Set up Ansible Tower

Configuring Ansible Tower to authenticate with SAML2 enterprise authentication using Ipsilon.

This guide describes how to set up Ansible Tower to authenticate against Ipsilon as a SAML2 SP, with automatic account creation on login.

This guide has been tested with:

  • Enterprise Linux 7.2
  • IPA 4.2.0 (As shipped in EL7)
  • Ipsilon 1.0.0 (Tech Preview in EL7.2)
  • Ansible Tower Enterprise 2.4.3

but is known to work with other versions.


Configure Tower

Generate a new certificate and key to be used for the SAML SP side (for the Common Name of the certificate you can enter anything, as only the key part is used):

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

On the Tower server open /etc/tower/conf.d/, and set the following settings: You can enter anything here, but this will need to be unique across all SPs in Ipsilon:


Enter the contents of server.crt here:

-----END CERTIFICATE-----'''

Enter the contents of server.key here:

-----END RSA PRIVATE KEY-----'''

The last field to change has x509cert, which are the contents of /var/lib/ipsilon/idp/saml2/idp.pem on the Ipsilon server, and two urls to te Ipsilon instance. The attribute mapping, which are the attr_ values in this field, depend on the type of backend authentication provider you use, but these values work for IPA.

        'entity_id': '',
        'url': '',
        'x509cert': '''-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----''',
        'attr_user_permanent_id': 'name_id',
        'attr_first_name': 'givenname',
        'attr_last_name': 'surname',
        'attr_username': 'name_id',
        'attr_email': 'email',

After this, just "ansible-tower-service restart" and you're done for the Tower part of things.

Configure Ipsilon:

Go to your Ipsilon web management URL, and login as an administrator account. Then go to Administration -> Identity Providers -> SAML2 -> Manage, and click Add New. For name you can enter anything you like, for Metadata URL enter: (where is your Tower server URL).

Now click Add, and you should be all set.

If this errors out, or the Ipsilon server cannot access the Tower server directly, just open this URL in your browser, and copy and paste the entire contents into the Metadata Text field.

Try it out

Go to your Tower URL, log out (if you were logged in), and beneath the Password field you should have a text saying "Sign in with: (S)", where the S is a button. Click the button, and you should be forwarded to Ipsilon to login, and afterwards be redirected back to Tower, logged in!

Note that you might get a 403 "Permission Denied", but that's because the newly generated user doesn't have any permissions by default.

For that, please either login to the admin account and grant them, or check the Tower documentation on how to set up User to Organization mapping.