SAML Error CSRF Verification Failed. Request aborted.

I set up SAML with Okta.

I’ve followed this
https://www.ansible.com/blog/using-saml-with-red-hat-ansible-tower

tower_URL_base is set; everything is set so the backend enables.

The SAML link on the login page does the dance to Okta, comes back, and AWX reports:

CSRF Verification Failed. Request aborted.

then:

More information is available with DEBUG=True

Not sure what else to check here. I have turned the logs up to Debug. Where should I even be able to see this verbose output? What is this CSRF verification?

CSRF is Cross Site Request Forgery. At a very high level, when you hit AWX for the first time in a browser you get a CSRF cookie, and that cookie is used in combination with your session to ensure someone does not try and interject you into the application in a weird way.

Can you look at the login page with a fresh session and look at the first call to api/ and validate that the response includes a Set-Cookie like:

Set-Cookie: csrftoken=kSOU2LN8JAHQ76z85zgQ25fdCLcDNwr7yWYAyNFdPwEcrGspxIvQ1POzRfRcdAO6; Path=/; SameSite=Lax

And then validate that when you get back from Okta you have the same token?

If logs are set to debug you should see information when AWX is processing the SAML assertion in the AWX logs, but I think an invalid CSRF will knock you out before that process happens.

-The AWX Team
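As an added example, not from this thread or from the AWX project: a small Python checker for the comparison the AWX team describes above. It parses the csrftoken Set-Cookie from the first api/ response, checks that a browser would keep the cookie over the scheme you actually reach AWX on (a cookie carrying the Secure attribute is discarded when received over plain http), and compares it with the csrftoken presented on the request that comes back from Okta. The sample header values are constructed placeholders.

```python
# Added example, not from this thread or the AWX project (see lead-in).
from typing import NamedTuple, Optional

class Cookie(NamedTuple):
    name: str
    value: str
    attrs: dict  # attribute names lower-cased; bare flags such as Secure map to True

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return Cookie(name.strip(), value.strip(), attrs)

def request_cookie(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of `name` from a request's Cookie header, or None."""
    for item in cookie_header.split(";"):
        key, _, val = item.strip().partition("=")
        if key == name:
            return val
    return None

def browser_would_store(cookie: Cookie, scheme: str) -> bool:
    """A cookie with the Secure attribute is only stored when received over https."""
    return not (cookie.attrs.get("secure") and scheme != "https")

def csrf_diagnosis(first_api_set_cookie: str, scheme: str, callback_cookie_header: str) -> str:
    """Explain why the csrftoken seen after Okta may not match the one AWX issued."""
    issued = parse_set_cookie(first_api_set_cookie)
    if issued.name != "csrftoken":
        return "first api/ call did not set csrftoken"
    if not browser_would_store(issued, scheme):
        return "csrftoken is Secure but AWX is reached over http: browser discards it"
    presented = request_cookie(callback_cookie_header, "csrftoken")
    if presented is None:
        return "csrftoken missing on the request returning from Okta"
    if presented != issued.value:
        return "csrftoken changed between login page and Okta callback"
    return "csrftoken consistent"

# Constructed sample values (placeholders, not real tokens).
SAMPLE_SET_COOKIE = "Set-Cookie: csrftoken=TOKEN_A; Path=/; SameSite=Lax"
SAMPLE_CALLBACK_COOKIES = "sessionid=SESSION_X; csrftoken=TOKEN_A"
```

Feed it the real Set-Cookie from the first api/ response and the Cookie header of the request that arrives back from Okta (both visible in the browser's network tab) to see which of the four cases you are in.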

I'm using a Helm chart deploy of awx-operator with an nginx LB. Is there some reason that would cause this?

OID doesn't have an issue, but I can't really do the group mappings I need in there from what I can see.

Also, I set logging to Debug in the GUI, but the logs showing on the container don't seem any different. Is there some other way I need to turn that on?

Hello,
We have a follow-up question regarding the manner in which you are conducting your nginx load balancing. Do you have more than one AWX web node behind the load balancer, or is it just a front end for a single instance?

When Okta is redirecting you back to AWX are you hitting a load balancer or the node directly?

The DEBUG=True is a development setting and not something we would suggest turning on in production. If you are not running this in a production environment, or if you have a sandbox/testing environment, please let us know and we can further assist you with the steps to enable debugging.

-AWX Team

I'm using a NodePort ingress. I have only one AWX web node. The ingress is what sets up a trusted certificate and registers DNS.

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: awx-demo
      name: awx-demo
      namespace: awx-test
    spec:
      type: NodePort
      ports:
        - name: http
          port: 80
          targetPort: 30080
      selector:
        app: awx-demo-service

I added:

    csrf_cookie_secure: 'False'

but it doesn't seem like the setting is being applied, even though I see it in the last-applied-configuration.

Still failing with csrf_cookie_secure: 'False'

per documentation …

how do I get this working?