SAML integration with gsuite

Hi,

I’m currently using AWX 1.0.4.130 and I’m trying to implement SAML with it. I’ve configured the IDP as simply as it can be with the metadata from Google.

SAML Enabled IDP:

```json
{
  "google": {
    "url": "https://accounts.google.com/o/saml2/idp?idpid=xxxxx",
    "entity_id": "https://accounts.google.com/o/saml2?idpid=xxxxx",
    "x509cert": ""
  }
}
```

I did not add any additional mappings or attributes as I’m testing this out. However, when I try to login, I’m getting this error:

```
Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response).
```

Any pointers as to what I am missing?

https://gist.github.com/chrismeyersfsu/3c34413be80339fa8c96e4f2c2e18d6f is an example SAML transaction. Notice the AttributeStatement section in the second gist file.

I used a chrome saml extension to capture this transaction.

Hey Chris,

Thanks for the sample gist. I looked at my output and I do not see the AttributeStatement section. In which field did you add it in the SAML configuration on AWX? I’ve tried extending the SAML Enabled IDP field to

```json
{
  "google": {
    "url": "https://accounts.google.com/o/saml2/idp?idpid=xxxxx",
    "entity_id": "https://accounts.google.com/o/saml2?idpid=xxxx",
    "x509cert": "",
    "attr_user_permanent_id": "name_id",
    "attr_first_name": "User.FirstName",
    "attr_last_name": "User.LastName",
    "attr_username": "User.email",
    "attr_email": "User.email"
  }
}
```

The second payload, with the AttributeStatement, comes from your idp (gsuite). Setting the attributes in awx just instructs awx on what to look for in the payload. It will not influence what’s in the payload.
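
A small check that complements this point, added here as an example and not code from AWX, python-saml or anyone in the thread: it parses an already decoded SAML Response and reports whether an AttributeStatement is present and which of the attribute Names from the mapping above the IdP did not send. The two Responses inside are constructed, and the mapping keys are the ones from the configuration above.

```python
# Added diagnostic, not AWX or python-saml code: inspect a decoded SAML
# Response for its Subject NameID, its AttributeStatement, and the attribute
# Names an AWX "attr_*" mapping expects (signature checks assumed done upstream).
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Mapping from the thread; "name_id" means "take it from the Subject NameID".
AWX_ATTR_MAPPING = {"attr_user_permanent_id": "name_id",
                    "attr_first_name": "User.FirstName", "attr_last_name": "User.LastName",
                    "attr_username": "User.email", "attr_email": "User.email"}

def inspect_response(xml_text, mapping=AWX_ATTR_MAPPING):
    """Report NameID/Format, attributes present, and mapped Names missing."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    statement = root.find(".//saml2:AttributeStatement", NS)
    attrs = {}
    if statement is not None:
        for attr in statement.findall("saml2:Attribute", NS):
            attrs[attr.get("Name")] = [
                v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    # Names the mapping wants that the IdP did not send; "name_id" is not an attribute.
    missing = sorted({n for n in mapping.values() if n != "name_id" and n not in attrs})
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "has_attribute_statement": statement is not None,
        "attributes": attrs,
        "missing_mapped": missing,
    }

# Constructed minimal Responses (not captured traffic): the first mirrors the
# failing case in this thread, the second carries an AttributeStatement.
_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml2="%s"><saml2:Assertion>'
         '<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:'
         'nameid-format:unspecified">user@example.com</saml2:NameID>'
         '</saml2:Subject>' % (NS["samlp"], NS["saml2"]))
_TAIL = '</saml2:Assertion></samlp:Response>'
RESPONSE_NO_ATTRS = _HEAD + _TAIL
RESPONSE_WITH_ATTRS = _HEAD + (
    '<saml2:AttributeStatement><saml2:Attribute Name="User.FirstName">'
    '<saml2:AttributeValue>Choon</saml2:AttributeValue></saml2:Attribute>'
    '<saml2:Attribute Name="User.email"><saml2:AttributeValue>'
    'user@example.com</saml2:AttributeValue></saml2:Attribute>'
    '</saml2:AttributeStatement>') + _TAIL
```

Run it against the Response captured by the browser SAML extension (after base64 decoding) to see exactly which Names the IdP sends before adjusting the attr_* mapping.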

On a deeper dive, I noticed this in my POST request:

```xml
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com
</saml2:NameID>
```

The format is set as unspecified instead of emailAddress.

Choon,

That may or may not matter. Given the error message I would concentrate on the AttributeStatement section.