SAML Error CSRF Verification Failed. Request aborted.


Nicholas Tripp

Nov 14, 2022, 3:41:32 PM
to AWX Project
I set up SAML with Okta.

I've followed this

tower_URL_base is set, everything is set so backend enables.

The SAML link on the login page does the dance to Okta, comes back, and AWX reports:

CSRF Verification Failed. Request aborted.
then
More information is available with DEBUG=True

Not sure what else to check here. I have turned the logs up to Debug. Where should I even be able to see this verbose output? What is this CSRF verification?


AWX Project

Nov 16, 2022, 2:53:06 PM
to AWX Project
CSRF is Cross Site Request Forgery. At a very high level, when you hit AWX for the first time in a browser you get a CSRF cookie, and that cookie is used in combination with your session to ensure someone does not try to interject you into the application in a weird way.

Can you look at the login page with a fresh session and look at the first call to api/ and validate that the response includes a Set-Cookie like:
Set-Cookie: csrftoken=kSOU2LN8JAHQ76z85zgQ25fdCLcDNwr7yWYAyNFdPwEcrGspxIvQ1POzRfRcdAO6; Path=/; SameSite=Lax

And then validate that when you get back from Okta you have the same token?

If logs are set to debug you should see information when AWX is processing the SAML assertion in the AWX logs but I think invalid CSRF will knock you out before that process happens.

-The AWX Team
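The check the AWX team describes above (does the first call to api/ issue a csrftoken cookie, and does the browser present the same token after the Okta redirect) can be scripted. The following is an added example, not code from the AWX project or from anyone in this thread. It parses the Set-Cookie header from the first api/ response and the Cookie header of the request that arrives after the redirect, and reports the mismatches a practitioner would look for: no token issued, a Secure-flagged token on a plain-HTTP base URL (which is what the csrf_cookie_secure setting discussed later in the thread controls), a SameSite=Strict token, a token that the browser never sent back, or a token that differs from the issued one. The base URL, session id and header samples are constructed; the csrftoken value mirrors the one quoted above. The live fetch helper and its "/api/" path are assumptions and are not executed by the sample run.

```python
"""Check the AWX CSRF cookie handshake around a SAML login.
Added example, not AWX project code; samples below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
import urllib.request

COOKIE_NAME = "csrftoken"  # name of the CSRF cookie quoted in the thread


def parse_csrf_cookie(set_cookie_headers):
    """Find the csrftoken cookie among a response's Set-Cookie headers.
    Returns (value, attrs) or None when no csrftoken was issued."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if COOKIE_NAME in jar:
            morsel = jar[COOKIE_NAME]
            attrs = {
                "secure": bool(morsel["secure"]),
                "samesite": (morsel["samesite"] or "").lower(),
                "path": morsel["path"],
            }
            return morsel.value, attrs
    return None


def check_csrf_handshake(base_url, first_set_cookie_headers, return_cookie_header):
    """Compare the csrftoken issued on the first api/ call with what the browser
    sends on the request that follows the Okta redirect.
    Returns a list of findings; an empty list means the handshake looks sane."""
    findings = []
    issued = parse_csrf_cookie(first_set_cookie_headers)
    if issued is None:
        return ["no %s Set-Cookie on the first api/ response" % COOKIE_NAME]
    token, attrs = issued
    scheme = urlparse(base_url).scheme
    # A Secure cookie is silently discarded by the browser over plain HTTP;
    # this is the situation the csrf_cookie_secure setting controls.
    if attrs["secure"] and scheme != "https":
        findings.append("csrftoken is marked Secure but AWX is reached over %s; "
                        "the browser will drop it" % scheme)
    # The sample in the thread uses SameSite=Lax; Strict would never be sent
    # on the cross-site return from the identity provider.
    if attrs["samesite"] == "strict":
        findings.append("csrftoken is SameSite=Strict; it is not sent on the "
                        "cross-site return from the IdP")
    returned = SimpleCookie()
    returned.load(return_cookie_header)  # a Cookie: request header parses the same way
    if COOKIE_NAME not in returned:
        findings.append("browser sent no csrftoken after the Okta redirect "
                        "(cookie lost or never stored)")
    elif returned[COOKIE_NAME].value != token:
        findings.append("csrftoken after the redirect differs from the issued one "
                        "(different host or a fresh session)")
    return findings


def fetch_first_set_cookie_headers(base_url, timeout=10):
    """Live variant (assumed /api/ path; not used by the sample run): GET
    <base_url>/api/ with a fresh, cookie-less client and return its Set-Cookie headers."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/", timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples: the Set-Cookie line mirrors the one quoted in the thread.
SAMPLE_BASE_URL = "https://awx.example.test"
SAMPLE_FIRST_RESPONSE = [
    "csrftoken=kSOU2LN8JAHQ76z85zgQ25fdCLcDNwr7yWYAyNFdPwEcrGspxIvQ1POzRfRcdAO6; Path=/; SameSite=Lax",
]
SAMPLE_RETURN_GOOD = ("csrftoken=kSOU2LN8JAHQ76z85zgQ25fdCLcDNwr7yWYAyNFdPwEcrGspxIvQ1POzRfRcdAO6; "
                      "awx_sessionid=constructed-session-id")
SAMPLE_RETURN_LOST = "awx_sessionid=constructed-session-id"  # csrftoken missing after the redirect

if __name__ == "__main__":
    for label, cookie_hdr in (("good", SAMPLE_RETURN_GOOD), ("lost", SAMPLE_RETURN_LOST)):
        result = check_csrf_handshake(SAMPLE_BASE_URL, SAMPLE_FIRST_RESPONSE, cookie_hdr)
        print(label, result or "OK")
```

To run it against a real instance, capture the Set-Cookie headers of the first api/ call (fetch_first_set_cookie_headers or the browser's network tab) and the Cookie header of the request your browser makes when it lands back on AWX after Okta, then pass both to check_csrf_handshake with the URL the browser actually uses.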

Nicholas Tripp

Nov 16, 2022, 3:32:43 PM
to awx-p...@googlegroups.com
I'm using helm chart deploy of awx-operator with nginx lb. Is there some reason that would cause this? 

OID doesn't have an issue, but I can't really do the group mappings I need in there from what I can see. 


Nicholas Tripp

Nov 16, 2022, 3:33:40 PM
to awx-p...@googlegroups.com
Also, I set logging to Debug in the GUI, but the logs showing on the container don't seem any different. Is there some other way I need to turn that on?

AWX Project

Nov 18, 2022, 1:30:12 PM
to AWX Project

Hello, 
We have a follow-up question regarding the manner in which you are conducting your nginx load balancing. Do you have more than one AWX web node behind the load balancer, or is it just a front end for a single instance?

When Okta is redirecting you back to AWX are you hitting a load balancer or the node directly?

The DEBUG=True is a development setting and not something we would suggest turning on in production. If you are not running this in a production environment, or if you have a sandbox/testing environment, please let us know and we can further assist you with the steps to enable debugging. 

-AWX Team 

Nicholas Tripp

Nov 18, 2022, 2:49:29 PM
to awx-p...@googlegroups.com
On Fri, Nov 18, 2022 at 1:30 PM AWX Project <awx-p...@googlegroups.com> wrote:

> Hello,
> We have a follow-up question regarding the manner in which you are conducting your nginx load balancing. Do you have more than one AWX web node behind the load balancer, or is it just a front end for a single instance?

I'm using NodePort ingress. I have only 1 AWX web node. The ingress is what sets up a trusted certificate and registers DNS.

apiVersion: v1
kind: Service
metadata:
  labels:
    app: awx-demo
  name: awx-demo
  namespace: awx-test
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 30080
  selector:
    app: awx-demo-service
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-demo
  namespace: awx-test
  annotations:
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/target-type: "ip"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: <the cert>
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/enable-cors: "true"
spec:
  rules:
    - host: <some fqdn>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: awx-demo-service
                port:
                  number: 80

> When Okta is redirecting you back to AWX are you hitting a load balancer or the node directly?

I believe Okta redirects back to the LB.

> The DEBUG=True is a development setting and not something we would suggest turning on in production. If you are not running this in a production environment, or if you have a sandbox/testing environment, please let us know and we can further assist you with the steps to enable debugging.

This is my dev/testing instance.

Nicholas Tripp

Nov 22, 2022, 2:47:59 PM
to AWX Project
I added:

csrf_cookie_secure: 'False'

but it doesn't seem like the setting is being applied, even though I see it in the last-applied-configuration.

Nicholas Tripp

Nov 28, 2022, 12:23:22 PM
to AWX Project
still failing with csrf_cookie_secure: 'False'

per documentation ...

how do I get this working?
