Two-Factor Authentication (2FA) is an additional layer of security that helps protect enterprise applications from unauthorized access. While OAuth, and even some LDAP configurations, are viable options to enable 2FA in Ansible Automation Platform, users prefer to leverage Security Assertion Markup Language (SAML) for this purpose, as described in Using two-factor SAML with Red Hat Ansible Tower. On the other hand, 2FA to managed machines is discouraged.
SAML is an open standard that allows Identity Providers (IdP) to exchange authorization credentials with a Service Provider (SP). The IdP supplies an XML document, known as an assertion, to the SP to deliver a series of attributes that identify the user logging in.
These attributes can be used in Ansible Automation Platform to determine the team and organization of a user. Let’s explore an example, with Microsoft Azure’s Active Directory as the IdP (and, of course, Ansible Automation Platform as the SP).
Attribute mapping
The goal of this example is to map users from four different groups (Alpha, Beta, Gamma and Delta) to either the Cloud or Network Organization in Ansible Tower, and make them part of a specific team (Engineering or Operations). Ansible Tower is the control plane for Ansible Automation Platform and includes a webUI and RESTful API.
This post will cover three areas:
- Azure Active Directory settings
- Ansible Tower settings
- User login example
Azure Active Directory settings
The IdP in this example is Azure’s Active Directory, where four test users are set up (Test 1, Test 2, Test 3 and Test 4) to validate the different team and organization combinations in Ansible Tower.
Each user is a member of a different group.
User groups in Azure’s AD
User Test 4 is a member of the group Delta, for example. We will use the Object Id of the group (`d80919f6-7...`) for mapping purposes later.
Delta group members in Azure’s AD
Enable users for SAML
These users need to be enabled to use SAML in Azure’s Active Directory. Go to Enterprise Application > Azure AD SAML Toolkit > Users and groups.
SAML enabled users in Azure’s AD
SAML attributes and claims
Next, the attributes that identify the user logging in should be defined. A number of them are included by default in Azure’s Active Directory. In the capture below, group and organization are the only two that were added manually.
User SAML attributes in Azure’s AD
Claim the Group ID as an attribute
The attribute group was added by clicking edit in User Attributes & Claims.
Adding a SAML attribute in Azure’s AD
The attribute “http://schemas.microsoft.com/.../claims/groups” is mapped to the Group ID of the group(s) the user is a member of (or Object Id as displayed in the groups table).
Adding the Group ID as a SAML attribute in Azure’s AD
The organization attribute is mapped to the department in Active Directory of the user.
Ansible Tower settings
With the IdP settings ready, it’s time to look at the SP, i.e. Ansible Tower. The SAML config can be found under Settings > Authentication, on the SAML tab.
SAML settings in Ansible Tower
The following SAML sections need to be configured.
Service provider organization info
These values identify the Ansible Tower instance that acts as the service provider.
{
  "en-US": {
    "displayname": "Tower",
    "name": "ansible",
    "url": "https://tower.nleiva.com"
  }
}
SAML Service Provider Organization Info in Ansible Tower
Enabled identity providers
The information for this section can be found in Azure’s Active Directory.
{
  "azure": {
    "attr_user_permanent_id": "name_id",
    "attr_first_name": "http://schemas.xmlsoap.org/.../claims/givenname",
    "x509cert": "MIIC8DCCAdigAwIBAgIQYWF6cR/QnINMGv5oFZKSYzAN.../a",
    "entity_id": "https://sts.windows.net/4821e3da-...9/",
    "attr_email": "http://schemas.xmlsoap.org/.../claims/emailaddress",
    "attr_username": "http://schemas.microsoft.com/.../claims/displayname",
    "attr_last_name": "http://schemas.xmlsoap.org/.../claims/surname",
    "url": "https://login.microsoftonline.com/4821e3da-...9/saml2"
  }
}
SAML Enabled Identity Providers in Ansible Tower
To complete the previous configuration, download the SAML Signing Certificate and copy the Login URL and Azure AD Identifier from the Azure AD SAML Toolkit section.
Azure AD SAML Toolkit section
Organization attribute mapping
Both users and teams can be members of an organization. We use the organization mapping attribute configuration to tell Ansible Tower what organization users belong to.
In this example, an attribute named organization, which in Azure’s Active Directory maps to user.department per our configuration, determines which organization the user is placed in within Ansible Tower.
{
  "saml_attr": "organization",
  "remove": true
}
SAML Organization Attribute Mapping
Team attribute mapping
In this section, a specific value of a SAML attribute determines the user’s team placement and the organization the team belongs to. The attribute to evaluate is defined with the key saml_attr, in this example “http://schemas.microsoft.com/.../claims/groups”.
As a result, user Test 4, who is a Delta group member in AD (group with Object Id = d80919f6-7...), maps to the team Operations in the Network organization.
{
  "remove": true,
  "team_org_map": [
    {
      "team": "cebdeb54-...",
      "organization": "Cloud",
      "team_alias": "Engineering"
    },
    {
      "team": "70960a1c-...",
      "organization": "Cloud",
      "team_alias": "Operations"
    },
    {
      "team": "23298faf-...",
      "organization": "Network",
      "team_alias": "Engineering"
    },
    {
      "team": "d80919f6-...",
      "organization": "Network",
      "team_alias": "Operations"
    }
  ],
  "saml_attr": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
}
SAML Team Attribute Mapping
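To make the effect of the organization and team mapping sections above concrete, here is an added example (not code from this post or from Ansible Tower) that resolves which organizations and teams a user would end up in, given the attribute values an assertion carries and the two mapping configs. The truncated group ids and the Test 4 attribute values are constructed placeholders; the claim URI is the one from the team mapping config.

```python
# Added example, not code from the post or from Ansible Tower: resolves the
# organizations and teams a login would yield from the two mapping configs.

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed copies of the post's configs; the truncated "..." group ids are
# placeholders standing in for the real Azure AD group Object Ids.
ORG_MAP = {"saml_attr": "organization", "remove": True}
TEAM_MAP = {
    "remove": True,
    "saml_attr": GROUPS_CLAIM,
    "team_org_map": [
        {"team": "cebdeb54-...", "organization": "Cloud", "team_alias": "Engineering"},
        {"team": "70960a1c-...", "organization": "Cloud", "team_alias": "Operations"},
        {"team": "23298faf-...", "organization": "Network", "team_alias": "Engineering"},
        {"team": "d80919f6-...", "organization": "Network", "team_alias": "Operations"},
    ],
}


def resolve_memberships(attrs, current_orgs=(), current_teams=(),
                        org_map=ORG_MAP, team_map=TEAM_MAP):
    """Compute (organizations, teams) for a user from SAML attribute values.

    attrs maps attribute names to lists of values, since an assertion can
    carry several values for one attribute (a user in several groups).
    Teams are (organization, team_alias) pairs. With "remove": true, any
    membership not backed by the assertion is dropped; with false, the
    user's current memberships are kept and only additions are made.
    Group ids that appear in no team_org_map entry yield no team.
    """
    orgs = set(attrs.get(org_map["saml_attr"], []))
    if not org_map["remove"]:
        orgs |= set(current_orgs)

    group_ids = set(attrs.get(team_map["saml_attr"], []))
    teams = {(e["organization"], e["team_alias"])
             for e in team_map["team_org_map"] if e["team"] in group_ids}
    if not team_map["remove"]:
        teams |= set(current_teams)
    return orgs, teams


# Constructed attribute values for the post's Test 4 user (Delta group, Network department)
TEST4_ATTRS = {"organization": ["Network"], GROUPS_CLAIM: ["d80919f6-..."]}

if __name__ == "__main__":
    print(resolve_memberships(TEST4_ATTRS))
```

Running it with TEST4_ATTRS yields the Network organization and the (Network, Operations) team, matching the post's result; a user whose group id has no team_org_map entry gets no team, which is how the "remove": true setting keeps stale memberships from surviving a group change.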
User login example
When logging in, the user needs to click on SIGN IN WITH (S) -> SAML.
Ansible Tower landing page
The user will be redirected to Azure for authentication.
Azure’s login page
We log in with Test 4 user credentials.
Azure’s login page
Two-factor authentication (2FA) will then kick in.
Azure 2FA
After approving this request with our mobile device, user Test 4 can access Ansible Tower. This user is now a member of the team Operations.
User Teams
This team is in the Network organization.
Team details
Optionally, the user can also be made a direct member of the Organization, independently of the team membership.
User Organizations
Conclusion
SAML provides a practical approach to integrate Azure Active Directory with Ansible Automation Platform, allowing us to take advantage of the user management capabilities AD offers.
If you'd like to dive deeper, take a look at:
- Ansible Tower RBAC and authentication links
- Using SAML with Ansible Tower (2017)
- Using two-factor SAML with Ansible Tower (2017)
- How to configure SAML authentication with Azure AD in Ansible Tower