SAML on Azure AD and accounts creation problem

Hello,

I’m currently connecting AWX to Azure AD with SAML to authenticate the users.
The authentication works properly, but not the automatic user creation.
If the user is not present in AWX, I get this error message:
ERROR […] social An account cannot be found for azure:

In the documentation there are references to automatic account creation. Did I miss something, or is it a bug/misconfiguration?

The Organisation creation at login is working though.

Thanks

A new social account should be created after logging in. It sounds like you may have some configuration issues going on.

If you enable debug logs, you should see more relevant information in the awx-web container logs after attempting to log in. If you paste logs here we may be able to help further.

AWX Team

Even in debug, I don’t see anything interesting:

2022-12-01 09:16:04,360 DEBUG [7b2d8852f9df4ae39712a092ddedb624] awx.analytics.performance request: <WSGIRequest: GET '/sso/login/saml/?idp=azure'>, response_time: 0.104s
127.0.0.1 - - [01/Dec/2022:09:16:04 +0000] "GET /sso/login/saml/?idp=azure HTTP/1.1" 302 0 "http://localhost:8080/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
[pid: 32|app: 0|req: 99/254] 127.0.0.1 () {58 vars in 1020 bytes} [Thu Dec 1 09:16:04 2022] GET /sso/login/saml/?idp=azure => generated 0 bytes in 108 msecs (HTTP/1.1 302) 12 headers in 1360 bytes (1 switches on core 0)
2022-12-01 09:16:05,125 ERROR [34fc976335f94f28808337c9ffd875ed] social An account cannot be found for .
2022-12-01 09:16:05,135 DEBUG [34fc976335f94f28808337c9ffd875ed] awx.analytics.performance request: <WSGIRequest: POST '/sso/complete/saml/'>, response_time: 0.089s
127.0.0.1 - - [01/Dec/2022:09:16:05 +0000] "POST /sso/complete/saml/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
[pid: 33|app: 0|req: 45/255] 127.0.0.1 () {58 vars in 944 bytes} [Thu Dec 1 09:16:05 2022] POST /sso/complete/saml/ => generated 0 bytes in 92 msecs (HTTP/1.1 302) 10 headers in 461 bytes (1 switches on core 0)
2022-12-01 09:16:05,257 DEBUG [dae667e54c844ded9b787d64c7068c44] awx.analytics.performance request: <WSGIRequest: GET '/sso/error/'>, response_time: 0.057s
[pid: 33|app: 0|req: 46/256] 127.0.0.1 () {54 vars in 927 bytes} [Thu Dec 1 09:16:05 2022] GET /sso/error/ => generated 0 bytes in 60 msecs (HTTP/1.1 301) 10 headers in 463 bytes (1 switches on core 0)
127.0.0.1 - - [01/Dec/2022:09:16:05 +0000] "GET /sso/error/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
2022-12-01 09:16:05,375 DEBUG [05bbf9a4f1a849b8a91b16c7f79a10a9] awx.analytics.performance request: <WSGIRequest: GET '/'>, response_time: 0.078s
127.0.0.1 - - [01/Dec/2022:09:16:05 +0000] "GET / HTTP/1.1" 200 1044 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
[pid: 32|app: 0|req: 100/257] 127.0.0.1 () {52 vars in 907 bytes} [Thu Dec 1 09:16:05 2022] GET / => generated 1044 bytes in 82 msecs (HTTP/1.1 200) 9 headers in 438 bytes (1 switches on core 0)
2022-12-01 09:16:06,388 DEBUG [efd3fe35ee734f6fa5698b61a366f9d4] awx.analytics.performance request: <WSGIRequest: GET '/api/'>, response_time: 0.072s
[pid: 29|app: 0|req: 73/258] 127.0.0.1 () {56 vars in 944 bytes} [Thu Dec 1 09:16:06 2022] GET /api/ => generated 3476 bytes in 75 msecs (HTTP/1.1 200) 15 headers in 686 bytes (1 switches on core 0)
127.0.0.1 - - [01/Dec/2022:09:16:06 +0000] "GET /api/ HTTP/1.1" 200 3476 "http://localhost:8080/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
2022-12-01 09:16:06,760 DEBUG [52959e5771b54ba59f3498bdc20600a0] awx.analytics.performance request: <WSGIRequest: GET '/api/v2/auth/'>, response_time: 0.073s
127.0.0.1 - - [01/Dec/2022:09:16:06 +0000] "GET /api/v2/auth/ HTTP/1.1" 200 152 "http://localhost:8080/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
[pid: 32|app: 0|req: 101/259] 127.0.0.1 () {56 vars in 960 bytes} [Thu Dec 1 09:16:06 2022] GET /api/v2/auth/ => generated 152 bytes in 77 msecs (HTTP/1.1 200) 14 headers in 574 bytes (1 switches on core 0)
2022-12-01 09:16:06,769 DEBUG [0fd5242dcb644de6882462875a6ccf05] awx.analytics.performance request: <WSGIRequest: GET '/api/'>, response_time: 0.081s
127.0.0.1 - - [01/Dec/2022:09:16:06 +0000] "GET /api/ HTTP/1.1" 200 3476 "http://localhost:8080/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" "-"
[pid: 30|app: 0|req: 16/260] 127.0.0.1 () {56 vars in 944 bytes} [Thu Dec 1 09:16:06 2022] GET /api/ => generated 3476 bytes in 84 msecs (HTTP/1.1 200) 15 headers in 686 bytes (1 switches on core 0)

A few clarifications: AWX is running version 21.9.0, and the URL is localhost because I’m working on a test server, but the problem is the same on a production server with a regular domain.

I see this line:

2022-12-01 09:16:05,125 ERROR [34fc976335f94f28808337c9ffd875ed] social An account cannot be found for .

did you redact the original, or is “” in the logs?

AWX Team

Yes, it is redacted; in the logs there is the correct email address.

Could you please provide the SAML settings via /api/v2/settings/saml.

Can you also get the SAML payload that is coming back to AWX from Azure? This can usually be accomplished with a browser plugin such as https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en

-The AWX Team

The SAML settings are in AWX-api-saml.txt and the SAML payload is in AWX-saml-response.txt.

In both these files the redacted parts (certificates and URLs) are marked “redacted”.

One more clarification: the X509 certificate matches between the settings and the response. In the SAML payload, the destination is indeed “http://localhost:8080/sso”; I’m using a port forward to connect to my AWX test server. This URL is also declared in the SAML SSO configuration, and since the authentication works for existing accounts, it should not be the cause of the problem.

This server is on version 21.9.0, but I also have the problem in AWX version 19.2.2.

(attachments)

AWX-api-saml.txt (2.67 KB)
AWX-saml-response.txt (4.7 KB)

Hi,

The SAML configuration looks correct as far as we can tell. It still isn’t clear why the system isn’t creating a new social auth account after getting this SAML response back.

Can you confirm that /api/v2/users/?username=yourusername does not return anything for the user that didn’t get created?

AWX Team

Hi,

The call to /api/v2/users/?username=testuser does not return anything. testuser is the username of the user that didn’t get created.

This is the result:

GET /api/v2/users/?username=testuser
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
X-API-Node: awx-123abc
X-API-Product-Name: AWX
X-API-Product-Version: 21.9.0
X-API-Time: 0.006s

{
    "count": 0,
    "next": null,
    "previous": null,
    "results": []
}

And if I try with an already existing user, I get the expected result: the user info in results.
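As an added triage helper (not code from this thread or from AWX itself), the Python below parses awx-web log lines of the shape pasted above, joins each "An account cannot be found for" error to the request carrying the same request id, flags the case where the identifier is empty (the point raised about the redacted log line), and interprets a /api/v2/users/?username= response body the way the last two posts do. The sample log lines and the email address in them are constructed for this example; real log lines use straight quotes, not the curly quotes the forum rendered.

```python
import json
import re

# Constructed sample in the awx-web debug format from the thread: one error
# with an empty identifier, one with a fictional email address.
SAMPLE_LOG = """\
2022-12-01 09:16:05,125 ERROR [34fc976335f94f28808337c9ffd875ed] social An account cannot be found for .
2022-12-01 09:16:05,135 DEBUG [34fc976335f94f28808337c9ffd875ed] awx.analytics.performance request: <WSGIRequest: POST '/sso/complete/saml/'>, response_time: 0.089s
2022-12-01 09:20:11,001 ERROR [0123456789abcdef0123456789abcdef] social An account cannot be found for testuser@example.com.
2022-12-01 09:20:11,010 DEBUG [0123456789abcdef0123456789abcdef] awx.analytics.performance request: <WSGIRequest: POST '/sso/complete/saml/'>, response_time: 0.091s
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+) "
    r"\[(?P<req>[0-9a-f]{32})\] (?P<msg>.*)$"
)
SOCIAL_RE = re.compile(r"^social An account cannot be found for (?P<ident>.*)\.$")
REQUEST_RE = re.compile(r"<WSGIRequest: (?P<method>[A-Z]+) '(?P<path>[^']+)'>")


def triage_social_errors(log_text):
    """Return one dict per 'account cannot be found' error, joined to the
    method/path logged under the same request id."""
    requests, errors = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # nginx/uwsgi access lines have a different shape; skip
        req, msg = m.group("req"), m.group("msg")
        r = REQUEST_RE.search(msg)
        if r:
            requests[req] = r.group("method") + " " + r.group("path")
        s = SOCIAL_RE.match(msg)
        if s:
            errors.append({"ts": m.group("ts"), "req": req, "ident": s.group("ident")})
    for e in errors:
        e["request"] = requests.get(e["req"], "unknown")
        # Empty identifier: AWX got no usable identity out of the SAML response.
        # Populated identifier: the account was neither found nor auto-created.
        e["hint"] = ("empty identifier in SAML response" if not e["ident"]
                     else "identifier present; account not found and not created")
    return errors


def user_exists(api_users_json):
    """Interpret a /api/v2/users/?username=<name> body: count > 0 means the
    account is already present in AWX (count 0 is what the thread shows)."""
    return json.loads(api_users_json)["count"] > 0
```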