SAML Auth from behind Apache Reverse Proxy

Drew_Stinnett · September 27, 2017, 4:55pm

Hi Gang,
I’m trying to use SAML authentication on an AWX container that has an apache frontend, however AWX appears to be sending the wrong ACS.

The apache service is just running TLS, and doing a proxypass to http://127.0.0.1:80. The web interface at https://awx.example.com works fine, and I have set the base url setting to https://awx.example.com. Under the SAML settings, the ACS shows correctly as “https://awx.example.com/sso/complete/saml”, however when I actually try to log in with SAML, AWX is sending “http://127.0.0.1:80/sso/complete/saml/”.

Is there something I’m missing here, to have AWX send the expected ACS? Thanks!!

Drew

matburt · September 27, 2017, 5:26pm

does this look like what you running into? https://github.com/ansible/awx/issues/119

Drew_Stinnett · September 27, 2017, 5:35pm

Not exactly, but it may be related…it looks like that bug report is for the port not getting passed to the SAML request correctly. In our instance, the protocol (https), port (443) and host (awx.example.com) are all getting passed through incorrectly

I would expect to see the URL listed in the “SAML ASSERTION CONSUMER SERVICE (ACL) URL” field in the config (which is currently correct), to be what is sent as the ACS to the SAML provider, however it’s using the ‘http://127.0.0.1:80’, instead of ‘https://awx.example.com’.

I’m happy to open up a github bug report if that’s more handy than the mailing list!

Drew_Stinnett · October 16, 2017, 3:07pm

I’m getting a little further now…I switched over to using nginx to do the SSL bits and proxy back to the container, and the correct ACS is sent. Now I’m getting the following error though after performing my authentication:

Authentication failed: SAML login failed: [‘invalid_response’] (The response was received at https://awx.example.com:8052/sso/complete/saml/ instead of https://awx.example.com/sso/complete/saml/).

It looks like the container port is getting appended in somewhere it shouldn’t be.

idyurev · December 19, 2017, 6:19pm

Hello, I have similar problem , AWX frontend behind nginx sends to saml idp (adfs) http://awx.somedomain.foo/sso/complete/saml instead of
https://awx.somedomain.foo/sso/complete/saml . I would be grateful if you share solution for solve this problem.

Topic		Replies	Views
Using AWS "ALB" to front end for AWX, difficulties with SAML AWX Project awx , aws	0	2	April 2, 2020
Authentication failed: SAML login failed AWX Project	3	1	July 29, 2019
ansible awx saml integration with azure AWX Project awx , kubernetes , azure	2	4	August 6, 2022
AWX Deployement behind nginx and SAML Get Help awx , collections , kubernetes , nginx	1	338	November 16, 2023
Debug SAML Auth on AWX Get Help awx , collections , rhel , kubernetes	3	508	July 11, 2024

SAML Auth from behind Apache Reverse Proxy

Related topics