Using two-factor SAML with Ansible Tower

December 19, 2017 by Chris Meyers

In a previous post, I explained how Red Hat Ansible Tower works with SAML. A little known fact about Ansible Tower is that it supports two-factor SAML. More precisely, Ansible Tower can be configured so that it no longer prevents the idp from using two-factor. Ansible Tower relies heavily on django-social-auth, which comes with a SAML backend that in turn relies heavily on python-saml. python-saml has a default setting, requestedAuthnContext, which, put simply, asks the idp to authenticate the user with a password. To reiterate: by default, Ansible Tower asks that the user be authenticated by a password, and the idp is not given the choice to authenticate the user by two-factor.

In order to let the IDP choose two-factor, we need to stop asking it to authenticate using a password. More specifically, we need to leave out the samlp:RequestedAuthnContext directive entirely. Ansible Tower shouldn't be making presumptions about the IDP's authentication methods on the other side. Maybe the IDP supports calling the employee on the phone to authenticate. This is a decision that should be made by the IDP.

Let’s see how we make this happen. Create the file /etc/tower/conf.d/saml.py with the following content:


# Tower settings files under /etc/tower/conf.d/ are Python, so this is an assignment
SOCIAL_AUTH_SAML_SECURITY_CONFIG = {
    # Omit samlp:RequestedAuthnContext from the AuthnRequest so the idp picks the method
    "requestedAuthnContext": False,
}

Then issue ansible-tower-service restart. That’s it. But how can you verify things are working as expected? I’ll tell you...

Go to your Ansible Tower or AWX login screen and click the "sign in with SAML (idp)" button.

You will then be redirected to your configured SAML idp. I have OneLogin configured for this blog post. Your SAML DevTools tab should now show the AuthnRequest that your browser sent to the idp. Note the samlp:RequestedAuthnContext directive. Its presence indicates that requestedAuthnContext is still at its default, True.

Once requestedAuthnContext is set to False (as described earlier in this post), samlp:RequestedAuthnContext should no longer appear in this payload.

With requestedAuthnContext set to False, Ansible Tower will not request that the user be authenticated using a password, and the idp is free to choose whatever authentication method (e.g. two-factor) it wants to.
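To check the captured request without eyeballing the XML, here is an added example (not from this post, Ansible Tower or python-saml): it decodes a SAMLRequest parameter the way the HTTP-Redirect binding encodes it and reports whether samlp:RequestedAuthnContext is present. The two sample AuthnRequests, the tower.example.com and idp.example.com URLs and the request ID are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_binding(saml_request_param: str) -> str:
    """Decode a SAMLRequest query parameter: base64 over a raw DEFLATE stream."""
    raw = base64.b64decode(saml_request_param)
    # wbits=-15 selects a raw DEFLATE stream (no zlib header), as the Redirect binding uses
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(authn_request_xml: str) -> str:
    """Inverse of decode_redirect_binding, used here to build realistic test input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(authn_request_xml.encode()) + c.flush()).decode()


def requested_authn_context(authn_request_xml: str):
    """Return the AuthnContextClassRef values inside samlp:RequestedAuthnContext,
    or None when the directive is absent (the idp is free to choose the method)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    return [ref.text.strip() for ref in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]


def idp_may_choose_method(saml_request_param: str) -> bool:
    """True when the SP did not constrain the authentication method."""
    return requested_authn_context(decode_redirect_binding(saml_request_param)) is None


# Constructed sample requests (not captured from a real Tower instance).
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_example_id" '
         'Version="2.0" IssueInstant="2017-12-19T00:00:00Z" '
         'Destination="https://idp.example.com/sso">'
         '<saml:Issuer>https://tower.example.com/sso/metadata/saml/</saml:Issuer>') % (SAMLP, SAML)
# What the default (requestedAuthnContext True) produces: a password-class request
DEFAULT_REQUEST = _HEAD + (
    '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>')
# What requestedAuthnContext False produces: no directive at all
FIXED_REQUEST = _HEAD + '</samlp:AuthnRequest>'
```

Paste the SAMLRequest value shown by SAML DevTools into idp_may_choose_method; it returns False while the password directive is still being sent.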

Note: In a future release of Ansible Tower (>= 3.3.0) requestedAuthnContext will default to False, effectively allowing two-factor to work out of the box.


Chris Meyers

Chris is a Senior Software Engineer, Ansible, contributing Red Hat Ansible Tower backend APIs. Before Ansible, Chris worked on projects like a mobile food ordering system for stadium concessions and a remote control cat video laser device. To learn more about those you can follow him on Twitter at @oldmanmeyers85.
