From 1ca034b0a72cc8a365cbcc48a9ab38a3df203d7d Mon Sep 17 00:00:00 2001 From: jessicamack Date: Wed, 2 Oct 2024 12:47:08 -0400 Subject: Remove SAML authentication (#15568) * remove saml * remove license file and management command * update requirements, add migrations * remove unused imports --- docs/auth/README.md | 3 +- docs/auth/saml.md | 146 ---------------------------------------------------- 2 files changed, 1 insertion(+), 148 deletions(-) delete mode 100644 docs/auth/saml.md (limited to 'docs') diff --git a/docs/auth/README.md b/docs/auth/README.md index eaec48265c..fde844e6e6 100644 --- a/docs/auth/README.md +++ b/docs/auth/README.md @@ -3,8 +3,7 @@ This folder describes third-party authentications supported by AWX. These authen When a user wants to log into AWX, she can explicitly choose some of the supported authentications to log in instead of AWX's own authentication using username and password. Here is a list of such authentications: * OIDC (OpenID Connect) -On the other hand, the other authentication methods use the same types of login info (username and password), but authenticate using external auth systems rather than AWX's own database. If some of these methods are enabled, AWX will try authenticating using the enabled methods *before AWX's own authentication method*. The order of precedence is: -* SAML +On the other hand, the other authentication methods use the same types of login info (username and password), but authenticate using external auth systems rather than AWX's own database. If some of these methods are enabled, AWX will try authenticating using the enabled methods *before AWX's own authentication method*. ## Notes: * Enterprise users can only be created via the first successful login attempt from remote authentication backend. diff --git a/docs/auth/saml.md b/docs/auth/saml.md deleted file mode 100644 index 8b9425027c..0000000000 --- a/docs/auth/saml.md +++ /dev/null @@ -1,146 +0,0 @@ -# SAML -Security Assertion Markup Language, or SAML, is an open standard for exchanging authentication and/or authorization data between an identity provider (*i.e.*, LDAP) and a service provider (*i.e.*, AWX). More concretely, AWX can be configured to talk with SAML in order to authenticate (create/login/logout) users of AWX. User Team and Organization membership can be embedded in the SAML response to AWX. - - -# Configure SAML Authentication -Please see the [AWX documentation](https://ansible.readthedocs.io/projects/awx/en/latest/administration/ent_auth.html#saml-settings) for basic SAML configuration. Note that AWX's SAML implementation relies on `python-social-auth` which uses `python-saml`. AWX exposes three fields which are directly passed to the lower libraries: -* `SOCIAL_AUTH_SAML_SP_EXTRA` is passed to the `python-saml` library configuration's `sp` setting. -* `SOCIAL_AUTH_SAML_SECURITY_CONFIG` is passed to the `python-saml` library configuration's `security` setting. -* `SOCIAL_AUTH_SAML_EXTRA_DATA` - -See https://python-social-auth.readthedocs.io/en/latest/backends/saml.html#advanced-settings for more information. - - -# Configure SAML for Team and Organization Membership -AWX can be configured to look for particular attributes that contain AWX Team and Organization membership to associate with users when they log in to AWX. The attribute names are defined in AWX settings. Specifically, the authentication settings tab and SAML sub category fields *SAML Team Attribute Mapping* and *SAML Organization Attribute Mapping*. The meaning and usefulness of these settings is best communicated through example. - -### Example SAML Organization Attribute Mapping - -Below is an example SAML attribute that embeds user organization membership in the attribute *member-of*. -``` - - - Engineering - IT - HR - Sales - - - IT - HR - - -``` -Below, the corresponding AWX configuration: -``` -{ - "saml_attr": "member-of", - "saml_admin_attr": "administrator-of", - "remove": true, - 'remove_admins': true -} -``` -**saml_attr:** The SAML attribute name where the organization array can be found. - -**remove:** Set this to `true` to remove a user from all organizations before adding the user to the list of Organizations. Set it to `false` to keep the user in whatever Organization(s) they are in while adding the user to the Organization(s) in the SAML attribute. - -**saml_admin_attr:** The SAML attribute name where the organization administrators' array can be found. - -**remove_admins:** Set this to `true` to remove a user from all organizations that they are administrators of before adding the user to the list of Organizations admins. Set it to `false` to keep the user in whatever Organization(s) they are in as admin while adding the user as an Organization administrator in the SAML attribute. - -### Example SAML Team Attribute Mapping -Below is another example of a SAML attribute that contains a Team membership in a list: -``` - - - member - staff - - -``` - -``` -{ - "saml_attr": "eduPersonAffiliation", - "remove": true, - "team_org_map": [ - { - "team": "member", - "organization": "Default1" - }, - { - "team": "staff", - "organization": "Default2" - } - ] -} -``` -**saml_attr:** The SAML attribute name where the team array can be found. - -**remove:** Set this to `true` to remove user from all Teams before adding the user to the list of Teams. Set this to `false` to keep the user in whatever Team(s) they are in while adding the user to the Team(s) in the SAML attribute. - -**team_org_map:** An array of dictionaries of the form `{ "team": "", "organization": "" }` which defines mapping from AWX Team -> AWX Organization. This is needed because the same named Team can exist in multiple Organizations in Tower. The organization to which a team listed in a SAML attribute belongs to would be ambiguous without this mapping. - - -### Example SAML User Flags Attribute Mapping -SAML User flags can be set for users with global "System Administrator" (superuser) or "System Auditor" (system_auditor) permissions. - -Below is an example of a SAML attribute that contains admin attributes: -``` - - - Auditor - - - IT-Superadmin - - -``` - -These properties can be defined either by a role or an attribute with the following configuration options: -``` -{ - "is_superuser_role": ["awx_admins"], - "is_superuser_attr": "is_superuser", - "is_superuser_value": ["IT-Superadmin"], - "is_system_auditor_role": ["awx_auditors"], - "is_system_auditor_attr": "is_system_auditor", - "is_system_auditor_value": ["Auditor"] -} -``` - -**is_superuser_role:** Specifies a SAML role which will grant a user the superuser flag. - -**is_superuser_attr:** Specifies a SAML attribute which will grant a user the superuser flag. - -**is_superuser_value:** Specifies a specific value required for ``is_superuser_attr`` that is required for the user to be a superuser. - -**is_system_auditor_role:** Specifies a SAML role which will grant a user the system auditor flag. - -**is_system_auditor_attr:** Specifies a SAML attribute which will grant a user the system auditor flag. - -**is_system_auditor_value:** Specifies a specific value required for ``is_system_auditor_attr`` that is required for the user to be a system auditor. - - -If `role` and `attr` are both specified for either superuser or system_auditor the settings for `attr` will take precedence over a `role`. The following table describes how the logic works. -| Has Role | Has Attr | Has Attr Value | Is Flagged | -|----------|----------|----------------|------------| -| No | No | N/A | No | -| Yes | No | N/A | Yes | -| No | Yes | Yes | Yes | -| No | Yes | No | No | -| No | Yes | Unset | Yes | -| Yes | Yes | Yes | Yes | -| Yes | Yes | No | No | -| Yes | Yes | Unset | Yes | - - -### SAML Debugging -You can enable logging messages for the SAML adapter the same way you can enable logging for LDAP. On the logging settings page change the log level to `Debug`. -- cgit v1.2.3