lemonldap-ng/doc/pages/documentation/current/applications/awx.html
2020-05-05 15:40:05 +02:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:awx</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,awx"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="awx.html"/>
<link rel="contents" href="awx.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:awx","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#awx_saml_key_certificate">AWX SAML Key &amp; Certificate</a></div></li>
<li class="level2"><div class="li"><a href="#llng_saml_certificate">LLNG SAML Certificate</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#generate_certificate_from_key">Generate Certificate from Key</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#awx">AWX</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#saml_service_provider_entity_id">SAML Service Provider Entity ID</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_public_certificate">SAML Service Provider Public Certificate</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_private_key">SAML Service Provider Private Key</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_organization_info">SAML Service Provider Organization Info</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_technical_contact">SAML Service Provider Technical Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_support_contact">SAML Service Provider Support Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_enabled_identity_providers">SAML Enabled Identity Providers</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#lemonldapng">LemonLDAP:NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="awx_ansible_tower">AWX (Ansible Tower)</h1>
<div class="level1">
<p>
<img src="logo-awx.png" class="mediacenter" alt="" />
<img src="logo-ansibletower.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "AWX (Ansible Tower)" [1-127] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://github.com/ansible/awx" class="urlextern" title="https://github.com/ansible/awx" rel="nofollow">AWX</a> is the upstream version of Ansible Tower.
</p>
<p>
This documentation explains how to interconnect LemonLDAP::NG and AWX using the <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 protocol.
</p>
<p>
The official AWX documentation on this topic is available at <a href="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" class="urlextern" title="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" rel="nofollow">https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings</a>. Please read it before this LLNG documentation.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [128-546] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
This page assumes you have already configured the <abbr title="Security Assertion Markup Language">SAML</abbr> service in LemonLDAP::NG; if not, follow the <a href="../documentation/latest/samlservice.html" class="wikilink1" title="documentation:latest:samlservice">SAML service configuration</a> guide first.
</p>
</div>
<!-- EDIT3 SECTION "Configuration" [547-742] -->
<h3 class="sectionedit4" id="awx_saml_key_certificate">AWX SAML Key &amp; Certificate</h3>
<div class="level3">
<p>
You&#039;ll need a private key and the corresponding certificate to set up <abbr title="Security Assertion Markup Language">SAML</abbr> in AWX. You can obtain them from your PKI, or generate them with openssl on your machine:
</p>
<pre class="code">openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes</pre>
</div>
<!-- EDIT4 SECTION "AWX SAML Key & Certificate" [743-1033] -->
<h3 class="sectionedit5" id="llng_saml_certificate">LLNG SAML Certificate</h3>
<div class="level3">
<p>
AWX needs a certificate for the IdP signature; a bare public key won&#039;t work. You can either generate a certificate from the private key and put only that in the AWX configuration, or do it globally by replacing the public key with the certificate in the LLNG configuration.
</p>
</div>
<h4 id="generate_certificate_from_key">Generate Certificate from Key</h4>
<div class="level4">
<p>
You can find your private key in the LLNG configuration under: SAML2 Service -&gt; Security Parameters -&gt; Signature -&gt; Private Key
</p>
<p>
Copy it to a secure location as <code>lemonldap.key</code>, then generate the certificate with this command:
</p>
<pre class="code">openssl req -new -x509 -days 3650 -key lemonldap.key &gt; lemonldap.crt</pre>
<p>
Afterwards you may optionally replace your <abbr title="Security Assertion Markup Language">SAML</abbr> public key with this certificate in the LLNG configuration; this is not mandatory.
</p>
</div>
<!-- EDIT5 SECTION "LLNG SAML Certificate" [1034-1707] -->
<h3 class="sectionedit6" id="awx">AWX</h3>
<div class="level3">
<p>
You&#039;ll need an administrator account. Then go to Settings -&gt; Authentication -&gt; <abbr title="Security Assertion Markup Language">SAML</abbr>.
</p>
<p>
<img src="saml-awx.png" class="mediacenter" alt="" />
</p>
<p>
There are a few settings to fill in:
</p>
</div>
<h4 id="saml_service_provider_entity_id">SAML Service Provider Entity ID</h4>
<div class="level4">
<p>
This is the entityID for AWX; use its FQDN:
</p>
<pre class="code">awx.example.com</pre>
</div>
<h4 id="saml_service_provider_public_certificate">SAML Service Provider Public Certificate</h4>
<div class="level4">
<p>
Put the content of <code>saml-awx.crt</code>:
</p>
<pre class="code">-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----</pre>
</div>
<h4 id="saml_service_provider_private_key">SAML Service Provider Private Key</h4>
<div class="level4">
<p>
Put the content of <code>saml-awx.key</code>:
</p>
<pre class="code">-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----</pre>
<p>
It will be replaced with
</p>
<pre class="code">$encrypted$</pre>
<p>
after you save the settings.
</p>
</div>
<h4 id="saml_service_provider_organization_info">SAML Service Provider Organization Info</h4>
<div class="level4">
<p>
Organization Info for the SP. This is purely &quot;for looks&quot;:
</p>
<pre class="code">{
  &quot;en-US&quot;: {
    &quot;displayname&quot;: &quot;AWX ACME&quot;,
    &quot;url&quot;: &quot;https://awx.example.com&quot;,
    &quot;name&quot;: &quot;awxacme&quot;
  }
}</pre>
</div>
<h4 id="saml_service_provider_technical_contact">SAML Service Provider Technical Contact</h4>
<div class="level4">
<p>
Technical Contact for the SP:
</p>
<pre class="code">{
  &quot;emailAddress&quot;: &quot;support@example.com&quot;,
  &quot;givenName&quot;: &quot;Support ACME&quot;
}</pre>
</div>
<h4 id="saml_service_provider_support_contact">SAML Service Provider Support Contact</h4>
<div class="level4">
<p>
Support Contact for the SP:
</p>
<pre class="code">{
  &quot;emailAddress&quot;: &quot;support@example.com&quot;,
  &quot;givenName&quot;: &quot;Support ACME&quot;
}</pre>
</div>
<h4 id="saml_enabled_identity_providers">SAML Enabled Identity Providers</h4>
<div class="level4">
<p>
This is the configuration of the IdP:
</p>
<pre class="code">{
  &quot;lemonldap&quot;: {
    &quot;attr_last_name&quot;: &quot;sn&quot;,
    &quot;x509cert&quot;: &quot;SOXGp.....&quot;,
    &quot;attr_username&quot;: &quot;uid&quot;,
    &quot;entity_id&quot;: &quot;https://auth.example.com/saml/metadata&quot;,
    &quot;attr_first_name&quot;: &quot;givenName&quot;,
    &quot;attr_email&quot;: &quot;mail&quot;,
    &quot;attr_user_permanent_id&quot;: &quot;uid&quot;,
    &quot;url&quot;: &quot;https://auth.example.com/saml/singleSignOn&quot;
  }
}</pre>
<ul>
<li class="level1"><div class="li"> <code>&quot;attr_last_name&quot;: &quot;sn&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute for the user&#039;s last name</div>
</li>
<li class="level1"><div class="li"> <code>&quot;x509cert&quot;: &quot;SOXGp.....&quot;</code>: the content of <code>lemonldap.crt</code> generated in the &quot;LLNG <abbr title="Security Assertion Markup Language">SAML</abbr> Certificate&quot; section</div>
</li>
<li class="level1"><div class="li"> <code>&quot;attr_username&quot;: &quot;uid&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute for the user&#039;s username</div>
</li>
<li class="level1"><div class="li"> <code>&quot;entity_id&quot;: &quot;<a href="https://auth.example.com/saml/metadata" class="urlextern" title="https://auth.example.com/saml/metadata" rel="nofollow">https://auth.example.com/saml/metadata</a>&quot;</code>: entityID of the IdP</div>
</li>
<li class="level1"><div class="li"> <code>&quot;attr_first_name&quot;: &quot;givenName&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute for the user&#039;s first name</div>
</li>
<li class="level1"><div class="li"> <code>&quot;attr_email&quot;: &quot;mail&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute for the user&#039;s email</div>
</li>
<li class="level1"><div class="li"> <code>&quot;attr_user_permanent_id&quot;: &quot;uid&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute used as the user&#039;s unique id inside AWX</div>
</li>
<li class="level1"><div class="li"> <code>&quot;url&quot;: &quot;<a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a>&quot;</code>: <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Single Sign On">SSO</abbr> URL of the IdP</div>
</li>
</ul>
<p>
Save your configuration.
</p>
</div>
<!-- EDIT6 SECTION "AWX" [1708-3983] -->
<h3 class="sectionedit7" id="lemonldapng">LemonLDAP:NG</h3>
<div class="level3">
<p>
We now have to define a service provider in LL:NG.
</p>
<p>
Go to &quot;<abbr title="Security Assertion Markup Language">SAML</abbr> service providers&quot;, click on &quot;Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP&quot; and give it a name of your choice (for example &#039;AWX&#039;).
</p>
<p>
In the new subtree &#039;AWX&#039;, open &#039;Metadata&#039; and paste the content of the AWX metadata, which can be found at the
</p>
<pre class="code">SAML Service Provider Metadata URL</pre>
<p>
shown in AWX: <a href="https://awx.example.com/sso/metadata/saml/" class="urlextern" title="https://awx.example.com/sso/metadata/saml/" rel="nofollow">https://awx.example.com/sso/metadata/saml/</a>
</p>
<p>
<img src="awx-metadata.png" class="mediacenter" alt="" />
</p>
<p>
Now go to &quot;Exported attributes&quot; and add &#039;uid&#039;, &#039;sn&#039;, &#039;givenName&#039; and &#039;mail&#039;.
</p>
<p>
All four attributes are mandatory for AWX. Make sure they match the names of the attributes available in your LemonLDAP sessions.
</p>
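<p>
As an added example (not part of this documentation, nor code from AWX or LemonLDAP::NG), the following Python script checks the &quot;SAML Enabled Identity Providers&quot; value from the AWX section against the four attributes exported here: it converts <code>lemonldap.crt</code> into the bare base64 body used for <code>x509cert</code>, verifies that value decodes to a single DER SEQUENCE (the outer shape of every X.509 certificate), requires every key listed above, insists the IdP URLs use https, and reports any <code>attr_*</code> mapping that LL::NG does not export. The certificate body, the dictionary values and all function names are constructed for the example.
</p>

```python
import base64
# Constructed sample input (not a real certificate): a PEM file shaped like
# lemonldap.crt, whose body is a tiny hand-made DER SEQUENCE.
FAKE_DER = b"\x30\x03\x02\x01\x05"
LEMONLDAP_CRT = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(FAKE_DER).decode() + "\n"
                 + "-----END CERTIFICATE-----\n")
LLNG_EXPORTED_ATTRS = {"uid", "sn", "givenName", "mail"}  # exported to AWX in LL::NG
REQUIRED_KEYS = ("entity_id", "url", "x509cert", "attr_username", "attr_user_permanent_id",
                 "attr_email", "attr_first_name", "attr_last_name")

def pem_to_x509cert(pem_text):
    """Strip the BEGIN/END lines and newlines: the bare base64 body AWX shows as x509cert."""
    return "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))

def der_sequence_ok(der):
    """True if der is exactly one complete ASN.1 SEQUENCE (outer shape of any X.509 cert)."""
    if der[:1] != b"\x30" or len(der) == 1:
        return False
    first = der[1]
    if first in range(0x80):            # short-form length: one byte
        length, offset = first, 2
    else:                               # long form: low 7 bits = number of length bytes
        n = first - 0x80
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return offset + length == len(der)

def lint_idp_config(config, exported_attrs):
    """Return a list of problems in a "SAML Enabled Identity Providers" value (empty if OK)."""
    problems = []
    for name, idp in config.items():
        problems += [f"{name}: missing {k}" for k in REQUIRED_KEYS if k not in idp]
        problems += [f"{name}: {k} must be an https:// URL" for k in ("entity_id", "url")
                     if not idp.get(k, "").startswith("https://")]
        try:
            der = base64.b64decode(idp.get("x509cert", ""), validate=True)
        except ValueError:              # binascii.Error is a ValueError
            der = b""
        if not der_sequence_ok(der):
            problems.append(f"{name}: x509cert is not a base64 DER certificate")
        problems += [f"{name}: {k}={v} is not exported by LL::NG" for k, v in idp.items()
                     if k.startswith("attr_") and v not in exported_attrs]
    return problems

AWX_IDP_CONFIG = {"lemonldap": {"attr_last_name": "sn", "attr_username": "uid",
    "x509cert": pem_to_x509cert(LEMONLDAP_CRT), "attr_first_name": "givenName",
    "attr_email": "mail", "attr_user_permanent_id": "uid",
    "entity_id": "https://auth.example.com/saml/metadata",
    "url": "https://auth.example.com/saml/singleSignOn"}}
```

Run <code>lint_idp_config(AWX_IDP_CONFIG, LLNG_EXPORTED_ATTRS)</code> after editing either side; an empty list means the AWX mapping and the LL::NG exported attributes agree.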
<p>
<img src="awx-attr.png" class="mediacenter" alt="" />
</p>
<p>
Don&#039;t forget to save your configuration.
</p>
<p>
You are now good to go, and you can add the application in <a href="../portalmenu.html" class="wikilink1" title="documentation:2.0:portalmenu">your menu</a> and <a href="../configvhost.html#lemonldapng_configuration" class="wikilink1" title="documentation:2.0:configvhost">your virtual hosts</a>.
</p>
<p>
You should now have a <abbr title="Security Assertion Markup Language">SAML</abbr> button on the login page:
</p>
<p>
<img src="awx-saml-login.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT7 SECTION "LemonLDAP:NG" [3984-] --></div>
</body>
</html>