SAML integration

Hi!

I am trying to integrate AWX with my company’s IdP using SAML. I have been able to get basic SAML authentication working, with users successfully authenticating. However, I’m struggling to get team mapping and superuser attribute mapping working. Currently, all users that successfully authenticate have no team mappings.

I have configured the IdP to send an attribute called “groups” in the SAML assertion, which I believe should contain the list of groups. I have set the value of “SOCIAL_AUTH_SAML_TEAM_ATTR” and “SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR” as below.

    "SOCIAL_AUTH_SAML_TEAM_ATTR": {
        "remove": false,
        "team_org_map": [
            {
                "team_alias": "<Team in AWX>",
                "team": "<group ID in IdP>",
                "organization": "<Org created in AWX>"
            }
        ],
        "saml_attr": "groups"
    },
    "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {
        "is_superuser_attr": "groups",
        "is_superuser_value": [
            "<group ID in IdP>"
        ]
    }

Is there a way to see on AWX the list of assertions that it receives in the SAML response from the IdP? Can I set something in “SOCIAL_AUTH_SAML_SP_EXTRA” (currently empty) to do this?

I tried setting “SOCIAL_AUTH_SAML_SP_EXTRA” as below, but I couldn’t see any additional logging.

    "SOCIAL_AUTH_SAML_SP_EXTRA": {
        "debug": true
    },

Cheers

Rod

I should have added that I am running AWX 22.2.0 on Kubernetes, deployed by the AWX Operator 2.1.0 using the AWX and AWX images from quay.io.

Is there an option that I can set via AWX API to enrich SAML debug logging or would this require customising the Python code relating to the “python-saml” library?

I solved my issue. The IdP was not passing a UUID for the group, but rather the name. I could see the list of assertions in the browser by following the directions in https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html.
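The two things the thread turns on are (a) what attribute values the IdP actually sends and (b) whether the configured `team` / `is_superuser_value` strings match those values exactly. The following is an added example, not AWX's own code and not part of the original thread: it takes a base64 `SAMLResponse` as captured from the browser (HTTP-POST binding, per the linked AWS guide), lists the attributes in the assertion, and then evaluates a `SOCIAL_AUTH_SAML_TEAM_ATTR` / `SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR` configuration against them using a simplified model of AWX's exact-string matching (an assumption; AWX's real logic lives in its social-auth pipeline). The SAML XML, the group names, the UUID and the organization/team names are all constructed sample values.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the lookups below.
NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not a real IdP capture, unsigned, minimal).
# As in the thread's diagnosis, the "groups" attribute carries group *names*.
SAMPLE_RESPONSE_XML = """<?xml version="1.0"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID>rod@example.invalid</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>awx-admins</saml2:AttributeValue>
        <saml2:AttributeValue>awx-developers</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>rod@example.invalid</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""
# What the browser's SAMLResponse form field would look like for that XML.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed placeholder for an IdP group object ID (not a real group).
PLACEHOLDER_GROUP_UUID = "00000000-0000-4000-8000-000000000000"


def extract_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and return
    {attribute_name: [values]} from the assertion's AttributeStatement."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # ET.fromstring is acceptable for a constructed sample; when feeding in
    # a response from a real IdP, parse with defusedxml instead so that
    # entity expansion in a hostile document cannot exhaust memory.
    root = ET.fromstring(xml_bytes)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_teams(attrs, team_attr_config):
    """Simplified model of team_org_map: an entry matches only when its
    'team' string is one of the received values of 'saml_attr' (exact,
    case-sensitive).  Returns [(organization, team_alias)]."""
    received = set(attrs.get(team_attr_config["saml_attr"], []))
    matched = []
    for entry in team_attr_config["team_org_map"]:
        if entry["team"] in received:
            matched.append((entry["organization"], entry.get("team_alias", entry["team"])))
    return matched


def resolve_superuser(attrs, flags_config):
    """Simplified model of is_superuser_attr / is_superuser_value."""
    wanted = flags_config["is_superuser_value"]
    if isinstance(wanted, str):
        wanted = [wanted]
    return any(v in wanted for v in attrs.get(flags_config["is_superuser_attr"], []))


def unmatched_config_values(attrs, team_attr_config, flags_config):
    """Configured values that never appear in the assertion; a non-empty
    result is the usual explanation for 'no team mappings'."""
    received = set(attrs.get(team_attr_config["saml_attr"], []))
    configured = {e["team"] for e in team_attr_config["team_org_map"]}
    su = flags_config["is_superuser_value"]
    configured.update([su] if isinstance(su, str) else su)
    return sorted(configured - received)


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_SAML_RESPONSE_B64)
    print("attributes received:", attrs)
    broken = {
        "saml_attr": "groups",
        "team_org_map": [{"team_alias": "Admins", "team": PLACEHOLDER_GROUP_UUID,
                          "organization": "Ops"}],
    }
    flags = {"is_superuser_attr": "groups", "is_superuser_value": [PLACEHOLDER_GROUP_UUID]}
    print("teams with UUID config:", resolve_teams(attrs, broken))
    print("never seen in assertion:", unmatched_config_values(attrs, broken, flags))
```

Run it against a real capture by replacing `SAMPLE_SAML_RESPONSE_B64` with the `SAMLResponse` form value from the browser; the `unmatched_config_values` output tells you directly which configured strings (a UUID where the IdP sends a name, a case mismatch, a trailing space) will never match.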