Configure Ansible Tower SAML auth using Red Hat SSO (Keycloak)

Leverage Red Hat SSO (Keycloak) as an authentication provider for Ansibler Tower (AWX)

JR Morgan

4 minute read

Overview

While there is a great write-up on configuring SAML auth for Ansible Tower pubished on the Red Hat Ansible Blog, it’s pretty dated and there are better ways to work with certificate

Deploy Red Hat SSO

If you don’t already have a production instance of Red Hat SSO (RHSSO) available, you can quickly stand-up a test instance using the official, Red Hat-provided image. Log-in first, and then pull down a the latest SSO 7.4 image. While this is typically deployed atop OpenShift via application template, we’re going to run it with docker/podman.

## Use your valid RHN credentials to authenticate against the registry
docker login registry.redhat.io
docker pull registry.redhat.io/rh-sso-7/sso74-openshift-rhel8

Now spin-up a container using that image and specify a few environment variables to initialize this non-production instance of RHSSO. When possible use :

docker run --detach \
    -e VIRTUAL_HOST=sso.int.shifti.us \
    -e VIRTUAL_PROTO=http \
    -e VIRTUAL_PORT=8080 \
    -e SSO_HOSTNAME=sso.int.shifti.us \
    -e SSO_ADMIN_USERNAME=admin \
    -e SSO_ADMIN_PASSWORD=admin \
    --hostname sso.int.shifti.us \
    --publish 8080:8080 \
    --name rhsso \
    --restart always \
    registry.redhat.io/rh-sso-7/sso74-openshift-rhel8

You likely won’t need any of the VIRTUAL_ environment variable parameters unless you’re also using jwilder/nginx-proxy. The SSO_ environment variables configure the initial admin username/password and SSO hostname. You should not use this for production as there is no storage persistence with the above config – all of your configured realms, settings, etc. will be reset to default when the container restarts.

While you can use a Keycloak image, and the configuration is nearly identical, just note environment variable parameters will be different.

Configure Red Hat SSO

Now we need to configure a realm and client that will be used by Ansible Tower.

  1. Login to the Red Hat SSO admin dashboard (U: admin/P: admin) by accessing: https://sso.int.shifti.us/auth/admin – note that you may need to append port TCP8080 if you’re not using a reverse proxy
  2. You’ll land in the Master realm by default. > a. Click the Master realm name, then click the “Add Realm” buttom from the dropdown menu > b. Type your new realm name (e.g. “Tower”) and click the “Create” button
  3. Once created, you’ll land in the Tower realm
  4. Navigate to “Client Scopes” and click the “Create” button

This is where we break from examples described elsewhere. Mappers, which are used to transform or map information between the client application and auth server, can be applied to individual client apps or multiple client apps ( via “Client Scopes”). By configuring the mappers using “Client Scopes,” we can later add other Ansible Tower deployments as realm “Clients” without manually configuring mappings.

  1. Name the new “Client Scope” (e.g. “Tower”). Click the “Mappers” tab and create the necessary mappers for user properties (e.g. user_name, email, first_name, last_name) and attributes (e.g. user_permanent_id).
  2. Modify the existing “Client Scope” named role_list. Click the “Mappers” tab and choose “role list”. Ensure “Single Role Attribute” is set to ON or you may encounter a “Duplicate Attrribute” error
  3. Grab the SAML Service Provider Metadata URL from your Ansible Tower (e.g. https://control.int.shifti.us/sso/metadata/saml/) and save to a local file:
curl -k -L https://control.int.shifti.us/sso/metadata/saml/ > client-import.xml
  1. Create a new “Client” in your realm by uploading the client-import.xml file retrieved in the previous step
  2. Toggle the appropriate settings
  3. Click the “SAML Keys” tab and click the Generate new keys button – this will generate the missing private key
  4. Export the generated keys, selecting PKCS12 for the archive format and inputting a key password and store password of your choosing
  5. Convert and decrypt the exported keystore.p12:
# Pull out the public certs and private, encrypted key
openssl pkcs12 -in keystore.p12 -out keystore.txt

# Decrypt the private key
openssl rsa -in keystore.txt -out keystore.unencrypted
  1. Use the decrypted private key in keystore.unencrypted and the last public certificate listed in keystore.txt, which corresponds to the certificate used by the client’s parent realm

Note that you’ll also be using a single-line formatted version of the last public certificate listed in keystore.txt, too. This can be easily retrieved from the “Keys” page under “Realm Settings” by clicking the “Certificate” button associated with algorithm “RS256”. You could also execute this sed command and use the contents within the last BEGIN CERTIFICATE and END CERTIFICATE block:

sed ':a;N;$!ba;s/\n//g' < keystore.txt
  1. Create sample users within the realm you’ve configured with the Ansible Tower client. One of these users will be mapped as an “Organization Admin” in the next section

Configure Red Hat Ansible Tower

  1. SAML Service Provider Organization Info
{
"en-US": {
"name": "RHSSO",
"url": "https://sso.int.shifti.us",
"displayname": "RHSSO"
}
}
  1. SAML Service Provider Technical Contact
{
"emailAddress": "iamnobodi@shifti.us",
"givenName": "JR Morgan"
}
  1. SAML Service Provider Support Contact
{
"emailAddress": "iamnobodi@shifti.us",
"givenName": "JR Morgan"
}
  1. SAML Enabled Identity Providers
{
"RHSSO": {
"attr_email": "email",
"entity_id": "https://sso.int.shifti.us/auth/realms/Tower",
"x509cert": "${CERT_CONTENT}",
"attr_username": "username",
"attr_last_name": "last_name",
"attr_user_permanent_id": "name_id",
"attr_groups": "groups",
"url": "https://sso.int.shifti.us/auth/realms/Tower/protocol/saml",
"attr_first_name": "first_name"
}
}
  1. SAML Organization Map
{
"GXR": {
"users": true,
"remove_users": false,
"admins": [
 "jrmorgan@redhat.com",
 "testuser@redhat.com"
],
"remove_admins": false
}
}
comments powered by Disqus