has anyone configured AWX to use SAML auth with shibboleth?
SAML configuration screens in Tower do not map into the same realm as
some of the other apps I've configured to use with SAML in the past, nor
was I able to produce "clean" metadata that I can submit to IDP without
editing. Here's what I've figured (and done) so far:
and here's where I'm stuck with "The login service was unable to
identify a compatible way to respond to the requested application. This
is generally due to a misconfiguration on the part of the application
and should be reported to the application's support team or owner. "
which is me.... so what am I missing in this process?
Disclaimer: I got it working with Centrify IDP, so this is not based on Shib,
But, maybe the metadata ingest is not working correctly? Sounds like Shib does not know how to offload back to AWX.
I tried the metadata URL with Centrify and it failed. I didn't bother looking at why it failed, and just entered the SP Configuration information in manually. All I ended up entering was the SP Entity ID (which I set as "tower" from within AWX), and set the ACS to what AWX said it was ("https://tower.domain/sso/complete/saml"). It worked after that (and after setting up my SAML response in the Centrify IDP of course).
Hope this helps, or points you in the right direction.
I may follow your footsteps and manually generate the metadata
altogether rather than editing it after AWX had a chance to generate it.
Which is sub-optimal as I need my team to be able to maintain this setup
and it's not as trivial as our typical shibboleth/mod_shib setups along
with simpleSAMLphp in its current state (not to mention that it doesn't
work).
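The reply above got Centrify working by entering only two SP values by hand (Entity ID "tower" and the ACS "https://tower.domain/sso/complete/saml"), and the follow-up considers hand-generating the SP metadata instead of editing what AWX produces. The script below is an added example, not code from AWX, Tower, Shibboleth or anyone in this thread: it builds the minimal SAML 2.0 SP EntityDescriptor an IdP needs from exactly those two values, and then runs the IdP-side sanity check that a practitioner would want before submitting it, namely that the ACS URL and binding the SP will actually use appear verbatim in the metadata. The binding (HTTP-POST), NameID format, signing flags and the idea that a trailing slash or scheme mismatch is enough for the IdP to find no compatible endpoint are assumptions of the example, not facts stated on this page.

```python
"""Build minimal SAML 2.0 SP metadata for an AWX/Tower instance and check
that its AssertionConsumerService matches what the IdP will be asked to
respond to.

Added example, not code from AWX, Tower, Shibboleth or the thread's
authors. Entity ID "tower" and the ACS URL are the values quoted in the
thread; binding, NameID format and signing flags are assumptions.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Emit the conventional "md:" prefix instead of ElementTree's "ns0:".
ET.register_namespace("md", MD_NS)


def _tag(local):
    return "{%s}%s" % (MD_NS, local)


def build_sp_metadata(entity_id, acs_url, binding=HTTP_POST, want_signed=True):
    """Return a minimal, well-formed SP EntityDescriptor as an XML string.

    Only the parts an IdP needs to route a response are included: the
    entityID, the protocol it speaks, the NameID format it accepts and a
    single default ACS endpoint.
    """
    root = ET.Element(_tag("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _tag("SPSSODescriptor"), {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true" if want_signed else "false",
        "protocolSupportEnumeration": SAML2_PROTOCOL,
    })
    ET.SubElement(sp, _tag("NameIDFormat")).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, _tag("AssertionConsumerService"), {
        "Binding": binding,
        "Location": acs_url,
        "index": "1",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def acs_endpoints(metadata_xml):
    """Return [(binding, location), ...] for every ACS in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding"), acs.get("Location"))
        for acs in root.iter(_tag("AssertionConsumerService"))
    ]


def idp_can_respond(metadata_xml, requested_acs, requested_binding=HTTP_POST):
    """IdP-side endpoint check, as assumed by this example: the ACS and
    binding the SP asks for must appear verbatim in its metadata, otherwise
    the IdP has no compatible way to respond."""
    return (requested_binding, requested_acs) in acs_endpoints(metadata_xml)


if __name__ == "__main__":
    ACS = "https://tower.domain/sso/complete/saml"
    md = build_sp_metadata("tower", ACS)
    print(md)
    print("exact ACS accepted:", idp_can_respond(md, ACS))
    # Assumed failure modes: a trailing slash, a different scheme, or a
    # different binding each make the lookup miss.
    print("trailing slash:", idp_can_respond(md, ACS + "/"))
    print("http instead of https:", idp_can_respond(md, ACS.replace("https", "http", 1)))
    print("redirect binding:", idp_can_respond(md, ACS, HTTP_REDIRECT))
```

Paste the printed EntityDescriptor into the IdP's SP registration (or save it as a file the IdP loads), and use `idp_can_respond` with the exact ACS URL AWX displays to confirm the two agree before testing a login.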