I understand that AWX is open source software provided for free and that I might not receive a timely response.
I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)
Bug Summary
We are trying to migrate off LDAP in favor of Okta SAML.
While we are testing the integration with Okta, we are encountering many issues with existing users trying to log in with Okta for the first time.
This results in users losing permissions and new AWX teams being created based on the users' Okta groups' names.
This floods AWX with unused AWX teams.
AWX version
AWX 24.6.1
Select the relevant components
UI
UI (tech preview)
API
Docs
Collection
CLI
Other
Installation method
kubernetes
Modifications
no
Ansible version
AWX 24.6.1
Operating system
No response
Web browser
Chrome
Steps to reproduce
Set up the Okta SAML integration.
Set up the SAML team map based on the Okta groups and AWX teams.
Give a specific team execute permission (use one of the teams that is set up in the mapping).
Try logging in through Okta and verify you have the ability to execute a job template.
Expected results
I expect to see the user's permissions granted based on the existing AWX teams and the user assigned to the correct AWX team.
Actual results
New teams are being created based on the Okta group name.
Users are not assigned to existing AWX teams with the permissions assigned to the team.
This results in the users losing their permissions when they try to log in for the first time from Okta and not with LDAP.
Additional information
In LDAP, it is possible to take the LDAP CN of an LDAP group and map it to an existing AWX team, and it works perfectly with no issues there.
When it comes to SAML, I do see the main issue.
AWX is expecting to get 2 different SAML attributes: one for the members and one for the admins, as described here (https://github.com/ansible/awx/blob/devel/docs/auth/saml.md#example-saml-organization-attribute-mapping).
The problem is that Okta works differently. Okta sends one attribute called "Groups" in the saml response and lists all of the Okta Groups a user is assigned to.
There is no way to list "admin-of" groups because in Okta, even though you're an admin of an Okta group, it will not list it as an admin of a group.
Comparing how LDAP works, you can specify the LDAP groups to be mapped into existing AWX teams, and it works perfectly. However, in SAML, it works differently for some reason, messing up our current user and team assignments.
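As an added illustration (not AWX's own code, and not from the reporter), the check below models the documented SOCIAL_AUTH_SAML_TEAM_ATTR team map against the single multi-valued "Groups" attribute described above, so an admin can see before the first SSO login which group values land on existing teams, which are unmapped, and which mapped teams a user would be removed from. The attribute name, group names, team names and the assertion contents are constructed sample values.

```python
# Added example, not AWX code: dry-run a SAML team map against the
# attributes an Okta assertion carries.  Pure Python, no AWX imports.

OKTA_GROUPS_ATTR = "Groups"  # assumption: attribute name set in the Okta app

# Shape follows the documented AWX setting; team/org names are constructed.
TEAM_ATTR = {
    "saml_attr": OKTA_GROUPS_ATTR,
    "remove": True,
    "team_org_map": [
        {"team": "Blue", "organization": "Default"},
        {"team": "Red", "organization": "Default"},
    ],
}

# Constructed sample of what AWX would see from Okta: one multi-valued
# "Groups" attribute and no separate admin attribute.
SAMPLE_ASSERTION_ATTRS = {
    "email": ["alice@example.com"],
    "Groups": ["Blue", "Everyone", "Okta-Admins"],
}


def evaluate_team_map(attrs, team_attr):
    """Return (matched, unmapped) for the user's group values.

    matched  -> sorted (team, organization) pairs the user would join
    unmapped -> group values with no team_org_map entry; these are the
                values that can end up as unwanted auto-created teams
    """
    groups = set(attrs.get(team_attr["saml_attr"], []))
    by_team = {m["team"]: m["organization"] for m in team_attr["team_org_map"]}
    matched = sorted((t, by_team[t]) for t in groups if t in by_team)
    unmapped = sorted(g for g in groups if g not in by_team)
    return matched, unmapped


def teams_user_would_lose(attrs, team_attr):
    """With remove=True, mapped teams absent from the attribute are removed
    from the user on login; list them so lost permissions are visible."""
    if not team_attr.get("remove"):
        return []
    groups = set(attrs.get(team_attr["saml_attr"], []))
    return sorted(m["team"] for m in team_attr["team_org_map"]
                  if m["team"] not in groups)
```

Running the two functions over a real user's attribute list before enabling the map shows exactly which existing teams will match and which group names need a team_org_map entry.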