AWX 9.1.1 - SAML Authentication

Hello,

I'm familiar with the SAML protocol and I'm trying to set up SAML authentication between AWX as SP and lemonldap as IDP.
I followed the instructions here https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html

I succeeded in establishing a SAML auth but only by bypassing Attributes Mapping with "wantAttributeStatement": false in the SAML security configuration. But I'm logged in with a random ID.
So I know my setup is correct on the remote IDP

I can see that the NameID (we use it on lemonldap side) is correctly fulfilled with my username (uid)

The fact is when this is enabled, I get the following error on AWX after authentication:

Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response).

Here is my setup

SOCIAL_AUTH_SAML_ENABLED_IDPS

{
"MY_IDP": {
"attr_email": "User.mail",
"attr_username": "User.uid",
"attr_first_name": "User.givenName",
"x509cert": "XXXX",
"attr_last_name": "User.givenName",
"url": "https://mysso.com/saml/singleSignOn",
"attr_user_permanent_id": "name_id",
"entity_id": "https://mysso.com/saml/metadata"
}
}

SAML ORGANISATION MAP:

{
"Default": {
"remove_users": true,
"remove_admins": true,
"users": true
},
"Systems Engineering": {
"remove_users": true,
"users": true,
"admins": [
"user1",
"user2",
"user3",
"user4"
],
"remove_admins": true
}
}

SAML Organization Attribute Mapping

{
"saml_attr": "uid",
"saml_admin_attr": "admin-of",
"remove_admins": true,
"remove": true
}

SAML TEAM MAP:

{
"My Team": {
"users": [
"/[^@]+?@test\.example\.com$/"
],
"organization": "MyCompany",
"remove": true
},
"Other Team": {
"users": [
"/[^@]+?@test\.example\.com$/"
],
"organization": "Test Org 2",
"remove": false
}
}

I guess the problem comes from the "SAML Organization Attribute Mapping" section. I understand I have to set up an attribute mapping in order to match my remote NameID (uid) to the AWX user ID.
But how does it work? The documentation example does not work even if we copy/paste it… :confused:

Any help would be appreciated!

Regards
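As an added illustration (not AWX, python-social-auth or python3-saml code, and not part of the original post), the following parses a constructed SAML assertion and shows the two behaviours described above: the "There is no AttributeStatement on the Response" rejection when the assertion carries only a NameID, and what the poster's attr_* mapping resolves to once attributes are present. The assertion XML, the user values and the want_attribute_statement flag are assumptions made for the example.

```python
"""Why a SAML login fails without an AttributeStatement, and what the
attr_* mapping yields. Added example; XML, values and flag are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion carrying only a Subject NameID, no AttributeStatement.
NAMEID_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed assertion that also carries the attributes the mapping expects.
WITH_ATTRS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.mail"><saml:AttributeValue>jdoe@test.example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The attr_* keys from the post; "name_id" means "take the Subject NameID".
IDP_CONFIG = {
    "attr_user_permanent_id": "name_id",
    "attr_username": "User.uid",
    "attr_email": "User.mail",
}

def parse_assertion(xml_text, want_attribute_statement=True):
    """Return (name_id, {attribute name: [values]}). When the statement is
    required but absent, raise the same condition the reported error names."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    stmt = root.find("saml:AttributeStatement", NS)
    if stmt is None and want_attribute_statement:
        raise ValueError("There is no AttributeStatement on the Response")
    attrs = {}
    for attr in (stmt.findall("saml:Attribute", NS) if stmt is not None else []):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs

def user_details(name_id, attrs, cfg):
    """Resolve each attr_* key against the parsed data; an attribute the IdP
    did not send resolves to None, which is what the SP then has to fall back on."""
    def pick(key):
        src = cfg[key]
        return name_id if src == "name_id" else (attrs.get(src) or [None])[0]
    return {k: pick(k) for k in ("attr_user_permanent_id", "attr_username", "attr_email")}
```

With the flag relaxed, the permanent id still comes from the NameID, but attr_username resolves to nothing because "User.uid" is never sent as an attribute, which is why relaxing the check alone does not give a properly named user.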
