AWX integration with Okta

Hi guys:

Does anybody know how to properly configure AWX SAML authentication with Okta? I’m struggling with this matter because AWX (v15.0.1) shows me this in log file:

“ERROR social Authentication failed: SAML login failed: [‘invalid_response’] (There is no AttributeStatement on the Response).”

or this:

“WARNING awx.sso.backends Could not map user detail ‘first_name’ from SAML attribute ‘FirstName’; update SOCIAL_AUTH_SAML_ENABLED_IDPS[‘okta’][‘attr_first_name’] with the correct SAML attribute”

I’m not pretty sure how can I debug this. If anybody has some ideas, please help.

Thanks in advance

Hi.

Try following this article: https://access.redhat.com/solutions/4618191 (how to get access: https://old.reddit.com/r/sysadmin/comments/5136ty/anyone_has_access_to_redhats_knowledgebase/d78xsj2/ )
As for that error:
https://help.ftrack.com/en/articles/1430063-single-sign-on-via-saml

Under the advanced settings field, add the following:

{“security”: { “wantAttributeStatement”: false }}

Not sure if it’ll be enough - still struggling with it myself.

–Marek

Thanks a lot for your response.

I would really like to see what you did… I have tried various ways and times to configure it.

Thank you
Daniel

Hi

I would really like to see what you did… I have tried various ways and times to configure it.

These are my working settings:

• SAML SERVICE PROVIDER PUBLIC CERTIFICATE: I’ve pasted here the PEM certificate attached to the load balancer in front of AWX.
• SAML SERVICE PROVIDER PRIVATE KEY: I was never sure how this works or how it was used. As I didn’t have access to the private key of the certificate -because I was using a certificate from ACM- I’ve just pasted any private key created with openssl.
• SAML SERVICE PROVIDER ORGANIZATION INFO:
  {
  “en-US”: {
  “name”: “any-org-name”,
  “url”: “https://awx.at.mydomain.com”,
  “displayname”: “Whatever you want”
  }

}

• SAML SERVICE PROVIDER TECHNICAL CONTACT:
  {
  “emailAddress”: “technician@mydomain.com”,
  “givenName”: “any-name”
  }

• SAML SERVICE PROVIDER SUPPORT CONTACT:
  {
  “emailAddress”: “it-support@mydomain.com”,
  “givenName”: “any-name”
  }

• SAML ENABLED IDENTITY PROVIDERS
  {
  “my-okta-idp-name”: {
  “entity_id”: “http://www.okta.com/A-VALID-ENTITY-ID”,
  “attr_username”: “userName”,
  “attr_first_name”: “firstName”,
  “attr_user_permanent_id”: “name_id”,
  “url”: “https://YOUR-ORG-OKTA-NAME.okta.com/app/OKTA-APP-NAME/A-VALID-ENTITY-ID/sso/saml”,
  “attr_last_name”: “lastName”,
  “attr_email”: “Email”,
  “x509cert”: “OKTAAPP-PEM-CERTIFICATE-CONTENT-IN-ONE-SINGLE-LINE-WITHOUT-SPACES”
  }
  }

• An Entity ID is usually an alphanumeric random string generated for your Okta App

• SAML ORGANIZATION MAP. This might be different depending on your needs
  {
  “MY-AWX-ORG-NAME”: {
  “admins”: true,
  “users”: true
  }
  }
• All other SAML settings are set to their default values

Optionally, under “Settings → System” for the section “LOGIN REDIRECT OVERRIDE URL” I’ve set “/sso/login/saml/?idp=my-okta-idp-name” as value

Hope it helps

Thank you. I will look into this and see what I can do…

Was this in a specific file? I have been trying to configure from the AWX Gui.