AWX SAML authentication with Okta - RelayState

"POST /sso/complete/saml HTTP/1.1" 301 5 "https://company.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0" "10.96.64.109"

2024-07-25 14:40:18,557 ERROR [f924a3e35ad645a5857549526349008b] social 'RelayState'.

I am following:
21. Setting up Enterprise Authentication — Ansible AWX community documentation

I set the RelayState in Okta to “okta” as I named it in AWX and it did not change the result. What does RelayState need to be? The other post in the forums about RelayState said it was on the okta side but did not explain what was fixed.

Hi @trippinnik - have you looked at this discussion? Okta saml auth error social 'RelayState'. It appears a trailing "/" was what was breaking this.

That's the post I mentioned. If you read the post, it explains that the issue was 'on Okta side'; before that, it was the trailing slash.

The post doesn't really provide helpful information to anyone having the same problem.

Bump. No one has experience getting SAML working? The documentation is lacking important specifics, and the only other post about the same error gives no solution.

I have not set up SAML with AWX before (Okta or otherwise), so I cannot help you. @jdp11d might be able to help and answer questions since he did this recently.

It’s not clear to me if it was the presence or the absence of the trailing slash “/” that caused an issue; however, aside from the “/” issue, it may be prudent for you and/or your Okta Admin to go over the following guide:

Setting Up Ansible Tower with Okta | by Sarah | Medium

I’ve read the guide as I mentioned. I don’t know why you’re replying if you can’t provide anything useful to the issue.

It isn’t clear what you have or haven’t done. You haven’t provided any snippets of your configurations on either the AWX or Okta side. The very post you claim has no solution claims that guide was all they needed besides fixing the trailing slash.

You’re going to have to do the legwork to show us that you (and your Okta admin) have followed everything exactly the same as @jdp11d and their Okta admin did.

I have details above. The trailing slash issue isn't specified as to where, and in the post there is mention that first it was the trailing slash and then it was RelayState.

I've posted the exact error from the logs and explained that the guide does not give details on what exactly is meant to be entered on the Okta side for RelayState.

If you'd like to be useful, try reading the details instead of posting things you haven't read and don't understand.

Have you added the X_FORWARDED options to AWX?

USE_X_FORWARDED_PORT = True
USE_X_FORWARDED_HOST = True

Yes, those are relevant for CSRF issues and I have those settings.

The issue is RelayState.

If I had to guess, the Single sign on URL: in Okta needs to have the trailing slash, while the entity_id and url options on AWX may or may not need to have the trailing slash.

I think you are hung up on the trailing '/' that is mentioned, but I think you are missing the past perfect tense. The trailing slash issue was resolved AND then the Okta admin did something.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P10D" entityID="https://my-awx-url">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>cert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-awx-url/sso/complete/saml/" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">AWX</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">AWX</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">my-awx-url</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>name</md:GivenName>
    <md:EmailAddress>email address</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>name</md:GivenName>
    <md:EmailAddress>email address</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

for SAML Enabled Identity Providers

{
  "okta": {
    "entity_id": "http://okta-entity-id/",
    "url": "https://okta-url/sso/saml/",
    "x509cert": "-----BEGIN CERTIFICATE-----cert-----END CERTIFICATE-----"
  }
}

What else would you find useful?

Thank you for providing more context of what you have done. I realize that I have been focusing on the slash a little, but that is the only information/reference we had to go on that was confusing.

Your SAML config for AWX appears to be missing some required fields, as mentioned by @jbird. @jdp11d ended up adding additional fields in his response.

Your issue may just be missing fields, but you also have trailing slashes where @jdp11d does not (entity_id and url). That doesn’t mean yours or his are incorrect, just that I have no confidence in which is correct or if it even matters here on the AWX side.

Edit: And I think the “error on Okta’s side” that his “Okta admin” fixed, was simply the URL/URI settings in the following sample:

Platform: Web
Single Sign On Method: SAML 2.0
Application Name: Company-Ansible-Tower
Single sign on URL: https://ansibletower.company.com/sso/complete/saml/
Audience URI (SP Entity ID): https://ansibletower.company.com

If that’s not the case, then we need @jdp11d to clarify.

And if adding the missing fields to your AWX config is not enough to resolve the issue, then I don’t have any further suggestions that I can think of to help.

On the Okta side, "Audience Restriction" was not set to the AWX base URL.

After that

  "attr_email": "urn:oid:0.9.2342.19200300.100.1.3",
  "attr_username": "urn:oid:0.9.2342.19200300.100.1.1",
  "attr_last_name": "urn:oid:2.5.4.4",
  "attr_first_name": "urn:oid:2.5.4.42",
  "attr_user_permanent_id": "urn:oid:0.9.2342.19200300.100.1.1"

SAML attributes could be mapped
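Added illustration (not code from this thread, AWX, social-core or Okta) of why the Okta-side URL settings and the trailing slash matter for the `social 'RelayState'` error, and of the consistency checks the replies above were asking for. Two facts drive it. First, the message `'RelayState'` is what Python prints for `KeyError('RelayState')`, i.e. the form field was absent when the SP handler looked it up. Second, the access log shows `POST /sso/complete/saml` (no trailing slash) answered with `301`: an SP that appends slashes redirects that POST, and browsers follow a 301 with a GET that carries no form body, so `SAMLResponse` and `RelayState` never reach `/sso/complete/saml/`. The script parses SP metadata in the shape AWX publishes, compares it with an Okta application's Single sign on URL, Audience URI and RelayState, and models the redirect. Everything named here (`SP_METADATA`, `OKTA_APP_GOOD`, `OKTA_APP_BAD`, `simulate_acs_post`, `resolve_idp`) is constructed for the example; it is not the real AWX request pipeline.

```python
"""Consistency checks for an AWX (SP) <-> Okta (IdP) SAML setup.

Constructed example. The SP metadata below follows the layout AWX
publishes at /sso/metadata/saml/; certificate and contacts are elided.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata (same entityID / ACS Location as in the thread).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my-awx-url">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-awx-url/sso/complete/saml/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The AWX "SAML Enabled Identity Providers" dictionary; the key is the IdP
# name and is what Okta must send back as RelayState.
SAML_ENABLED_IDPS = {
    "okta": {"entity_id": "http://okta-entity-id/", "url": "https://okta-url/sso/saml/"},
}

# Constructed Okta application settings (General > SAML Settings).
OKTA_APP_GOOD = {
    "sso_url": "https://my-awx-url/sso/complete/saml/",   # trailing slash present
    "audience_uri": "https://my-awx-url",                 # equals SP entityID
    "relay_state": "okta",                                # equals IdP name in AWX
}
OKTA_APP_BAD = {
    "sso_url": "https://my-awx-url/sso/complete/saml",    # slash missing -> 301
    "audience_uri": "https://my-awx-url/",                # does not equal entityID
    "relay_state": "okta",
}


def sp_endpoints(metadata_xml):
    """Return (entityID, AssertionConsumerService Location) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")


def check_okta_app(metadata_xml, okta_app):
    """List mismatches between the Okta app settings and the SP metadata.

    All comparisons are exact string comparisons on purpose: the SP compares
    the Audience it receives with its entityID character for character, and a
    trailing slash on the SSO URL changes which path the browser POSTs to.
    """
    entity_id, acs = sp_endpoints(metadata_xml)
    problems = []
    if okta_app["sso_url"] != acs:
        problems.append(f"Single sign on URL {okta_app['sso_url']!r} != ACS Location {acs!r}")
    if okta_app["audience_uri"] != entity_id:
        problems.append(f"Audience URI {okta_app['audience_uri']!r} != SP entityID {entity_id!r}")
    if okta_app["relay_state"] not in SAML_ENABLED_IDPS:
        problems.append(f"RelayState {okta_app['relay_state']!r} is not a configured IdP name")
    return problems


def simulate_acs_post(path, form, acs_path="/sso/complete/saml/"):
    """Model the request the SP handler finally sees after browser redirects.

    A POST to the path without the trailing slash gets a 301 to the slashed
    path (Django's APPEND_SLASH behaviour); browsers follow a 301 with a GET
    and drop the form body, so SAMLResponse and RelayState are lost.
    """
    if path == acs_path.rstrip("/"):
        return {"method": "GET", "path": acs_path, "form": {}}
    return {"method": "POST", "path": path, "form": dict(form)}


def resolve_idp(request):
    """First thing the SP completion handler needs: the IdP named by RelayState.

    A missing field raises KeyError('RelayState'), which a logger prints as
    "social 'RelayState'", the exact message in the thread.
    """
    idp_name = request["form"]["RelayState"]
    return SAML_ENABLED_IDPS[idp_name]


if __name__ == "__main__":
    print("good app:", check_okta_app(SP_METADATA, OKTA_APP_GOOD) or "no mismatches")
    print("bad app:", check_okta_app(SP_METADATA, OKTA_APP_BAD))
    posted = {"SAMLResponse": "base64...", "RelayState": "okta"}
    for url in (OKTA_APP_GOOD["sso_url"], OKTA_APP_BAD["sso_url"]):
        req = simulate_acs_post(url.split("my-awx-url", 1)[1], posted)
        try:
            print(url, "->", req["method"], "->", resolve_idp(req)["url"])
        except KeyError as e:
            print(url, "->", req["method"], "-> social", e)
```

Run it against your own exported SP metadata and the values from the Okta app page; any line the checker prints is a setting to fix before touching attribute mappings, because the assertion is never processed until the POST arrives intact at the slashed ACS URL.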

Does that mean your SAML is working now?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.