SAML Auth from behind Apache Reverse Proxy

Hi Gang,
I’m trying to use SAML authentication on an AWX container that has an Apache frontend; however, AWX appears to be sending the wrong ACS.

The Apache service is just running TLS and doing a ProxyPass to http://127.0.0.1:80. The web interface at https://awx.example.com works fine, and I have set the base URL setting to https://awx.example.com. Under the SAML settings, the ACS shows correctly as “https://awx.example.com/sso/complete/saml”; however, when I actually try to log in with SAML, AWX is sending “http://127.0.0.1:80/sso/complete/saml/”.

Is there something I’m missing here, to have AWX send the expected ACS? Thanks!!

Drew

Does this look like what you’re running into? https://github.com/ansible/awx/issues/119

Not exactly, but it may be related… it looks like that bug report is for the port not getting passed to the SAML request correctly. In our instance, the protocol (https), port (443) and host (awx.example.com) are all getting passed through incorrectly.

I would expect the URL listed in the “SAML ASSERTION CONSUMER SERVICE (ACS) URL” field in the config (which is currently correct) to be what is sent as the ACS to the SAML provider; however, it’s using ‘http://127.0.0.1:80’ instead of ‘https://awx.example.com’.

I’m happy to open up a GitHub bug report if that’s more handy than the mailing list!

I’m getting a little further now… I switched over to using nginx to do the SSL bits and proxy back to the container, and the correct ACS is sent. Now I’m getting the following error, though, after performing my authentication:

Authentication failed: SAML login failed: [‘invalid_response’] (The response was received at https://awx.example.com:8052/sso/complete/saml/ instead of https://awx.example.com/sso/complete/saml/).

It looks like the container port is getting appended in somewhere it shouldn’t be.
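The two failure modes above (ACS built from the proxy's loopback target, then from the container's listening port) both come from how an app reconstructs its externally visible origin from the proxied request. The following is an added example, not AWX or python-social-auth code: it derives the origin from Host and X-Forwarded-* headers, trusting those headers only when the peer is the configured reverse proxy (assumed here to be on loopback), and flags an ACS that disagrees with the configured base URL.

```python
from urllib.parse import urlsplit

# Assumption for this example: the reverse proxy connects from loopback.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _first(value):
    # Forwarded headers may be comma-joined by chained proxies; take the first hop.
    return value.split(",")[0].strip()


def external_origin(headers, peer_ip, scheme="http", server_port=80):
    """Return (scheme, host, port) as the browser sees them.

    scheme/server_port are what the app socket observed (e.g. http, 8052).
    X-Forwarded-* headers are honoured only from a trusted proxy, so an
    arbitrary client cannot rewrite the origin the ACS is built from.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    port = server_port
    trusted = peer_ip in TRUSTED_PROXIES
    if trusted:
        scheme = _first(h.get("x-forwarded-proto", scheme)).lower()
        host = _first(h.get("x-forwarded-host", host))
    if ":" in host:  # explicit port in Host (IPv6 literals not handled here)
        host, _, p = host.rpartition(":")
        port = int(p)
    elif trusted:
        # Behind a proxy the app's own listening port (8052) is not the public one.
        port = DEFAULT_PORTS.get(scheme, server_port)
    if trusted and "x-forwarded-port" in h:
        port = int(_first(h["x-forwarded-port"]))
    return scheme, host.lower(), port


def acs_url(headers, peer_ip, path="/sso/complete/saml/", **kw):
    scheme, host, port = external_origin(headers, peer_ip, **kw)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def acs_matches_base(acs, base_url):
    """Sanity check: the ACS the app will advertise must share the base URL's origin."""
    a, b = urlsplit(acs), urlsplit(base_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)
```

Run with the headers your proxy actually forwards (inspect them on the app side) to see which of Host, X-Forwarded-Proto or X-Forwarded-Port is missing or wrong before changing the proxy configuration.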

Hello, I have a similar problem: the AWX frontend behind nginx sends http://awx.somedomain.foo/sso/complete/saml to the SAML IdP (ADFS) instead of
https://awx.somedomain.foo/sso/complete/saml. I would be grateful if you could share a solution to this problem.