles",
    "team_org_map": [
      {% for organization in my_awx_config.organizations | default([]) %}
      {% for team in organization.teams | default([]) %}
      {
        "team": "{{ team.name }}",
        "organization": "{{ organization.name }}"
      },
      {% endfor %}
      {% endfor %}
    ]
  },
  "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {}
}
@clementbernet not sure if you still encounter this issue, but SAML authentication is using the python3-saml integration and, depending on the underlying infrastructure, it's using the system library xmlsec1.
Please make sure your signing algorithm is supported by xmlsec1.
Probably you use the SAML-tracer plugin in Firefox, for example, to check the SAML response value; check whether you use a proper signing method like SHA256 or higher.
It might be possible you're using SHA1, which is not supported by the newest operating systems, for example.
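An added diagnostic, not from this thread nor from AWX or python3-saml: it decodes a base64 SAMLResponse (as copied from SAML-tracer) and reports the two causes raised above, a SHA-1 signature and a signing certificate that differs from the x509cert configured under SOCIAL_AUTH_SAML_ENABLED_IDPS. The embedded Response and certificate body are constructed sample values, and the script inspects the signature but does not cryptographically verify it.

```python
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}


def normalize_cert(pem_or_b64):
    """Drop PEM armour and whitespace so the AWX x509cert setting and the ds:X509Certificate text compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    return re.sub(r"\s+", "", body)


def _algorithm(sig, tag):
    el = sig.find(f".//{DS}{tag}")
    return el.get("Algorithm") if el is not None else None


def inspect_response(saml_response_b64, configured_idp_cert):
    """Check a base64 SAMLResponse against the two causes of
    'Signature validation failed' discussed in the thread."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return {"signed": False, "cert_matches": False,
                "problems": ["Response carries no ds:Signature"]}
    sig_method = _algorithm(sig, "SignatureMethod")
    digest_method = _algorithm(sig, "DigestMethod")
    cert_el = sig.find(f".//{DS}X509Certificate")
    embedded = normalize_cert(cert_el.text or "") if cert_el is not None else ""
    matches = bool(embedded) and embedded == normalize_cert(configured_idp_cert)
    problems = []
    if sig_method in SHA1_URIS or digest_method in SHA1_URIS:
        problems.append("SHA-1 signature/digest: current xmlsec1 builds reject it, "
                        "move the IdP to SHA-256 or stronger")
    if not matches:
        problems.append("signing cert in Response is not the configured x509cert")
    return {"signed": True, "signature_method": sig_method,
            "digest_method": digest_method, "cert_matches": matches, "problems": problems}


# Constructed sample, not a real IdP capture: SHA-1 signed, with a made-up cert body.
SAMPLE_CERT = "MIIBexampleCertBodyConstructedForThisDemo"
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </ds:Reference></ds:SignedInfo><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  {SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>
""".encode()).decode()
```

Run `inspect_response(SAMPLE_RESPONSE, SAMPLE_CERT)` to see the SHA-1 finding alone; pass a different cert string to see the mismatch finding as well.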
Bug Summary
I've integrated the SAML Authentication with AWX. It redirects to my IDP (I get 200 OK). Authenticate it there. And then it redirects back to http://localhost:8052/sso/complete/saml/ (here I get 302 Found). But after this, it redirects to http://localhost:8052/sso/error/ (and here I get 301 Moved Permanently) and then to http://localhost:8052/#/login . I'm unable to login into the AWX by SAML. Please resolve the issue.
AWX version
AWX v23.5.0
Select the relevant components
Installation method
kubernetes
Modifications
no
Ansible version
No response
Operating system
No response
Web browser
Firefox, Chrome, Edge
Steps to reproduce
Install AWX with the following Helm YAML file:
AWX:
  enabled: true
  name: awx-demo
  spec:
    no_log: false
    service_type: ClusterIP
    service_annotations: |
      prometheus.io/scrape: "true"
    service_labels: |
      release: kube-prometheus-stack
    extra_settings:
    projects_persistence: true
    projects_storage_class: gp2
    projects_storage_size: 10Gi
    projects_storage_access_mode: ReadWriteOnce
    web_replicas: 2
    task_replicas: 2
    task_resource_requirements:
      requests:
        cpu: 100m
        memory: 128Mi
        ephemeral-storage: 100M
      limits:
        cpu: 2000m
        memory: 4Gi
        ephemeral-storage: 500M
    web_resource_requirements:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 1000m
        memory: 4Gi
    ee_resource_requirements:
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 1000m
        memory: 4Gi
    redis_resource_requirements:
      requests:
        cpu: 50m
        memory: 64Mi
      limits:
        cpu: 1000m
        memory: 4Gi
    rsyslog_resource_requirements:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 1000m
        memory: 2Gi
    init_container_resource_requirements:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 1000m
        memory: 2Gi
    postgres_configuration_secret: awx-demo-postgres-configuration
    postgres_storage_requirements:
      requests:
        storage: 10Gi
      limits:
        storage: 20Gi
    postgres_storage_class: gp2
    postgres_init_container_resource_requirements:
      requests:
        cpu: 10m
        memory: 64Mi
      limits:
        cpu: 1000m
        memory: 2Gi
  status:
    postgresConfigurationSecret: awx-demo-postgres-configuration
Expected results
It should log in to the AWX after getting the response from the IDP.
Actual results
It redirects to http://localhost/#/login
Additional information
No response