e25d03d8f4
* managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * *: load .managed in apps * managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * *: use ObjectManager in tests to ensure objects exist * ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * *: make PropertyMapping SerializerModel * web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting
80 lines
4.1 KiB
Markdown
80 lines
4.1 KiB
Markdown
---
|
||
title: Ansible Tower / AWX
|
||
---
|
||
|
||
## What is Tower
|
||
|
||
From https://docs.ansible.com/ansible/2.5/reference_appendices/tower.html
|
||
|
||
:::note
|
||
Ansible Tower (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks.
|
||
|
||
Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
|
||
:::
|
||
|
||
:::note
|
||
AWX is the open-source version of Tower. The term "AWX" will be used interchangeably throughout this document.
|
||
:::
|
||
|
||
## Preparation
|
||
|
||
The following placeholders will be used:
|
||
|
||
- `awx.company` is the FQDN of the AWX/Tower install.
|
||
- `authentik.company` is the FQDN of the authentik install.
|
||
|
||
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
||
|
||
- ACS URL: `https://awx.company/sso/complete/saml/`
|
||
- Audience: `awx`
|
||
- Service Provider Binding: Post
|
||
- Issuer: `https://awx.company/sso/metadata/saml/`
|
||
|
||
You can of course use a custom signing certificate, and adjust durations.
|
||
|
||
## AWX Configuration
|
||
|
||
Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
|
||
|
||
For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom certificates, or use the self-signed pair generated by authentik.
|
||
|
||
Provide metadata in the `SAML Service Provider Organization Info` field:
|
||
|
||
```json
|
||
{
|
||
"en-US": {
|
||
"name": "authentik",
|
||
"url": "https://authentik.company",
|
||
"displayname": "authentik"
|
||
}
|
||
}
|
||
```
|
||
|
||
Provide metadata in the `SAML Service Provider Technical Contact` and `SAML Service Provider Technical Contact` fields:
|
||
|
||
```json
|
||
{
|
||
"givenName": "Admin Name",
|
||
"emailAddress": "admin@company"
|
||
}
|
||
```
|
||
|
||
In the `SAML Enabled Identity Providers` paste the following configuration:
|
||
|
||
```json
|
||
{
|
||
"authentik": {
|
||
"attr_username": "http://schemas.goauthentik.io/2021/02/saml/username",
|
||
"attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
|
||
"x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
|
||
"url": "https://authentik.company/application/saml/awx/login/",
|
||
"attr_last_name": "User.LastName",
|
||
"entity_id": "https://awx.company/sso/metadata/saml/",
|
||
"attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
|
||
"attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
|
||
}
|
||
}
|
||
```
|
||
|
||
`x509cert` is the certificate configured in authentik. Remove the `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--` headers, then enter the cert as one non-breaking string.
|