Configuring Ansible Tower to authenticate with SAML2 enterprise authentication using Ipsilon.
This guide describes how to set up Ansible Tower to authenticate against Ipsilon as a SAML2 SP, with automatic account creation on login.
This guide has been tested with:
but is known to work with other versions.
Generate a new certificate and key to be used for the SAML SP side (for the Common Name of the certificate you can enter anything, as only the key part is used):
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
On the Tower server open /etc/tower/conf.d/social_auth.py, and set the following settings: You can enter anything here, but this will need to be unique across all SPs in Ipsilon:
SOCIAL_AUTH_SAML_SP_ENTITY_ID = 'https://tower.mycompany.com'
Enter the contents of server.crt here:
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT = '''-----BEGIN CERTIFICATE-----
MIIFADCCAugCC......
-----END CERTIFICATE-----'''
Enter the contents of server.key here:
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAnxsd9V/L.....
-----END RSA PRIVATE KEY-----'''
The last field to change has x509cert, which are the contents of /var/lib/ipsilon/idp/saml2/idp.pem on the Ipsilon server, and two urls to te Ipsilon instance. The attribute mapping, which are the attr_ values in this field, depend on the type of backend authentication provider you use, but these values work for IPA.
SOCIAL_AUTH_SAML_ENABLED_IDPS = {
'MyIpsilon':
'entity_id': 'https://myidp.example.com/idp/saml2/metadata',
'url': 'https://myidp.example.com/idp/saml2/SSO/Redirect',
'x509cert': '''-----BEGIN CERTIFICATE-----
MIIDFTCCAf2g....
-----END CERTIFICATE-----''',
'attr_user_permanent_id': 'name_id',
'attr_first_name': 'givenname',
'attr_last_name': 'surname',
'attr_username': 'name_id',
'attr_email': 'email',
},
After this, just "ansible-tower-service restart" and you're done for the Tower part of things.
Go to your Ipsilon web management URL, and login as an administrator account. Then go to Administration -> Identity Providers -> SAML2 -> Manage, and click Add New. For name you can enter anything you like, for Metadata URL enter: https://tower.example.com/sso/metadata/saml/ (where tower.example.com is your Tower server URL).
Now click Add, and you should be all set.
If this errors out, or the Ipsilon server cannot access the Tower server directly, just open this URL in your browser, and copy and paste the entire contents into the Metadata Text field.
Go to your Tower URL, log out (if you were logged in), and beneath the Password field you should have a text saying "Sign in with: (S)", where the S is a button. Click the button, and you should be forwarded to Ipsilon to login, and afterwards be redirected back to Tower, logged in!
Note that you might get a 403 "Permission Denied", but that's because the newly generated user doesn't have any permissions by default.
For that, please either login to the admin account and grant them, or check the Tower documentation on how to set up User to Organization mapping.