Yes, I did get some ansible tasks working for our environment on Linux. A bit clunky, but we haven't spent too much more time on it and are now moving away from AWX. I have pasted some code snippets below.
We get a session cookie and csrftoken for the AWX host and store them in the hostvars for that AWX host.
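# Log in to AWX through its SAML SSO endpoint using Kerberos/SPNEGO against
# the IdP, then store the resulting session cookie and CSRF token as the
# `awx_session` fact on the AWX host.
#
# Inputs read from variables: awx_host, saml_idp.
#
# Security notes for whoever reuses this:
# - Every curl call is given as `argv`, so each templated value reaches curl
#   as exactly one argument and cannot be re-split into extra curl options by
#   a stray quote or space.
# - The session cookie and the SAMLResponse are still passed on the curl
#   command line, so they are visible in the controller's process list while
#   curl runs. Run this only on a controller you trust.
# - `no_log` is switched off at verbosity 4 and above, so a `-vvvv` run writes
#   the cookie, CSRF token and SAMLResponse to the Ansible output and any log
#   that captures it.
# - curl is called without `-k`, so TLS certificate verification stays on.
- name: Get initial awx sessionid and SAMLRequest
  block:
    # Step 1: open an anonymous AWX session. `-c -` prints the cookie jar to
    # stdout and `-w` prints the redirect URL that points at the IdP.
    - name: start awx session
      delegate_to: localhost
      become: false
      command:
        argv:
          - curl
          - '-s'
          - "https://{{ awx_host }}/sso/login/saml/?idp={{ saml_idp }}"
          - '-c'
          - '-'
          - '-w'
          - '%{redirect_url}'
      check_mode: false
      changed_when: false
      no_log: "{{ ansible_verbosity < 4 }}"
      register: awx_session
      tags:
        # curl is used because the uri module was found to lack
        # SPNEGO/Kerberos support. NOTE(review): newer ansible-core releases
        # document a `use_gssapi` option on uri; confirm for your version.
        - skip_ansible_lint

    # Pull the sessionid value out of the cookie-jar line in stdout.
    - name: Set awx sessionid
      set_fact:
        awx_sessionid_cookie: "sessionid={{ awx_session.stdout | regex_search('.*\\s+sessionid\\s+(.*)', '\\1') | first }}"
      no_log: "{{ ansible_verbosity < 4 }}"

    # Step 2: follow the redirect to the IdP with SPNEGO (`--negotiate -u :`
    # uses the caller's existing Kerberos ticket). The URL is the stdout line
    # starting with "https"; everything from the first '#' on is cut off,
    # presumably because the cookie-jar header follows the URL on the same
    # line.
    - name: Get XHTML SAMLResponse
      delegate_to: localhost
      become: false
      command:
        argv:
          - curl
          - '-s'
          - '--negotiate'
          - '-u'
          - ':'
          - "{{ (awx_session.stdout_lines | select('match', '^https') | list | first).split('#')[0] }}"
          - '-H'
          - "Cookie: {{ awx_sessionid_cookie }}"
      check_mode: false
      changed_when: false
      no_log: "{{ ansible_verbosity < 4 }}"
      register: awx_session_saml_response
      tags:
        - skip_ansible_lint  # same reason as "start awx session"

    - name: Assert that we received a SAMLResponse
      assert:
        that: "'SAMLResponse' in awx_session_saml_response.stdout"
        fail_msg: "Did not receive a SAMLResponse from keycloak server"
        success_msg: "Keycloak authentication successful"

    # regex_search with a group argument returns a list, so `| first` is
    # needed to store the bare value, as the sessionid and csrftoken
    # extractions already do. Without it the list's rendered form
    # (brackets and quotes) would be posted as the SAMLResponse.
    - name: Extract SAMLResponse
      set_fact:
        awx_session_saml_response: "{{ awx_session_saml_response.stdout_lines | select('search', 'name=\"SAMLResponse\"') | first | regex_search('value=\"([^\"]*)', '\\1') | first }}"
      no_log: "{{ ansible_verbosity < 4 }}"

    # Step 3: post the assertion back to AWX; the authenticated cookie jar
    # (sessionid and csrftoken) is printed to stdout by `-c -`.
    - name: Complete SAML authentication
      delegate_to: localhost
      become: false
      command:
        argv:
          - curl
          - '-s'
          - '-H'
          - "Cookie: {{ awx_sessionid_cookie }}"
          - '-c'
          - '-'
          - '--data-urlencode'
          - "SAMLResponse={{ awx_session_saml_response }}"
          - '--data'
          - "RelayState={{ saml_idp }}"
          - "https://{{ awx_host }}/sso/complete/saml/"
      check_mode: false
      changed_when: false
      no_log: "{{ ansible_verbosity < 4 }}"
      register: awx_session
      tags:
        - skip_ansible_lint  # same reason as "start awx session"

    # With delegate_facts: true every fact in this task is assigned to
    # awx_host, including the two blanked values.
    - name: Update awx_session
      set_fact:
        awx_session:
          cookie: "sessionid={{ awx_session.stdout | regex_search('.*\\s+sessionid\\s+(.*)', '\\1') | first }}"
          csrftoken: "{{ awx_session.stdout | regex_search('.*\\s+csrftoken\\s+(.*)', '\\1') | first }}"
        awx_session_saml_response: ""
        awx_sessionid_cookie: ""
      delegate_to: "{{ awx_host }}"
      delegate_facts: true
      no_log: "{{ ansible_verbosity < 4 }}"

    # The blanking above lands on awx_host because of delegate_facts, so the
    # intermediate secrets are also cleared on the host running the play.
    # The registered curl result on this host still holds the cookie jar.
    - name: Clear intermediate SAML values on the current host
      set_fact:
        awx_session_saml_response: ""
        awx_sessionid_cookie: ""
      no_log: "{{ ansible_verbosity < 4 }}"

  rescue:
    # Any failure above is reduced to this message and the play continues.
    # Later tasks presumably need to check that the awx_session fact on
    # awx_host has `cookie` and `csrftoken` before using it.
    - name: Notify of failure to get awx session
      debug:
        msg: "Failed to get an awx session for {{ awx_host }}"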