<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:awx</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,awx"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="awx.html"/>
<link rel="contents" href="awx.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:awx","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#awx_saml_key_certificate">AWX SAML Key & Certificate</a></div></li>
<li class="level2"><div class="li"><a href="#llng_saml_certificate">LLNG SAML Certificate</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#generate_certificate_from_key">Generate Certificate from Key</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#awx">AWX</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#saml_service_provider_entity_id">SAML Service Provider Entity ID</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_public_certificate">SAML Service Provider Public Certificate</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_private_key">SAML Service Provider Private Key</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_organization_info">SAML Service Provider Organization Info</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_technical_contact">SAML Service Provider Technical Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_support_contact">SAML Service Provider Support Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_enabled_identity_providers">SAML Enabled Identity Providers</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#lemonldapng">LemonLDAP::NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="awx_ansible_tower">AWX (Ansible Tower)</h1>
<div class="level1">

<p>
<img src="logo-awx.png" class="mediacenter" alt="" />
<img src="logo-ansibletower.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT1 SECTION "AWX (Ansible Tower)" [1-127] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="https://github.com/ansible/awx" class="urlextern" title="https://github.com/ansible/awx" rel="nofollow">AWX</a> is the upstream open-source project behind Ansible Tower.
</p>

<p>
This documentation explains how to interconnect LemonLDAP::NG and AWX using the <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 protocol, with LemonLDAP::NG acting as the Identity Provider (IdP) and AWX as the Service Provider (SP).
</p>

<p>
The official AWX documentation on this topic is here: <a href="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" class="urlextern" title="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" rel="nofollow">https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings</a>. Read it before the LL::NG part below.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [128-546] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

<p>
This page assumes you have already configured the <abbr title="Security Assertion Markup Language">SAML</abbr> service in LemonLDAP::NG; if not, follow <a href="../documentation/latest/samlservice.html" class="wikilink1" title="documentation:latest:samlservice">SAML service configuration</a> first.
</p>

</div>
<!-- EDIT3 SECTION "Configuration" [547-742] -->
<h3 class="sectionedit4" id="awx_saml_key_certificate">AWX SAML Key & Certificate</h3>
<div class="level3">

<p>
AWX needs its own private key and the matching certificate to act as a <abbr title="Security Assertion Markup Language">SAML</abbr> service provider. Get them from your PKI, or generate a self-signed pair with OpenSSL on your machine:
</p>
<pre class="code">openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes</pre>

<p>
A self-signed certificate is enough here: SAML peers trust each other through the certificates exchanged in their metadata, not through a CA. <code>-nodes</code> writes the private key without a passphrase, which is the form the AWX setting takes in the next section, so keep <code>saml-awx.key</code> readable by you only and never share it; only <code>saml-awx.crt</code> is given to the IdP. Note the expiry date you chose with <code>-days</code>, because the certificate has to be renewed on both sides before it expires.
</p>

</div>
<!-- EDIT4 SECTION "AWX SAML Key & Certificate" [743-1033] -->
<h3 class="sectionedit5" id="llng_saml_certificate">LLNG SAML Certificate</h3>
<div class="level3">

<p>
AWX needs an X.509 certificate to verify the IdP signature; a bare public key will not work. You can either generate a certificate from the LL::NG signing key and put only that certificate in the AWX configuration, or additionally replace the public key by the certificate globally in LL::NG.
</p>

</div>

<h4 id="generate_certificate_from_key">Generate Certificate from Key</h4>
<div class="level4">

<p>
You can find your private key in: SAML2 Service -> Security Parameters -> Signature -> Private Key
</p>

<p>
Copy it somewhere secure as <code>lemonldap.key</code>, then generate the certificate with this command (it prompts for the subject fields; their values do not matter to AWX, which only uses the certificate to verify signatures):
</p>
<pre class="code">openssl req -new -x509 -days 3650 -key lemonldap.key > lemonldap.crt</pre>

<p>
This key signs every assertion LL::NG issues. It must never be pasted into AWX or any other SP; only <code>lemonldap.crt</code>, which carries the public part, goes to AWX. Delete the <code>lemonldap.key</code> copy once the certificate exists.
</p>

<p>
Optionally, you can replace the <abbr title="Security Assertion Markup Language">SAML</abbr> public key with this certificate in the LL::NG configuration (same Signature section, "Public key" field), so that LL::NG publishes the certificate in its metadata. This is not mandatory.
</p>
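<p>
The two OpenSSL commands on this page, as an added example that is not part of this documentation nor of the LemonLDAP::NG or AWX projects: a POSIX shell script that runs them non-interactively, restricts access to the key file, and checks that a private key and a certificate really belong together before you paste them into AWX (a swapped or stale file is the usual cause of an "invalid signature" error on one side). The file names, the subject DN, the 10-year lifetime and the script name <code>saml-keys.sh</code> are assumptions; the <code>demo</code> function works in a temporary directory and creates its own throw-away key in place of the LL::NG one, so it never touches a real IdP key.
</p>

```shell
#!/bin/sh
# Added example, not code from the LemonLDAP::NG documentation or project.
# Non-interactive versions of the openssl steps on this page plus a check
# that a private key and a certificate belong together. File names, the
# subject DN and the default lifetime are assumptions taken from the page.
set -eu

# Fresh RSA key (no passphrase) and self-signed certificate for the AWX SP.
# Usage: gen_sp_keypair <basename> <cn> [days] [bits]
gen_sp_keypair() {
    base=$1; cn=$2; days=${3:-3650}; bits=${4:-4096}
    openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$base.key" -out "$base.crt" 2>/dev/null
    chmod 600 "$base.key"   # unencrypted key: owner-only access
}

# Self-signed certificate for an existing private key, e.g. the signing key
# exported from the LL::NG manager. The key stays here; only the .crt goes
# to AWX.  Usage: cert_from_key <key-file> <cert-file> <cn> [days]
cert_from_key() {
    key=$1; crt=$2; cn=$3; days=${4:-3650}
    openssl req -new -x509 -days "$days" -key "$key" -subj "/CN=$cn" \
        -out "$crt" 2>/dev/null
}

# SHA-256 of the DER-encoded public key found in a private key ("key") or
# in a certificate ("crt"). Equal digests mean the pair belongs together.
# Usage: pubkey_fingerprint key|crt <file>
pubkey_fingerprint() {
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -pubout -outform DER 2>/dev/null
    else
        openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
            openssl pkey -pubin -outform DER 2>/dev/null
    fi | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit status 0 when the certificate was made from the key, 1 otherwise.
# Usage: keypair_matches <key-file> <cert-file>
keypair_matches() {
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint crt "$2")" ]
}

# Expiry date of a certificate, to put in your renewal calendar.
# Usage: cert_expiry <cert-file>
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Demo in a temporary directory with a throw-away key standing in for the
# LL::NG signing key. Run as:  sh saml-keys.sh demo
demo() {
    dir=$(mktemp -d)
    gen_sp_keypair "$dir/saml-awx" awx.example.com
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/lemonldap.key" 2>/dev/null
    cert_from_key "$dir/lemonldap.key" "$dir/lemonldap.crt" auth.example.com
    keypair_matches "$dir/saml-awx.key" "$dir/saml-awx.crt" && echo "saml-awx.key matches saml-awx.crt"
    keypair_matches "$dir/lemonldap.key" "$dir/lemonldap.crt" && echo "lemonldap.key matches lemonldap.crt"
    keypair_matches "$dir/lemonldap.key" "$dir/saml-awx.crt" || echo "lemonldap.key does not match saml-awx.crt (expected)"
    echo "saml-awx.crt expires: $(cert_expiry "$dir/saml-awx.crt")"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

<p>
In real use, source the file and call <code>gen_sp_keypair saml-awx awx.example.com</code> for the AWX side, <code>cert_from_key lemonldap.key lemonldap.crt auth.example.com</code> for the LL::NG side, and <code>keypair_matches</code> on each pair before pasting anything. The match check compares the DER-encoded public key extracted from both files, so it works for PKCS#1 and PKCS#8 key files alike.
</p>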

</div>
<!-- EDIT5 SECTION "LLNG SAML Certificate" [1034-1707] -->
<h3 class="sectionedit6" id="awx">AWX</h3>
<div class="level3">

<p>
You'll need an administrator account; then go to Settings -> Authentication -> <abbr title="Security Assertion Markup Language">SAML</abbr>
</p>

<p>
<img src="saml-awx.png" class="mediacenter" alt="" />
</p>

<p>
There are a few settings to fill in:
</p>

</div>

<h4 id="saml_service_provider_entity_id">SAML Service Provider Entity ID</h4>
<div class="level4">

<p>
This is the entityID of the AWX service provider. Let's use its FQDN. AWX publishes this value in its metadata and LL::NG identifies the SP by it, so do not change it once the SP has been declared in LL::NG:
</p>
<pre class="code">awx.example.com</pre>

</div>

<h4 id="saml_service_provider_public_certificate">SAML Service Provider Public Certificate</h4>
<div class="level4">

<p>
Put the content of <code>saml-awx.crt</code> (the whole file, including the BEGIN and END lines):
</p>
<pre class="code">-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----</pre>

</div>

<h4 id="saml_service_provider_private_key">SAML Service Provider Private Key</h4>
<div class="level4">

<p>
Put the content of <code>saml-awx.key</code>, again the whole file (recent OpenSSL versions write a PKCS#8 key whose header reads <code>-----BEGIN PRIVATE KEY-----</code> instead; paste it as generated):
</p>
<pre class="code">-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----</pre>

<p>
It will be replaced with
</p>
<pre class="code">$encrypted$</pre>

<p>
after you save the settings: AWX stores the key encrypted in its database and only shows this placeholder, so do not mistake it for a lost value. Anyone allowed to edit the AWX SAML settings can still replace the key, so restrict that right to the administrators who need it.
</p>

</div>

<h4 id="saml_service_provider_organization_info">SAML Service Provider Organization Info</h4>
<div class="level4">

<p>
Organization info for the SP. This is descriptive only (it is shown in the SP metadata) and has no effect on authentication:
</p>
<pre class="code">{
  "en-US": {
    "displayname": "AWX ACME",
    "url": "https://awx.example.com",
    "name": "awxacme"
  }
}</pre>

</div>

<h4 id="saml_service_provider_technical_contact">SAML Service Provider Technical Contact</h4>
<div class="level4">

<p>
Technical contact for the SP, also descriptive only:
</p>
<pre class="code">{
  "emailAddress": "support@example.com",
  "givenName": "Support ACME"
}</pre>

</div>

<h4 id="saml_service_provider_support_contact">SAML Service Provider Support Contact</h4>
<div class="level4">

<p>
Support contact for the SP (this example reuses the same address):
</p>
<pre class="code">{
  "emailAddress": "support@example.com",
  "givenName": "Support ACME"
}</pre>

</div>

<h4 id="saml_enabled_identity_providers">SAML Enabled Identity Providers</h4>
<div class="level4">

<p>
This is the configuration of the IdP, a JSON object keyed by a short name of your choice (here <code>lemonldap</code>):
</p>
<pre class="code">{
  "lemonldap": {
    "attr_last_name": "sn",
    "x509cert": "SOXGp.....",
    "attr_username": "uid",
    "entity_id": "https://auth.example.com/saml/metadata",
    "attr_first_name": "givenName",
    "attr_email": "mail",
    "attr_user_permanent_id": "uid",
    "url": "https://auth.example.com/saml/singleSignOn"
  }
}</pre>
<ul>
<li class="level1"><div class="li"> "attr_last_name": "sn" <abbr title="Security Assertion Markup Language">SAML</abbr> attribute carrying the user's last name</div>
</li>
<li class="level1"><div class="li"> "x509cert": "SOXGp....." the content of <code>lemonldap.crt</code> generated in the "LLNG <abbr title="Security Assertion Markup Language">SAML</abbr> Certificate" section, as the base64 body on a single line (a JSON string cannot contain line breaks; the BEGIN and END lines can be left out). This is the trust anchor AWX uses to verify assertions from LL::NG: it must be exactly the certificate matching the LL::NG signing key, and it must be updated here whenever that key is rotated.</div>
</li>
<li class="level1"><div class="li"> "attr_username": "uid" <abbr title="Security Assertion Markup Language">SAML</abbr> attribute used as the AWX login name</div>
</li>
<li class="level1"><div class="li"> "entity_id": "<a href="https://auth.example.com/saml/metadata" class="urlextern" title="https://auth.example.com/saml/metadata" rel="nofollow">https://auth.example.com/saml/metadata</a>" entityID of the IdP; it must match the entityID in the LL::NG metadata (by default the metadata URL itself, as here)</div>
</li>
<li class="level1"><div class="li"> "attr_first_name": "givenName" <abbr title="Security Assertion Markup Language">SAML</abbr> attribute carrying the user's first name</div>
</li>
<li class="level1"><div class="li"> "attr_email": "mail" <abbr title="Security Assertion Markup Language">SAML</abbr> attribute carrying the user's email address</div>
</li>
<li class="level1"><div class="li"> "attr_user_permanent_id": "uid" <abbr title="Security Assertion Markup Language">SAML</abbr> attribute used as the stable unique id of the user inside AWX; pick a value that never changes for a given person, otherwise the user is no longer matched to their existing AWX account after the change</div>
</li>
<li class="level1"><div class="li"> "url": "<a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a>" <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Single Sign On">SSO</abbr> URL of the IdP, where AWX sends its authentication requests</div>
</li>
</ul>
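<p>
Turning <code>lemonldap.crt</code> into the <code>x509cert</code> value and assembling the entry above is easy to get wrong by hand, so here is an added example (not code from this documentation nor from the AWX or LemonLDAP::NG projects): a POSIX shell script that flattens the PEM body onto one line, refuses anything that is not exactly one certificate (in particular a private key, which must never reach AWX), and prints the complete entry using the host names, entry name and attribute names from this page. The certificate in its demo is a constructed placeholder, not a real certificate, and the script name <code>awx-idp-entry.sh</code> is an assumption.
</p>

```shell
#!/bin/sh
# Added example, not code from the LemonLDAP::NG documentation or project.
# Builds the AWX "SAML Enabled Identity Providers" entry from the LL::NG
# certificate file. Host names, entry name and attribute names are the ones
# used on this page; the demo certificate is a constructed placeholder.
set -eu

# Body of a PEM file as one base64 line: BEGIN/END lines removed, line
# breaks dropped. A JSON string cannot contain raw newlines, so the
# multi-line PEM has to be flattened before it is pasted into AWX.
pem_body() {
    grep -v -- '-----' "$1" | tr -d '\r\n '
}

# Accept only a file holding exactly one certificate. A private key pasted
# in here would hand the IdP signing key to every AWX administrator; a
# chain or a bare public key is not what AWX expects either.
assert_single_cert() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing $1: it contains a private key; only the certificate goes to AWX" >&2
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "refusing $1: expected exactly one certificate, found $n" >&2
        return 1
    fi
}

# Print the JSON object for one IdP entry. entity_id and url are derived
# from the portal base URL the way this page shows them (/saml/metadata and
# /saml/singleSignOn); check them against the LL::NG metadata if your
# portal uses a different layout.
# Usage: awx_idp_entry <entry-name> <portal-base-url> <cert-file>
awx_idp_entry() {
    name=$1; base=$2; crt=$3
    assert_single_cert "$crt" || return 1
    cert=$(pem_body "$crt")
    printf '{\n  "%s": {\n' "$name"
    printf '    "entity_id": "%s/saml/metadata",\n' "$base"
    printf '    "url": "%s/saml/singleSignOn",\n' "$base"
    printf '    "x509cert": "%s",\n' "$cert"
    printf '    "attr_user_permanent_id": "uid",\n'
    printf '    "attr_username": "uid",\n'
    printf '    "attr_first_name": "givenName",\n'
    printf '    "attr_last_name": "sn",\n'
    printf '    "attr_email": "mail"\n'
    printf '  }\n}\n'
}

# Demo with a constructed placeholder certificate (not a real one). Run as:
#   sh awx-idp-entry.sh demo
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBexampleAAAA' 'BBBBexample=' \
        '-----END CERTIFICATE-----' > "$dir/lemonldap.crt"
    awx_idp_entry lemonldap https://auth.example.com "$dir/lemonldap.crt"
    # The same call on a key file is refused:
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' \
        > "$dir/lemonldap.key"
    awx_idp_entry lemonldap https://auth.example.com "$dir/lemonldap.key" || true
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

<p>
With the real file, <code>awx_idp_entry lemonldap https://auth.example.com lemonldap.crt</code> prints the block to paste into the AWX setting. The script only checks the shape of the input; whether the certificate is the right one is what the key/certificate match check in the "LLNG SAML Certificate" section is for.
</p>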

<p>
Save your configuration.
</p>

</div>
<!-- EDIT6 SECTION "AWX" [1708-3983] -->
<h3 class="sectionedit7" id="lemonldapng">LemonLDAP::NG</h3>
<div class="level3">

<p>
We now have to declare AWX as a service provider in LL::NG.
</p>

<p>
Go to "<abbr title="Security Assertion Markup Language">SAML</abbr> service providers", click on "Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP" and name it as you want (example: 'AWX').
</p>

<p>
In the new 'AWX' subtree, open 'Metadata' and paste the AWX metadata, which is published at the
</p>
<pre class="code">SAML Service Provider Metadata URL</pre>

<p>
shown in AWX: <a href="https://awx.example.com/sso/metadata/saml/" class="urlextern" title="https://awx.example.com/sso/metadata/saml/" rel="nofollow">https://awx.example.com/sso/metadata/saml/</a>
</p>

<p>
Fetch it over HTTPS and, before pasting, check two things in it: the <code>entityID</code> is the one you entered in AWX, and the <code>X509Certificate</code> element contains the body of <code>saml-awx.crt</code>. LL::NG will trust that certificate for anything AWX signs, so make sure it is the current one.
</p>

<p>
<img src="awx-metadata.png" class="mediacenter" alt="" />
</p>

<p>
Now go to "Exported attributes" and add 'uid', 'sn', 'givenName' and 'mail'.
</p>

<p>
All four attributes are mandatory for AWX. The names exported here are the ones AWX looks up through its <code>attr_*</code> settings, so they must match that configuration exactly, and the session variables they are taken from must exist in your LemonLDAP::NG sessions.
</p>

<p>
<img src="awx-attr.png" class="mediacenter" alt="" />
</p>

<p>
Don't forget to save your configuration.
</p>

<p>
You are now good to go, and you can add the application in <a href="../portalmenu.html" class="wikilink1" title="documentation:2.0:portalmenu">your menu</a> and <a href="../configvhost.html#lemonldapng_configuration" class="wikilink1" title="documentation:2.0:configvhost">your virtual hosts</a>.
</p>

<p>
You should now have a <abbr title="Security Assertion Markup Language">SAML</abbr> button on the AWX login page:
</p>

<p>
<img src="awx-saml-login.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT7 SECTION "LemonLDAP:NG" [3984-] --></div>
</body>
</html>