AWX is the upstream version for Ansible Tower.
This documentation explains how to interconnect LemonLDAP::NG and AWX using SAML 2.0 protocol.
You can find the Official AWX documentation about this topic here : https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings Please read it before the LLNG doc.
This page assumes you already have configured the SAML Service in LemonLDAP::NG, if not please follow : SAML service configuration
You’ll need a private key and the corresponding certificate to setup saml in AWX, you can do it with your pki or with openssl on your machine :
openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes
AWX need a certificate for the IDP signature, a public key won’t work. You can either just generate a certificate from the private key and put it in AWX conf, or you can do it globally.
You can find your private key in : SAML2 Service -> Security Parameters -> Signature -> Private Key
Copy it somewhere secure as lemonldap.key, and then generate the certificate with this command :
openssl req -new -x509 -days 3650 -key lemonldap.key > lemonldap.crt
After that, if you want, you can replace your SAML public key with this certificate in LLNG configuration, this is not mandatory.
You’ll need an administrator account, then go to Settings -> Authentication -> SAML
There is a few settings :
This is the entityID for awx, lets put the fqdn : awx.example.com
Put the content of saml-awx.crt
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
Put the content of saml-awx.key
-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----
It will be replaced with $encrypted$
after you save the settings.
Organization Info for The SP, this is purely “for looks”
{
"en-US": {
"displayname": "AWX ACME",
"url": "https://awx.example.com",
"name": "awxacme"
}
}
Technical Contact for the SP
{
"emailAddress": "support@example.com",
"givenName": "Support ACME"
}
Support Contact for the SP
{
"emailAddress": "support@example.com",
"givenName": "Support ACME"
}
This is the configuration of the IdP :
{
"lemonldap": {
"attr_last_name": "sn",
"x509cert": "SOXGp.....",
"attr_username": "uid",
"entity_id": "https://auth.example.com/saml/metadata",
"attr_first_name": "givenName",
"attr_email": "mail",
"attr_user_permanent_id": "uid",
"url": "https://auth.example.com/saml/singleSignOn"
}
}
lemonldap.crt
generated
in the “LLNG SAML Certificate” sectionSave your configuration.
We now have to define a service provider in LL:NG.
Go to “SAML service providers”, click on “Add SAML SP” and name it as you want (example : ‘AWX’)
In the new subtree ‘AWX’, open ‘Metadata’ and paste the content of the
AWX Metadatas, wich can be found at the
SAML Service Provider Metadata URL
in AWX :
https://awx.example.com/sso/metadata/saml/
Now go in “Exported attributes” and add, the ‘uid’, ‘sn’, ‘givenName’, ‘mail’.
All four attributes are mandatory for AWX. Make sure they match the names of the attributes available in your LemonLDAP sessions.
Don’t forget to save your configuration.
You are now good to go, and you can add the application in your menu and your virtual hosts.
You should now have a SAML button on the login page :