Ansible AWX using both LDAP and Okta SAML

[Daniel@Vistra]

We use LDAP (Acitive Directory) for user password validation.  We use Okta as SSO SAML.

I am trying to setup both.  I have had LDAP (A/D) working since I setup AWX.  I finally was able to get the security folks to put in the Okta SSO SAML piece on Friday.  I have worked most of the day on Friday, a few hours on the weekend and this morning.  The best I have gotten is the round circle with an S, I can click it, but my ID coming from Okta is an email address for my username, which is no my default email address, it is not pulling my first and last name or email.  Also I notice when I validate from the login screen the user that comes across from LDAP has a label that states LDAP, in fact twice, the user that validated from Okta, shows a label of Social.  Is it possible to have a user come over from Okta and be the same user that comes across from LDAP (A/D)?  Thank you.

[John Foley]

I have not used Okta (we use Idaptive), but within Okta, there should be a way to control the format and values of what is sends over as the username. Pretty sure your issue is on the Okta side.

On Tue, Oct 6, 2020 at 11:00 AM Daniel@Vistra <daniel...@vistracorp.com> wrote:

We use LDAP (Acitive Directory) for user password validation.  We use Okta as SSO SAML.

I am trying to setup both.  I have had LDAP (A/D) working since I setup AWX.  I finally was able to get the security folks to put in the Okta SSO SAML piece on Friday.  I have worked most of the day on Friday, a few hours on the weekend and this morning.  The best I have gotten is the round circle with an S, I can click it, but my ID coming from Okta is an email address for my username, which is no my default email address, it is not pulling my first and last name or email.  Also I notice when I validate from the login screen the user that comes across from LDAP has a label that states LDAP, in fact twice, the user that validated from Okta, shows a label of Social.  Is it possible to have a user come over from Okta and be the same user that comes across from LDAP (A/D)?  Thank you.

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/d3342518-ff39-45b3-9ac3-5bbcbdc3c550n%40googlegroups.com.

--

John M. Foley

[Daniel@Vistra]

Do you know if the same user can log in as Okta and LDAP?  I created a user with firstname, lastname and email, then tried again with SSO by clicking on the button, it created a new user with a series of numbers after the username so it would not be duplicate.  

The other thing I failed to mention, if I am going from Okta and click on the chicklet for Ansible, it fails.  It works if I am on the Ansible login page by clicking on the SSO icon but not from Okta.

Security set it up as the documentation referenced.

Thank you again.

[John Foley]

yes, if the username in ad matches what SAML is sending, the account in Tower will have both labels (LDAP/Social). You might need to check you login URL for the SP on the Okta side if it is not working from the Okta portal.

To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/43882b76-9a2e-4a88-9b43-5b5797bcb161n%40googlegroups.com.

--

John M. Foley

[Daniel@Vistra]

It gets to the server and then reverts to the link that is configured as the redirect.  So I know it is going from Okta to Ansible.

I think it has something to do with the Nginx web server that I have re-directing to the backend Docker container web server.

Which makes me think if I were to have Okta be directed to the backend server via HTTP and the port 9000 that I am redirecting the HTTPS of the front-end Nginx server to?

Thank you again.