SAML Auth from behind Apache Reverse Proxy


Drew Stinnett

Sep 27, 2017, 12:55:32 PM9/27/17
to AWX Project
Hi Gang,
     I'm trying to use SAML authentication on an AWX container that has an apache frontend, however AWX appears to be sending the wrong ACS.

     The apache service is just running TLS, and doing a proxypass to http://127.0.0.1:80. The web interface at https://awx.example.com works fine, and I have set the base url setting to https://awx.example.com.  Under the SAML settings, the ACS shows correctly as "https://awx.example.com/sso/complete/saml", however when I actually try to log in with SAML, AWX is sending "http://127.0.0.1:80/sso/complete/saml/".

     Is there something I'm missing here, to have AWX send the expected ACS?  Thanks!!

Drew

Matthew Jones

Sep 27, 2017, 1:26:42 PM9/27/17
to Drew Stinnett, AWX Project
Does this look like what you're running into? https://github.com/ansible/awx/issues/119

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/f7b5e334-de04-4248-8e51-94f45d1aa1bb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Jones
Principal Software Engineer
Ansible Tower

Drew Stinnett

Sep 27, 2017, 1:35:20 PM9/27/17
to AWX Project
Not exactly, but it may be related... it looks like that bug report is for the port not getting passed to the SAML request correctly. In our instance, the protocol (https), port (443) and host (awx.example.com) are all getting passed through incorrectly.

I would expect to see the URL listed in the "SAML ASSERTION CONSUMER SERVICE (ACL) URL" field in the config (which is currently correct), to be what is sent as the ACS to the SAML provider, however it's using the 'http://127.0.0.1:80', instead of 'https://awx.example.com'.

I'm happy to open up a github bug report if that's more handy than the mailing list!


Drew Stinnett

Oct 16, 2017, 11:07:05 AM10/16/17
to AWX Project
I'm getting a little further now...I switched over to using nginx to do the SSL bits and proxy back to the container, and the correct ACS is sent.  Now I'm getting the following error though after performing my authentication:

Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://awx.example.com:8052/sso/complete/saml/ instead of https://awx.example.com/sso/complete/saml/).

It looks like the container port is getting appended in somewhere it shouldn't be.

idy...@gmail.com

Dec 19, 2017, 1:19:13 PM12/19/17
to AWX Project
Hello, I have a similar problem: the AWX frontend behind nginx sends the SAML IdP (ADFS) http://awx.somedomain.foo/sso/complete/saml instead of
https://awx.somedomain.foo/sso/complete/saml. I would be grateful if you could share a solution to this problem.
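All three reports in this thread (the original `http://127.0.0.1:80/...` ACS behind Apache, the `:8052` port behind nginx, and the `http://` instead of `https://` URL behind nginx in the reply above) come from the same mechanism: the service provider rebuilds the URL it thinks a request arrived at from what reaches its own socket, and then rejects a SAML response whose destination does not match the configured ACS. The model below is an added example, not AWX, python-social-auth or python3-saml code; the WSGI environments are constructed to mirror the symptoms in the thread, and the `X-Forwarded-*` handling is a generic proxy convention rather than any AWX setting. It shows how the reconstructed URL changes when the proxy does or does not forward the public scheme, host and port, and reproduces the destination check that produced the error message quoted earlier.

```python
"""Illustrative model of SAML SP request-URL reconstruction behind a reverse
proxy. Added example; not the code of AWX, python-social-auth or python3-saml."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ACS_PATH = "/sso/complete/saml/"
# The ACS URL configured in the thread's first post.
EXPECTED_ACS = "https://awx.example.com/sso/complete/saml"


def _split_host(host, default_port):
    """Split 'name[:port]' into (name, port); keep default_port if no port given."""
    if ":" in host:
        name, _, port = host.rpartition(":")
        return name, int(port)
    return host, default_port


def reconstruct_request_url(environ, trust_forwarded=False):
    """Rebuild the absolute request URL from a WSGI environ.

    Without trust_forwarded the app only sees what reached its own socket: the
    Host header the proxy sent, and the scheme and port it listens on. With it,
    X-Forwarded-Proto/Host/Port override those values. Default ports are
    omitted so the result can be compared with a configured ACS URL.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    server_port = int(environ.get("SERVER_PORT", DEFAULT_PORTS[scheme]))
    hostname, port = _split_host(environ.get("HTTP_HOST") or environ["SERVER_NAME"], server_port)
    if trust_forwarded:
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
        if "HTTP_X_FORWARDED_HOST" in environ:
            hostname, port = _split_host(environ["HTTP_X_FORWARDED_HOST"], port)
        port = int(environ.get("HTTP_X_FORWARDED_PORT", port))
    netloc = hostname if port == DEFAULT_PORTS.get(scheme) else f"{hostname}:{port}"
    return f"{scheme}://{netloc}{environ.get('PATH_INFO', '/')}"


def _normalize(url):
    """Canonical form for comparison: lowercase scheme/host, no default port, no trailing slash."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    host = (p.hostname or "").lower()
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{p.path.rstrip('/') or '/'}"


def check_acs_destination(received_url, expected_acs=EXPECTED_ACS):
    """SP-side destination check: None when the response arrived at the
    configured ACS, otherwise the rejection text in the same form as the
    error quoted in the thread."""
    if _normalize(received_url) == _normalize(expected_acs):
        return None
    return f"The response was received at {received_url} instead of {expected_acs}"


def _environ(**headers):
    """Constructed WSGI environ for a POST to the ACS path as the app process sees it."""
    base = {"REQUEST_METHOD": "POST", "PATH_INFO": ACS_PATH,
            "wsgi.url_scheme": "http", "SERVER_NAME": "127.0.0.1"}
    base.update(headers)
    return base


# Constructed: Apache `ProxyPass` to http://127.0.0.1:80 without ProxyPreserveHost.
# mod_proxy rewrites Host to the backend address and adds X-Forwarded-Host,
# but sends no X-Forwarded-Proto or X-Forwarded-Port.
APACHE_DEFAULT = _environ(HTTP_HOST="127.0.0.1:80", SERVER_PORT="80",
                          HTTP_X_FORWARDED_HOST="awx.example.com")
# Constructed: same proxy, now also forwarding the public scheme and port.
APACHE_FIXED = dict(APACHE_DEFAULT, HTTP_X_FORWARDED_PROTO="https", HTTP_X_FORWARDED_PORT="443")
# Constructed: nginx forwarding the public Host and scheme to a container
# listening on 8052, but not the public port.
NGINX_NO_PORT = _environ(HTTP_HOST="awx.example.com", SERVER_PORT="8052",
                         HTTP_X_FORWARDED_PROTO="https")
# Constructed: same, with the public port forwarded as well.
NGINX_FIXED = dict(NGINX_NO_PORT, HTTP_X_FORWARDED_PORT="443")


def main():
    cases = [("apache, headers ignored", APACHE_DEFAULT, False),
             ("apache, headers trusted", APACHE_DEFAULT, True),
             ("apache fixed, trusted", APACHE_FIXED, True),
             ("nginx no port, trusted", NGINX_NO_PORT, True),
             ("nginx fixed, trusted", NGINX_FIXED, True)]
    for label, env, trust in cases:
        url = reconstruct_request_url(env, trust)
        verdict = "ok" if check_acs_destination(url) is None else "REJECTED"
        print(f"{label:<26} {url:<48} {verdict}")


if __name__ == "__main__":
    main()
```

Two things to take from the model. First, the destination check is a deliberate control (a response accepted at an endpoint other than the one the IdP addressed it to is a classic SAML weakness), so the right fix is to make the proxy present the public scheme, host and port to the backend, not to loosen the comparison. Second, the branch that trusts `X-Forwarded-*` must only be enabled when the application is reachable solely through the proxy: if the backend port is also exposed directly, a client can supply those headers itself and steer the URL the SP believes it is serving.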