awx
Unable to create organization admin using SAML based SSO Authn and Authz
Please confirm the following
- [X] I agree to follow this project's code of conduct.
- [X] I have checked the current issues for duplicates.
- [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
Bug Summary
Requirement: Integrate AWX with SAML SSO and enable RBAC (SSO user and AWX org/team mapping)
We need multiple organizations and multiple teams in AWX. We have groups (DLs) in Azure AD. A user can be part of more than one AD group; for example, I am part of 50+ AD groups. A certain group in AD wants to use our AWX instance. For authn and authz we have decided to use SAML-based SSO. We must not use LDAP-based SSO for security reasons. We can't use the Azure AD option as it does not allow group/DL mapping in the team_org map.
So I followed this guide to configure the SAML in AWX which involves creating the Enterprise application in Azure AD, creating attributes and claims in AD, configuring the URLs and Certificates, etc. All done. We are able to log in to AWX. Authentication is working perfectly fine. No issue.
The problem we are facing is in authorization.
SAML TEAM ATTRIBUTE MAPPING:
{
    "saml_attr": "User.groups",
    "team_org_map": [
        {
            "team_alias": "team1",
            "team": "group1-id",
            "organization": "myOrg"
        }
    ],
    "remove": true
}
User.groups returns the list of group ids the user is part of, so I am using team_alias to give a friendly name to the team. This mapping creates the user under a team, and after logging in the user does not have any permission to create/execute resources in the respective organization. I want that user to be created as an admin of the organization so that he can do anything in myOrg, or to have permission to do anything in myOrg.
Can someone assist with this issue, please?
AWX version
12.0.0
Select the relevant components
- [X] UI
- [ ] API
- [X] Docs
- [ ] Collection
- [ ] CLI
- [X] Other
Installation method
kubernetes
Modifications
no
Ansible version
2.9.9
Operating system
Ubuntu
Web browser
Chrome
Steps to reproduce
Follow the doc: https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#id4
Expected results
After signing in, the user should be an admin of the org or have permission to do anything in the org. All of this should be driven by the team_org mapping or any other configuration that can be used in the SAML config.
Actual results
The user is created as a normal user under a team and does not have permission to do anything.
Additional information
No response
According to the latest SAML docs, to add a user as an org admin you need the configuration to include the admins field in the organization mapping. See list items 11 and 12 of https://docs.ansible.com/automation-controller/latest/html/administration/ent_auth.html#saml-settings for more details, in addition to https://docs.ansible.com/automation-controller/latest/html/administration/social_auth.html#ag-org-team-maps.
Unfortunately, I don't have specific documentation for version 12 nor do I have a version 12 instance to test this with. If this does not work in version 12 of AWX it will be hard to tell if this is a bug in that version or just not a feature that was in that version.
Please try adding that setting to your configuration (if applicable) to see if it works. If it does not work, can you try installing the latest version of AWX and setting up the SAML configuration there to see if it works?
I have checked SAML ORGANIZATION MAP and SAML TEAM MAP. The problem with this configuration is that it accepts only a list of email addresses and usernames for admins and users.
{
    "Test Org": {
        "admins": ["[email protected]", "[email protected]", "[email protected]"],
        "users": true
    }
}
There is no way to map an AD group or DL as organization admin/user, and the same goes for teams. We can't create users under a team from an AD group. Consider a case where we have 10,000 users in an AD group and we want all of them as org admins or org users; maintaining a list of 10,000 users is not a scalable/maintainable option.
This is possible using LDAP integration, though we do not use it for security reasons - https://docs.ansible.com/automation-controller/latest/html/administration/ldap_auth.html#ldap-organization-and-team-mapping
We want the same with SAML as the way LDAP org/team mapping works:
{
    "LDAP Organization": {
        "admins": "cn=engineering_admins,ou=groups,dc=example,dc=com",
        "remove_admins": false,
        "users": [
            "cn=engineering,ou=groups,dc=example,dc=com",
            "cn=sales,ou=groups,dc=example,dc=com",
            "cn=it,ou=groups,dc=example,dc=com"
        ],
        "remove_users": false
    }
}
Here, we are able to pass a group name as admin and a list of groups as users.
Thanks for the clarification on this.
Any news on whether this feature will make it in any time soon? This would be great to have. Basically, it would allow us to move away from LDAP to SAML for enterprise authentication and authorization by adding feature parity.
@hari-hud we can achieve this in Ansible Tower 3.8 by setting the Org Map like this:
{
    "CN=Ansible Tower Org Admins,OU=Common,OU=Groups,DC=contoso,DC=com": {
        "organization_alias": "Contoso"
    }
}
And then by setting the saml_admin_attr value in the Org Attributes:
{
    "remove_admins": true,
    "saml_admin_attr": "org-admins"
}
Where org-admins is an attribute passed by the SAML provider, which maps to the LDAP DN in the Org Map.
When we do this, members of the Org Admins LDAP group are given Org Admin permissions on Tower. However, this functionality changed in the latest release, AAP 2.3, and it seems like AAP is ignoring the saml_admin_attr parameter.
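The two mapping styles discussed in this thread (the org map that only accepts explicit usernames/emails, and the Tower 3.8 workaround that keys the org map by a group DN with an organization_alias and points saml_admin_attr at a SAML claim carrying that DN) are easy to get subtly wrong, and a bad mapping either locks users out or silently grants org admin. The script below is an added example, not AWX or Tower code: it models the documented semantics of SAML_ORGANIZATION_ATTR (saml_attr / saml_admin_attr), SAML_TEAM_ATTR (saml_attr + team_org_map, including team_alias) and the organization_alias key of SAML_ORGANIZATION_MAP, plus the remove / remove_admins flags, so a proposed mapping can be dry-run against a sample assertion before it is deployed. The settings, group ids, claim names and the assertion itself are constructed for the example; the exact role-assignment behaviour of a given AWX/AAP release must still be confirmed against that release.

```python
"""Offline dry-run of an AWX/Tower-style SAML org/team mapping.

Added example, not AWX's own code. It models the documented meaning of the
SAML_ORGANIZATION_ATTR, SAML_TEAM_ATTR and SAML_ORGANIZATION_MAP settings
closely enough to predict the roles one assertion would yield. Everything
below (settings, group ids, claim names, assertion) is constructed.
"""


def _values(attrs, name):
    """Return a SAML attribute's values as a list (attributes may be multi-valued)."""
    if not name:
        return []
    value = attrs.get(name, [])
    return [value] if isinstance(value, str) else list(value)


def resolve_orgs(attrs, org_attr, org_map):
    """Orgs the user becomes member of / admin of via SAML_ORGANIZATION_ATTR.

    An org-map key with organization_alias renames a raw attribute value
    (here an AD group DN) to the AWX organization name; that is the trick
    the thread uses to make a whole group org admin without listing users.
    """
    aliases = {key: spec.get("organization_alias", key) for key, spec in org_map.items()}
    members = {aliases.get(v, v) for v in _values(attrs, org_attr.get("saml_attr"))}
    admins = {aliases.get(v, v) for v in _values(attrs, org_attr.get("saml_admin_attr"))}
    return members, admins


def resolve_teams(attrs, team_attr):
    """(organization, team) pairs granted via SAML_TEAM_ATTR.team_org_map.

    The 'team' value is matched against the attribute values (Azure AD group
    ids here); team_alias supplies the friendly team name that is created.
    """
    groups = set(_values(attrs, team_attr.get("saml_attr")))
    return {
        (entry["organization"], entry.get("team_alias", entry["team"]))
        for entry in team_attr.get("team_org_map", [])
        if entry["team"] in groups
    }


def apply_remove(current, granted, remove):
    """Model remove / remove_admins: with remove=True the assertion is
    authoritative and memberships it does not grant are dropped; with
    remove=False existing memberships are kept and the new ones added."""
    return set(granted) if remove else set(current) | set(granted)


# Constructed settings mirroring the workaround posted above.
ORG_MAP = {
    "CN=Ansible Tower Org Admins,OU=Common,OU=Groups,DC=contoso,DC=com": {
        "organization_alias": "Contoso",
    },
}
ORG_ATTR = {"remove_admins": True, "saml_admin_attr": "org-admins"}
TEAM_ATTR = {
    "saml_attr": "User.groups",
    "team_org_map": [
        {"team_alias": "team1", "team": "group1-id", "organization": "Contoso"},
    ],
    "remove": True,
}

# Constructed assertion for one user: the Azure AD group-id list plus a
# separate claim that carries the admin group's DN.
ASSERTION = {
    "User.groups": ["group1-id", "group9-id"],
    "org-admins": ["CN=Ansible Tower Org Admins,OU=Common,OU=Groups,DC=contoso,DC=com"],
}


def check_user(attrs=ASSERTION, current_admin=frozenset({"OldOrg"})):
    """Roles the user would hold after login, given prior admin rights."""
    members, admins = resolve_orgs(attrs, ORG_ATTR, ORG_MAP)
    teams = resolve_teams(attrs, TEAM_ATTR)
    final_admin = apply_remove(current_admin, admins, ORG_ATTR["remove_admins"])
    return {"member_of": members, "admin_of": final_admin, "teams": teams}


if __name__ == "__main__":
    for role, value in check_user().items():
        print(f"{role}: {sorted(value)}")
```

Run against the constructed assertion, the user lands in team1 of Contoso and becomes Contoso org admin, and the stale OldOrg admin right is dropped because remove_admins is true; a user whose assertion lacks the org-admins claim gets no admin role at all, which is the check to make before trusting the mapping in production.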