AWX integration with Okta


Angel Rengifo Cancino

Feb 4, 2021, 12:28:49 PM
to AWX Project
Hi guys:

Does anybody know how to properly configure AWX SAML authentication with Okta? I'm struggling with this matter because AWX (v15.0.1) shows me this in log file:

"ERROR social Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response)."

or this:

"WARNING awx.sso.backends Could not map user detail 'first_name' from SAML attribute 'FirstName'; update SOCIAL_AUTH_SAML_ENABLED_IDPS['okta']['attr_first_name'] with the correct SAML attribute"

I'm not really sure how I can debug this. If anybody has some ideas, please help.

Thanks in advance

Marek Z

Apr 6, 2021, 11:33:35 AM
to AWX Project
Hi.

As for that error:

Under the advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

Not sure if it'll be enough - still struggling with it myself.

--Marek

Angel Rengifo Cancino

Apr 6, 2021, 11:39:52 AM
to Marek Z, AWX Project
Thanks a lot for your response.

On Tue, Apr 6, 2021 at 10:33 AM Marek Z <zzz...@gmail.com> wrote:
> Hi.
>
> As for that error:
>
> Under the advanced settings field, add the following:
>
> {"security": { "wantAttributeStatement": false }}

In the end I didn't need to make such a change or any other special changes. My problem occurred due to an incorrect configuration of the App in Okta. Once that was fixed, AWX was able to successfully log in through Okta.


Daniel@Vistra

Apr 6, 2021, 5:01:11 PM
to AWX Project
I would really like to see what you did... I have tried various ways and times to configure it.

Thank you
Daniel

Angel Rengifo Cancino

Apr 7, 2021, 7:39:43 AM
to Daniel@Vistra, AWX Project
Hi

On Tue, Apr 6, 2021 at 4:01 PM Daniel@Vistra <daniel...@vistracorp.com> wrote:
> I would really like to see what you did... I have tried various ways and times to configure it.

These are my working settings:

- SAML SERVICE PROVIDER PUBLIC CERTIFICATE: I've pasted here the PEM certificate attached to the load balancer in front of AWX.
- SAML SERVICE PROVIDER PRIVATE KEY: I was never sure how this works or how it was used. As I didn't have access to the private key of the certificate -because I was using a certificate from ACM- I've just pasted any private key created with openssl.
- SAML SERVICE PROVIDER ORGANIZATION INFO:
{
 "en-US": {
  "name": "any-org-name",
  "url": "https://awx.at.mydomain.com",
  "displayname": "Whatever you want"
 }
}
- SAML SERVICE PROVIDER TECHNICAL CONTACT:
{
 "emailAddress": "techn...@mydomain.com",
 "givenName": "any-name"
}
- SAML SERVICE PROVIDER SUPPORT CONTACT:
{
 "emailAddress": "it-su...@mydomain.com",
 "givenName": "any-name"
}
- SAML ENABLED IDENTITY PROVIDERS
{
 "my-okta-idp-name": {
  "entity_id": "http://www.okta.com/A-VALID-ENTITY-ID",
  "attr_username": "userName",
  "attr_first_name": "firstName",
  "attr_user_permanent_id": "name_id",
  "url": "https://YOUR-ORG-OKTA-NAME.okta.com/app/OKTA-APP-NAME/A-VALID-ENTITY-ID/sso/saml",
  "attr_last_name": "lastName",
  "attr_email": "Email",
  "x509cert": "OKTAAPP-PEM-CERTIFICATE-CONTENT-IN-ONE-SINGLE-LINE-WITHOUT-SPACES"
 }
}
* An Entity ID is usually an alphanumeric random string generated for your Okta App

- SAML ORGANIZATION MAP. This might be different depending on your needs
{
 "MY-AWX-ORG-NAME": {
  "admins": true,
  "users": true
 }
}
- All other SAML settings are set to their default values

Optionally, under "Settings -> System" for the section "LOGIN REDIRECT OVERRIDE URL" I've set "/sso/login/saml/?idp=my-okta-idp-name" as value

Hope it helps
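
Added example, not part of the original posts: a small Python check that compares the attribute names in a SAML assertion against the attr_* keys of a SAML ENABLED IDENTITY PROVIDERS entry, covering both log messages from the first post (missing AttributeStatement, and a name that differs only in case such as 'FirstName' vs 'firstName'). The function name check_mapping, the IDP dictionary and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP entry using the same attr_* keys as the settings in the thread.
IDP = {
    "attr_username": "userName",
    "attr_first_name": "firstName",
    "attr_last_name": "lastName",
    "attr_email": "Email",
    "attr_user_permanent_id": "name_id",
}

# Constructed assertion: the IdP app sends "FirstName" and no "Email" attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_mapping(assertion_xml, idp):
    """Return a list of findings; an empty list means every attr_* name is present."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AttributeStatement", NS)
    if stmt is None:
        return ["no AttributeStatement: add attribute statements to the IdP app"]
    sent = {a.get("Name") for a in stmt.findall("saml:Attribute", NS)}
    by_lower = {name.lower(): name for name in sent}
    findings = []
    for key, wanted in sorted(idp.items()):
        # "name_id" is taken from the Subject NameID, not from an Attribute element.
        if not key.startswith("attr_") or wanted == "name_id":
            continue
        if wanted in sent:
            continue
        near = by_lower.get(wanted.lower())
        hint = f"IdP sends '{near}' (case differs)" if near else "not sent by IdP"
        findings.append(f"{key}: '{wanted}' {hint}")
    return findings

if __name__ == "__main__":
    for line in check_mapping(SAMPLE, IDP) or ["mapping OK"]:
        print(line)
```

The assertion XML to feed in can be taken from the base64-decoded SAMLResponse form field that the browser posts back to AWX after the Okta login.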


Daniel@Vistra

Apr 15, 2021, 5:17:38 PM
to AWX Project
Thank you. I will look into this and see what I can do...

Daniel@Vistra

Apr 15, 2021, 5:20:04 PM
to AWX Project
Was this in a specific file? I have been trying to configure from the AWX GUI.