Okta saml auth error social 'RelayState'

Hi Jeff! Thank you for your reply. Sorry for the late reply; I was out on a work trip.

I was able to follow the steps you suggested by adding the following to my AWX config.

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-mgmt
spec:
  secret_key_secret: awx-mgmt-secret-key
  extra_settings:
    - setting: USE_X_FORWARDED_HOST
      value: "True"
---
apiVersion: v1
kind: Secret
metadata:
  name: awx-mgmt-secret-key
  namespace: awx
stringData:
  secret_key: 
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ca
  namespace: awx
spec:
  securityPolicy:
    name: internal-networks
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"ca"}}'
  name: awx-mgmt-manual-service
  namespace: awx
  labels:
    app: awx-mgmt
spec:
  ports:
    - port: 80
      name: http
      targetPort: 8052
      protocol: TCP
  selector:
    app.kubernetes.io/component: awx
    app.kubernetes.io/managed-by: awx-operator
    app.kubernetes.io/name: awx-mgmt-web
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-mgmt-manual-ingress
  namespace: awx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    acme.cert-manager.io/http01-edit-in-place: "true"
    kubernetes.io/ingress.allow-http: "true"
spec:
  tls:
    - hosts:
        - awx-mgmt.com
      secretName: awx-mgmt-tls
  rules:
    - host: awx-mgmt.prd.it.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: awx-mgmt-manual-service
                port:
                  name: http

Here is the settings.py file:

bash-5.1$ tail -n 10 /etc/tower/settings.py

USE_X_FORWARDED_PORT = True
BROADCAST_WEBSOCKET_PORT = 8052
BROADCAST_WEBSOCKET_PROTOCOL = 'http'


RECEPTOR_LOG_LEVEL = 'info'


USE_X_FORWARDED_HOST = True

Regarding the missing fields: I removed them for security, but I will paste below what I have now with some dummy data.

{
  "okta": {
    "attr_user_permanent_id": "name_id",
    "attr_first_name": "User.FirstName",
    "attr_last_name": "User.LastName",
    "attr_username": "User.email",
    "attr_email": "User.email",
    "entity_id": "http://www.okta.com/<ID>",
    "url": "https://okta.com/app/<NAME>/<ID>/sso/saml",
    "x509cert": "<CERT FROM OKTA>"
  }
}

I also went ahead and restarted my node, and it led to the same results as before: the relay error.

I tried upgrading our dev to the current latest version, and I also seem to be getting an error there, but that one seems a bit different.

That error takes me to the following page instead.

I am starting to think this is perhaps an issue with how I set up my ingress/service. I will keep playing around with it. If I find something, I'll post here.

Dev I set up a bit differently, using the AWX operator to set up the ingress; see below.

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-poc
spec:
  no_log: false
  csrf_cookie_secure: 'False'
  session_cookie_secure: 'False'
  secret_key_secret: awx-poc-secret-key
  service_type: NodePort
  service_annotations: |
    environment: sandbox
    beta.cloud.google.com/backend-config: '{"ports": {"80":"ca"}}'
  ingress_type: ingress
  ingress_hosts:
    - hostname: awx-poc.com
      tls_secret: sample-tls-secret
  ingress_annotations: |
    environment: sandbox
    cert-manager.io/cluster-issuer: letsencrypt
    acme.cert-manager.io/http01-edit-in-place: "true"
    kubernetes.io/ingress.allow-http: "true"
  extra_settings:
    - setting: USE_X_FORWARDED_HOST
      value: "True"
    - setting: LOG_AGGREGATOR_LEVEL
      value: "'DEBUG'"
  # error with debug level
  extra_volumes: |
    - name: awx-web-debug
      emptyDir: {}
  web_extra_volume_mounts: |
    - name: awx-web-debug
      mountPath: "/var/log/tower"
---
apiVersion: v1
kind: Secret
metadata:
  name: awx-poc-secret-key
  namespace: awx-poc
stringData:
  secret_key: key
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ca
  namespace: awx-poc
spec:
  securityPolicy:
    name: internal-networks

Thank you,
jdp1
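As an added example (not from this post and not AWX or Django code), the script below re-implements, in simplified form, the host/port/scheme derivation that Django performs under the settings toggled above (USE_X_FORWARDED_HOST, USE_X_FORWARDED_PORT) together with SECURE_PROXY_SSL_HEADER and ALLOWED_HOSTS. It shows which absolute callback (ACS) URL the SAML service provider advertises for the same request with and without the proxy-aware settings, so the value can be compared with what is registered at the IdP. The request headers, the backend address 10.0.0.12:8052, the hostname awx-mgmt.com and the callback path /sso/complete/saml/ are constructed assumptions for illustration; check them against a real request dump from your own pod.

```python
# Added example, not from the forum post, AWX or Django: a simplified model of how
# Django derives scheme, host and port from the WSGI environ under the settings the
# post toggles, used to predict the absolute SAML callback URL behind a proxy.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class DisallowedHost(Exception):
    """Raised when the derived host is not in ALLOWED_HOSTS (as Django does)."""


@dataclass
class Settings:
    USE_X_FORWARDED_HOST: bool = False
    USE_X_FORWARDED_PORT: bool = False
    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None
    ALLOWED_HOSTS: List[str] = field(default_factory=list)


def host_is_allowed(hostname: str, patterns: List[str]) -> bool:
    """Django-style ALLOWED_HOSTS match: '*' matches anything, '.example.com'
    matches the domain and every subdomain, anything else must match exactly."""
    hostname = hostname.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern == "*" or pattern == hostname:
            return True
        if pattern.startswith(".") and (hostname == pattern[1:] or hostname.endswith(pattern)):
            return True
    return False


def is_secure(meta: dict, settings: Settings) -> bool:
    # Behind a TLS-terminating proxy the pod only sees plain HTTP; a configured
    # SECURE_PROXY_SSL_HEADER is what lets the app trust the proxy's claim of HTTPS.
    if settings.SECURE_PROXY_SSL_HEADER:
        header, value = settings.SECURE_PROXY_SSL_HEADER
        if header in meta:
            return meta[header] == value
    return meta.get("wsgi.url_scheme") == "https"


def get_port(meta: dict, settings: Settings) -> str:
    if settings.USE_X_FORWARDED_PORT and "HTTP_X_FORWARDED_PORT" in meta:
        return str(meta["HTTP_X_FORWARDED_PORT"])
    return str(meta["SERVER_PORT"])


def get_host(meta: dict, settings: Settings) -> str:
    if settings.USE_X_FORWARDED_HOST and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in meta:
        host = meta["HTTP_HOST"]
    else:
        host = meta["SERVER_NAME"]
        port = get_port(meta, settings)
        if port != ("443" if is_secure(meta, settings) else "80"):
            host = f"{host}:{port}"
    hostname = host.split(":")[0]  # DNS names and IPv4 only in this illustration
    # Simplification: an empty ALLOWED_HOSTS skips the check here (real Django rejects).
    if settings.ALLOWED_HOSTS and not host_is_allowed(hostname, settings.ALLOWED_HOSTS):
        raise DisallowedHost(f"Invalid HTTP_HOST header: {host!r}")
    return host


def build_absolute_uri(meta: dict, settings: Settings, path: str) -> str:
    scheme = "https" if is_secure(meta, settings) else "http"
    return f"{scheme}://{get_host(meta, settings)}{path}"


# Constructed environ as the web pod might see it when the ingress terminates TLS,
# rewrites Host to the backend address and adds X-Forwarded-* headers (assumption).
SAMPLE_META = {
    "wsgi.url_scheme": "http",
    "SERVER_NAME": "10.0.0.12",
    "SERVER_PORT": "8052",
    "HTTP_HOST": "10.0.0.12:8052",
    "HTTP_X_FORWARDED_HOST": "awx-mgmt.com",
    "HTTP_X_FORWARDED_PORT": "443",
    "HTTP_X_FORWARDED_PROTO": "https",
}
CALLBACK_PATH = "/sso/complete/saml/"  # assumed callback path; verify against your AWX
DEFAULT_SETTINGS = Settings()
PROXY_AWARE_SETTINGS = Settings(
    USE_X_FORWARDED_HOST=True,
    USE_X_FORWARDED_PORT=True,
    SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO", "https"),
    ALLOWED_HOSTS=["awx-mgmt.com"],
)


def check_acs(meta: dict, settings: Settings, registered_acs: str) -> Tuple[bool, str]:
    """Return (matches, computed_url): does the callback URL the SP will generate
    for this request equal the one registered at the IdP?"""
    computed = build_absolute_uri(meta, settings, CALLBACK_PATH)
    return computed == registered_acs, computed


if __name__ == "__main__":
    registered = "https://awx-mgmt.com/sso/complete/saml/"  # constructed IdP-side value
    for label, cfg in (("defaults", DEFAULT_SETTINGS), ("proxy-aware", PROXY_AWARE_SETTINGS)):
        ok, url = check_acs(SAMPLE_META, cfg, registered)
        print(f"{label:12s} -> {url}  {'OK' if ok else 'MISMATCH with IdP registration'}")
```

With the default settings the computed URL is built from the pod's own address and port, while the proxy-aware settings produce the public https URL; the DisallowedHost path shows why ALLOWED_HOSTS must list the public hostname once X-Forwarded-Host is trusted, since the app now validates the forwarded value rather than the rewritten Host header.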