Okta Idp SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected).
Please confirm the following
- [X] I agree to follow this project's code of conduct.
- [X] I have checked the current issues for duplicates.
- [X] I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
Bug Summary
I have configured SAML within AWX through awx-operator and used the documentation below as reference:
- https://github.com/ansible/awx/blob/devel/docs/auth/saml.md
- https://github.com/ansible/awx-operator/issues/1284#issuecomment-1876713119
- https://medium.com/@sazipkin/setting-up-ansible-tower-with-okta-a132644be980
- https://python-social-auth.readthedocs.io/en/latest/backends/saml.html#advanced-settings
- https://groups.google.com/g/awx-project/c/rlnfNmX-YJE/m/PZQft_xIBQAJ
SAML workflow:
- The AWX (SP) login page shows an option to do SAML login
- AWX redirects to the Okta Single Sign-On URL
- After Okta login it goes back to the AWX login page again and SAML login never works. I verified the IdP x509 cert is valid in the SAML request
AWX Web container logs:

```text
100.x.x.x - - [25/Jul/2024:01:40:27 +0000] "POST /api/login/ HTTP/1.1" 401 5973 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 5/10] 100.x.x.x () {80 vars in 1457 bytes} [Thu Jul 25 01:40:27 2024] POST /api/login/ => generated 5973 bytes in 229 msecs (HTTP/1.1 401) 10 headers in 470 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:40:51 +0000] "GET /sso/login/saml/?idp=okta HTTP/1.1" 302 0 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 22|app: 0|req: 4/11] 100.x.x.x () {76 vars in 1443 bytes} [Thu Jul 25 01:40:51 2024] GET /sso/login/saml/?idp=okta => generated 0 bytes in 207 msecs (HTTP/1.1 302) 12 headers in 1264 bytes (1 switches on core 0)
Signature validation failed. SAML Response rejected
2024-07-25 01:41:32,944 ERROR [f6819bcd33c84644add21d3d89e17e69] social Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected).
100.x.x.x - - [25/Jul/2024:01:41:32 +0000] "POST /sso/complete/saml/ HTTP/1.1" 302 0 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 8/14] 100.x.x.x () {80 vars in 1512 bytes} [Thu Jul 25 01:41:32 2024] POST /sso/complete/saml/ => generated 0 bytes in 82 msecs (HTTP/1.1 302) 10 headers in 461 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET /sso/error/ HTTP/1.1" 301 0 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 24|app: 0|req: 1/15] 100.x.x.x () {76 vars in 1463 bytes} [Thu Jul 25 01:41:33 2024] GET /sso/error/ => generated 0 bytes in 79 msecs (HTTP/1.1 301) 10 headers in 463 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET / HTTP/1.1" 200 1044 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 9/16] 100.x.x.x () {74 vars in 1443 bytes} [Thu Jul 25 01:41:33 2024] GET / => generated 1044 bytes in 23 msecs (HTTP/1.1 200) 9 headers in 438 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET /api/ HTTP/1.1" 200 186 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
```
AWX Operator version
2.19.0
AWX version
24.6.0
Kubernetes platform
kubernetes
Kubernetes/Platform version
1.29
Modifications
no
Steps to reproduce
- Okta settings:
  - Single Sign-On URL: https://awx.companydomain.net/sso/complete/saml/
  - Audience URI (SP Entity ID): https://awx.companydomain.net
  - Default RelayState: (Nothing is here)
  - Name ID Format: Unspecified
  - Application Username: Okta Username
  - Advanced Settings:
    - Response: Signed
    - Assertion Signature: Signed
    - Signature Algorithm: RSA-SHA256
    - Digest Algorithm: SHA256
    - Assertion Encryption: Unencrypted
    - Single Logout: Not Enabled
  - Attribute Statements (with Name Format Unspecified): FirstName, LastName, Email, UserName
  - Okta Attribute Values: user.firstName, user.lastName, user.email, user.login
  - Group Attribute Statements (with Name Format Unspecified): Groups
  - Okta Group Attribute Values: .*
- AWX settings:

  ```yaml
  extra_settings:
    - setting: TOWER_URL_BASE
      value: '"https://awx.companydomain.net"'
    - setting: SOCIAL_AUTH_SAML_SP_ENTITY_ID
      value: '"https://awx.companydomain.net"'
    - setting: SOCIAL_AUTH_SAML_ORG_INFO
      value: { "en-US": { "name": "Ansible AWX", "url": "https://awx.companydomain.net", "displayname": "Ansible AWX" } }
    - setting: SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
      value: '"-----BEGIN CERTIFICATE-----\nONELINECERT-----\nEND CERTIFICATE-----"'
    - setting: SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
      value: '"-----BEGIN PRIVATE KEY-----\nONELINECERT-----\nEND PRIVATE KEY-----"'
    - setting: SOCIAL_AUTH_SAML_TECHNICAL_CONTACT
      value: { "emailAddress": "it-devops@companydomain", "givenName": "okta user fName lName" }
    - setting: SOCIAL_AUTH_SAML_SUPPORT_CONTACT
      value: { "emailAddress": "it-devops@companydomain", "givenName": "okta user fName lName" }
    - setting: SOCIAL_AUTH_SAML_SECURITY_CONFIG
      value: { "requestedAuthnContext": false }
    - setting: SOCIAL_AUTH_SAML_SP_EXTRA
      value: {}
    - setting: SOCIAL_AUTH_SAML_EXTRA_DATA
      value: []
    - setting: SOCIAL_AUTH_SAML_ENABLED_IDPS
      value: { "okta": { "entity_id": "http://www.okta.com/<uniqueAppId>", "url": "https://companydomain.okta.com/app/<appName>/<uniqueAppId>/sso/saml", "x509cert": "ONELINECERT", "attr_first_name": "FirstName", "attr_last_name": "LastName", "attr_email": "Email", "attr_username": "UserName", "attr_user_permanent_id": "Email" } }
    - setting: SOCIAL_AUTH_SAML_ORGANIZATION_MAP
      value: { "Default": { "users": true } }
    - setting: SOCIAL_AUTH_SAML_TEAM_MAP
      value: {}
    - setting: SOCIAL_AUTH_SAML_ORGANIZATION_ATTR
      value: {}
    - setting: SOCIAL_AUTH_SAML_TEAM_ATTR
      value: {}
    - setting: SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR
      value: {}
  ```

  Note: Used `awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' certfilename` to output the single-line certificate.
- Okta SAML login from AWX fails and redirects to the AWX login page
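As an added diagnostic (not from this issue, AWX or python-social-auth), the script below checks one common cause of this exact python3-saml error: the `x509cert` pasted into SOCIAL_AUTH_SAML_ENABLED_IDPS not matching the certificate Okta embeds in the signed Response and Assertion, since python3-saml validates the signatures against the configured cert. It fingerprints both sides, tolerating PEM armour and the literal `\n` sequences of a one-line value; the certificate bytes and the SAML Response are constructed placeholders, and the function names are mine.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholders: these bytes are not real X.509 certificates.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder DER bytes").decode()
MISMATCHED_CERT_B64 = base64.b64encode(b"a different placeholder cert").decode()

# Constructed Response with a Response-level and an Assertion-level ds:Signature,
# the shape Okta emits with Response: Signed and Assertion Signature: Signed.
# Only the KeyInfo part of each signature is modelled.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Assertion ID="_a1"><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>
</samlp:Response>"""

def normalize_cert(cert: str) -> str:
    """Strip PEM armour, whitespace and literal '\\n' sequences, leaving bare base64."""
    cert = cert.replace("\\n", "\n")
    cert = re.sub(r"-----(BEGIN|END)[^-]*-----", "", cert)
    return re.sub(r"\s+", "", cert)

def cert_fingerprint(cert: str) -> str:
    """Hex SHA-256 of the DER bytes; raises binascii.Error on invalid base64."""
    der = base64.b64decode(normalize_cert(cert), validate=True)
    return hashlib.sha256(der).hexdigest()

def signing_certs(saml_response_xml: str) -> dict:
    """Map each signed element (Response, Assertion) to its embedded cert fingerprint."""
    found = {}
    for elem in ET.fromstring(saml_response_xml).iter():
        sig = elem.find(DS + "Signature")  # only a direct-child Signature counts
        x509 = sig.find(f".//{DS}X509Certificate") if sig is not None else None
        if x509 is not None and x509.text:
            found[elem.tag.rsplit("}", 1)[-1]] = cert_fingerprint(x509.text)
    return found

def check_idp_cert(configured_x509cert: str, saml_response_xml: str) -> dict:
    """True per signed element when its cert equals the configured one; False is the mismatch."""
    expected = cert_fingerprint(configured_x509cert)
    return {k: fp == expected for k, fp in signing_certs(saml_response_xml).items()}
```

To use it on a real login, base64-decode the SAMLResponse form field your browser posts to /sso/complete/saml/ and pass it with the `x509cert` value from extra_settings; any False means Okta is signing with a different certificate than the one configured.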
Expected results
SAML login should work
Actual results
`social Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected)` and redirects to the AWX login page
Additional information
No response
Operator Logs
No response