mirror of
https://github.com/ansible/awx.git
synced 2026-05-09 10:27:37 -02:30
Re-do for PR #14595 to fix CI issues.
This commit is contained in:
Thanhnguyet Vo
@@ -55,6 +55,7 @@ To set up enterprise authentication for Microsoft Azure Active Directory (AD), y
|
||||
8. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the Microsoft Azure logo to allow logging in with those credentials.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-azure-logo.png
|
||||
:alt: AWX login screen displaying the Microsoft Azure logo for authentication.
|
||||
|
||||
|
||||
For application registering basics in Azure AD, refer to the `Azure AD Identity Platform (v2)`_ overview.
|
||||
@@ -102,6 +103,7 @@ SAML settings
|
||||
SAML allows the exchange of authentication and authorization data between an Identity Provider (IdP - a system of servers that provide the Single Sign On service) and a Service Provider (in this case, AWX). AWX can be configured to talk with SAML in order to authenticate (create/login/logout) AWX users. User Team and Organization membership can be embedded in the SAML response to AWX.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-topology.png
|
||||
:alt: Diagram depicting SAML topology for AWX.
|
||||
|
||||
The following instructions describe AWX as the service provider.
|
||||
|
||||
@@ -122,6 +124,7 @@ To setup SAML authentication:
|
||||
In this example, the Service Provider is the AWX cluster, and therefore, the ID is set to the AWX Cluster FQDN.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-spentityid.png
|
||||
:alt: Configuring SAML Service Provider Entity ID in AWX.
|
||||
|
||||
5. Create a server certificate for the Ansible cluster. Typically when an Ansible cluster is configured, AWX nodes will be configured to handle HTTP traffic only and the load balancer will be an SSL Termination Point. In this case, an SSL certificate is required for the load balancer, and not for the individual AWX Cluster Nodes. SSL can either be enabled or disabled per individual AWX node, but should be disabled when using an SSL terminated load balancer. It is recommended to use a non-expiring self signed certificate to avoid periodically updating certificates. This way, authentication will not fail in case someone forgets to update the certificate.
|
||||
|
||||
@@ -132,6 +135,7 @@ In this example, the Service Provider is the AWX cluster, and therefore, the ID
|
||||
If you are using a CA bundle with your certificate, include the entire bundle in this field.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-cert.png
|
||||
:alt: Configuring SAML Service Provider Public Certificate in AWX.
|
||||
|
||||
As an example for public certs:
|
||||
|
||||
@@ -167,6 +171,7 @@ As an example for private keys:
|
||||
For example:
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-org-info.png
|
||||
:alt: Configuring SAML Organization information in AWX.
|
||||
|
||||
.. note::
|
||||
These fields are required in order to properly configure SAML within AWX.
|
||||
@@ -183,6 +188,7 @@ For example:
|
||||
For example:
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-techcontact-info.png
|
||||
:alt: Configuring SAML Technical Contact information in AWX.
|
||||
|
||||
9. Provide the IdP with the support contact information in the **SAML Service Provider Support Contact** field. Do not remove the contents of this field.
|
||||
|
||||
@@ -196,6 +202,7 @@ For example:
|
||||
For example:
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-suppcontact-info.png
|
||||
:alt: Configuring SAML Support Contact information in AWX.
|
||||
|
||||
10. In the **SAML Enabled Identity Providers** field, provide information on how to connect to each Identity Provider listed. AWX expects the following SAML attributes in the example below:
|
||||
|
||||
@@ -238,6 +245,7 @@ Configure the required keys for each IDp:
|
||||
}
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-idps.png
|
||||
:alt: Configuring SAML Identity Providers (IdPs) in AWX.
|
||||
|
||||
.. warning::
|
||||
|
||||
@@ -249,6 +257,7 @@ Configure the required keys for each IDp:
|
||||
The IdP provides the email, last name and firstname using the well known SAML urn. The IdP uses a custom SAML attribute to identify a user, which is an attribute that AWX is unable to read. Instead, AWX can understand the unique identifier name, which is the URN. Use the URN listed in the SAML “Name” attribute for the user attributes as shown in the example below.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-idps-urn.png
|
||||
:alt: Configuring SAML Identity Providers (IdPs) in AWX using URNs.
|
||||
|
||||
11. Optionally provide the **SAML Organization Map**. For further detail, see :ref:`ag_org_team_maps`.
|
||||
|
||||
@@ -479,6 +488,7 @@ Example::
|
||||
Alternatively, logout of AWX and the login screen will now display the SAML logo to indicate it as a alternate method of logging into AWX.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-saml-logo.png
|
||||
:alt: AWX login screen displaying the SAML logo for authentication.
|
||||
|
||||
|
||||
Transparent SAML Logins
|
||||
@@ -495,6 +505,7 @@ For transparent logins to work, you must first get IdP-initiated logins to work.
|
||||
2. Once this is working, specify the redirect URL for non-logged-in users to somewhere other than the default AWX login page by using the **Login redirect override URL** field in the Miscellaneous Authentication settings window of the **Settings** menu, accessible from the left navigation bar. This should be set to ``/sso/login/saml/?idp=<name-of-your-idp>`` for transparent SAML login, as shown in the example.
|
||||
|
||||
.. image:: ../common/images/configure-awx-system-login-redirect-url.png
|
||||
:alt: Configuring the login redirect URL in AWX Miscellaneous Authentication Settings.
|
||||
|
||||
.. note::
|
||||
|
||||
@@ -537,6 +548,7 @@ Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol th
|
||||
- **TACACS+ Authentication Protocol**: The protocol used by TACACS+ client. Options are **ascii** or **pap**.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-tacacs.png
|
||||
:alt: TACACS+ configuration details in AWX settings.
|
||||
|
||||
4. Click **Save** when done.
|
||||
|
||||
@@ -563,6 +575,7 @@ To configure OIDC in AWX:
|
||||
The example below shows specific values associated to GitHub as the generic IdP:
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-oidc.png
|
||||
:alt: OpenID Connect (OIDC) configuration details in AWX settings.
|
||||
|
||||
4. Click **Save** when done.
|
||||
|
||||
@@ -574,4 +587,4 @@ The example below shows specific values associated to GitHub as the generic IdP:
|
||||
5. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the OIDC logo to indicate it as a alternate method of logging into AWX.
|
||||
|
||||
.. image:: ../common/images/configure-awx-auth-oidc-logo.png
|
||||
|
||||
:alt: AWX login screen displaying the OpenID Connect (OIDC) logo for authentication.
|
||||
|
||||
Reference in New Issue
Block a user