
Okta Idp SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected). #1929

Open
3 tasks done
kspradheep opened this issue Jul 29, 2024 · 0 comments


kspradheep commented Jul 29, 2024

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.

Bug Summary

I have configured SAML within AWX through awx-operator and used below documentation as reference.
https://github.com/ansible/awx/blob/devel/docs/auth/saml.md
#1284 (comment)
https://medium.com/@sazipkin/setting-up-ansible-tower-with-okta-a132644be980
https://python-social-auth.readthedocs.io/en/latest/backends/saml.html#advanced-settings
https://groups.google.com/g/awx-project/c/rlnfNmX-YJE/m/PZQft_xIBQAJ

SAML workflow:

  1. The AWX (SP) login page shows an option to do SAML login
  2. AWX redirects to the Okta Single Sign-On URL
  3. After Okta login it goes back to the AWX login page again and SAML login never works. I verified the IdP x509 cert is valid in the SAML request

AWX Web container logs:
100.x.x.x - - [25/Jul/2024:01:40:27 +0000] "POST /api/login/ HTTP/1.1" 401 5973 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 5/10] 100.x.x.x () {80 vars in 1457 bytes} [Thu Jul 25 01:40:27 2024] POST /api/login/ => generated 5973 bytes in 229 msecs (HTTP/1.1 401) 10 headers in 470 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:40:51 +0000] "GET /sso/login/saml/?idp=okta HTTP/1.1" 302 0 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 22|app: 0|req: 4/11] 100.x.x.x () {76 vars in 1443 bytes} [Thu Jul 25 01:40:51 2024] GET /sso/login/saml/?idp=okta => generated 0 bytes in 207 msecs (HTTP/1.1 302) 12 headers in 1264 bytes (1 switches on core 0)
Signature validation failed. SAML Response rejected
2024-07-25 01:41:32,944 ERROR [f6819bcd33c84644add21d3d89e17e69] social Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected).
100.x.x.x - - [25/Jul/2024:01:41:32 +0000] "POST /sso/complete/saml/ HTTP/1.1" 302 0 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 8/14] 100.x.x.x () {80 vars in 1512 bytes} [Thu Jul 25 01:41:32 2024] POST /sso/complete/saml/ => generated 0 bytes in 82 msecs (HTTP/1.1 302) 10 headers in 461 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET /sso/error/ HTTP/1.1" 301 0 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 24|app: 0|req: 1/15] 100.x.x.x () {76 vars in 1463 bytes} [Thu Jul 25 01:41:33 2024] GET /sso/error/ => generated 0 bytes in 79 msecs (HTTP/1.1 301) 10 headers in 463 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET / HTTP/1.1" 200 1044 "https://companydomain.okta.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"
[pid: 20|app: 0|req: 9/16] 100.x.x.x () {74 vars in 1443 bytes} [Thu Jul 25 01:41:33 2024] GET / => generated 1044 bytes in 23 msecs (HTTP/1.1 200) 9 headers in 438 bytes (1 switches on core 0)
100.x.x.x - - [25/Jul/2024:01:41:33 +0000] "GET /api/ HTTP/1.1" 200 186 "https://awx.companydomain.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "10.x.x.x"

AWX Operator version

2.19.0

AWX version

24.6.0

Kubernetes platform

kubernetes

Kubernetes/Platform version

1.29

Modifications

no

Steps to reproduce

  1. Okta settings:
    Single Sign-On URL: https://awx.companydomain.net/sso/complete/saml/
    Audience URI (SP Entity ID): https://awx.companydomain.net
    Default RelayState: (Nothing is here)
    Name ID Format: Unspecified
    Application Username: Okta Username

Advanced Settings:
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
Single Logout: Not Enabled

Attribute Statements (with Name Format Unspecified):
FirstName
LastName
Email
UserName

Okta Attribute Values:
user.firstName
user.lastName
user.email
user.login

Group Attribute Statements (with Name Format Unspecified):
Groups

Okta Group Attribute Values:
.*

  1. AWX settings:
    extra_settings:

    • setting: TOWER_URL_BASE
      value: '"https://awx.companydomain.net"'
    • setting: SOCIAL_AUTH_SAML_SP_ENTITY_ID
      value: '"https://awx.companydomain.net"'
    • setting: SOCIAL_AUTH_SAML_ORG_INFO
      value: {
      "en-US": {
      "name": "Ansible AWX",
      "url": "https://awx.companydomain.net",
      "displayname": "Ansible AWX"
      }
      }
    • setting: SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
      value: '"-----BEGIN CERTIFICATE-----\nONELINECERT-----\nEND CERTIFICATE-----"'
    • setting: SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
      value: '"-----BEGIN PRIVATE KEY-----\nONELINECERT-----\nEND PRIVATE KEY-----"'
    • setting: SOCIAL_AUTH_SAML_TECHNICAL_CONTACT
      value: {
      "emailAddress": "it-devops@companydomain",
      "givenName": "okta user fName lName"
      }
    • setting: SOCIAL_AUTH_SAML_SUPPORT_CONTACT
      value: {
      "emailAddress": "it-devops@companydomain",
      "givenName": "okta user fName lName"
      }
    • setting: SOCIAL_AUTH_SAML_SECURITY_CONFIG
      value: {
      "requestedAuthnContext": false
      }
    • setting: SOCIAL_AUTH_SAML_SP_EXTRA
      value: {}
    • setting: SOCIAL_AUTH_SAML_EXTRA_DATA
      value: []
    • setting: SOCIAL_AUTH_SAML_ENABLED_IDPS
      value: {
      "okta": {
      "entity_id": "http://www.okta.com/",
      "url": "https://companydomain.okta.com/app///sso/saml",
      "x509cert": "ONELINECERT",
      "attr_first_name": "FirstName",
      "attr_last_name": "LastName",
      "attr_email": "Email",
      "attr_username": "UserName",
      "attr_user_permanent_id": "Email"
      }
      }
    • setting: SOCIAL_AUTH_SAML_ORGANIZATION_MAP
      value: {
      "Default": {
      "users": true
      }
      }
    • setting: SOCIAL_AUTH_SAML_TEAM_MAP
      value: {}
    • setting: SOCIAL_AUTH_SAML_ORGANIZATION_ATTR
      value: {}
    • setting: SOCIAL_AUTH_SAML_TEAM_ATTR
      value: {}
    • setting: SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR
      value: {}

    Note: Used awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' certfilename to output single line certificate

  2. Okta SAML login from AWX fails and redirects to AWX login page

Expected results

SAML login should work

Actual results

social Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected) and redirects to AWX login page

Additional information

No response

Operator Logs

No response
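The error in the logs above, "Signature validation failed. SAML Response rejected", is raised by the SP when the certificate it has been configured with cannot verify the XML signature on the Response or the Assertion, so the first thing to establish is whether the `x509cert` value in `SOCIAL_AUTH_SAML_ENABLED_IDPS` is actually the certificate Okta signed with, and whether the configured `entity_id` equals the Response `Issuer`. The following script is an added example, not part of this issue or of the AWX or python-social-auth code bases. It uses only the Python standard library: it normalises a certificate pasted in any of the forms seen in this report (PEM with headers, one line with literal `\n` escapes as produced by the awk one-liner, or bare base64), fingerprints it, and compares that against every `ds:X509Certificate` found in the signatures of a captured SAML Response. The certificate bytes, the Response XML and the issuer `http://www.okta.com/EXAMPLE_IDP_ID` are constructed placeholders, not values from this issue.

```python
"""Compare the IdP certificate configured for AWX's SAML backend with the
certificate(s) that actually signed a captured SAML Response.
Added diagnostic example; standard library only."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def normalize_cert(value):
    """Reduce a certificate pasted as PEM with headers, as a one-line string
    with literal '\\n' escapes, or as bare base64, to its bare base64 body."""
    body = value.replace("\\n", "\n")
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", body)
    return "".join(body.split())


def fingerprint(cert_value):
    """SHA-256 hex fingerprint of the DER certificate. Raises ValueError
    (binascii.Error) when the body is not valid base64, a common paste error."""
    der = base64.b64decode(normalize_cert(cert_value), validate=True)
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(saml_response_xml):
    """Fingerprints of every X509Certificate carried inside a ds:Signature,
    keyed by what that signature covers: the Response itself or an Assertion."""
    root = ET.fromstring(saml_response_xml)
    found = {"response": [], "assertion": []}
    for sig in root.findall(DS + "Signature"):  # direct child: signs the Response
        found["response"] += [fingerprint(c.text) for c in sig.iter(DS + "X509Certificate")]
    for assertion in root.findall(SAML + "Assertion"):
        for sig in assertion.findall(DS + "Signature"):  # signs that Assertion
            found["assertion"] += [fingerprint(c.text) for c in sig.iter(DS + "X509Certificate")]
    return found


def diagnose(configured_x509cert, configured_entity_id, saml_response_xml):
    """Return a list of findings; an empty list means the configured
    certificate and entity_id agree with the captured Response."""
    findings = []
    try:
        expected = fingerprint(configured_x509cert)
    except ValueError as exc:
        return ["configured x509cert is not valid base64 after normalisation: %s" % exc]
    signers = signing_fingerprints(saml_response_xml)
    seen = signers["response"] + signers["assertion"]
    if not seen:
        findings.append("Response carries no ds:Signature with an X509Certificate")
    elif expected not in seen:
        findings.append("configured IdP cert %s... matches none of the signing certs %s"
                        % (expected[:16], [s[:16] + "..." for s in seen]))
    root = ET.fromstring(saml_response_xml)
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    if issuer != configured_entity_id:
        findings.append("Response Issuer %r differs from configured entity_id %r"
                        % (issuer, configured_entity_id))
    return findings


# Constructed placeholders, not real certificates: only their fingerprints matter here.
IDP_CERT_B64 = base64.b64encode(b"constructed-placeholder-idp-signing-cert").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed-placeholder-stale-cert").decode()
# Constructed issuer / entity_id placeholder (Okta issuers look like http://www.okta.com/<id>).
IDP_ENTITY_ID = "http://www.okta.com/EXAMPLE_IDP_ID"

# Constructed, minimal SAML Response with a signed Response and a signed Assertion,
# mirroring the "Response: Signed, Assertion Signature: Signed" Okta settings above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>%s</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>%s</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % (IDP_ENTITY_ID, IDP_CERT_B64, IDP_ENTITY_ID, IDP_CERT_B64)

if __name__ == "__main__":
    # Same cert in the one-line PEM form the awk command produces: should pass.
    one_line_pem = "-----BEGIN CERTIFICATE-----\\n" + IDP_CERT_B64 + "\\n-----END CERTIFICATE-----"
    print("configured cert OK :", diagnose(one_line_pem, IDP_ENTITY_ID, SAMPLE_RESPONSE))
    # A stale or wrong cert: reproduces the mismatch behind "Signature validation failed".
    print("stale cert         :", diagnose(STALE_CERT_B64, IDP_ENTITY_ID, SAMPLE_RESPONSE))
```

To use it against a real deployment, save the base64 `SAMLResponse` form value from the browser's POST to `/sso/complete/saml/`, base64-decode it to XML, and pass that XML together with the `x509cert` and `entity_id` strings from the AWX setting; a mismatch finding means the SP is verifying against a different certificate than the one Okta currently signs with (for example an old one after a key rotation), while an issuer finding points at the `entity_id` rather than the certificate.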
