{"id":16224,"date":"2023-03-21T23:28:42","date_gmt":"2023-03-21T23:28:42","guid":{"rendered":"https:\/\/www.insentragroup.com\/us\/insights\/uncategorized\/integrating-azure-saml-with-ansible-automation-platform-for-attribute-based-access-control\/"},"modified":"2024-12-13T02:00:13","modified_gmt":"2024-12-13T02:00:13","slug":"integrating-azure-saml-with-ansible-automation-platform-for-attribute-based-access-control","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/integrating-azure-saml-with-ansible-automation-platform-for-attribute-based-access-control\/","title":{"rendered":"Integrating Azure SAML with Ansible Automation Platform for Attribute-Based Access Control"},"content":{"rendered":"\n<p>Associating SAML attributes with organizations and teams in <a href=\"https:\/\/www.insentragroup.com\/us\/services\/technology-partners\/\" target=\"_blank\" rel=\"noreferrer noopener\">Red Hat Ansible Automation Platform.<\/a>\u00a0<\/p>\n\n\n\n<p>SAML (Security Assertion Markup Language) is an open standard that lets an Identity Provider (IdP) pass authentication results and user attributes to a Service Provider (SP). On login, the IdP issues a signed XML document, the assertion, which the SP validates before reading the attributes that identify the user and describe their group memberships.\u00a0<\/p>\n\n\n\n<p>In Ansible Automation Platform (AAP), these attributes can be used to determine the organization and team of the user, and whether the user is a system administrator. 
To illustrate this, let&#8217;s consider an example where <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/active-directory\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Azure&#8217;s Active Directory<\/a> functions as the IdP, and Ansible Automation Platform serves as the SP.\u00a0<\/p>\n\n\n\n<p>The following procedure outlines all the required steps to enable SAML authentication on AAP:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to the Azure portal: https:\/\/portal.azure.com&nbsp;&nbsp;<\/li>\n\n\n\n<li>Log in with an account that has permission to create an Enterprise Application (the Azure AD SAML Toolkit gallery application is used here)&nbsp;<\/li>\n\n\n\n<li>In Search resources, type: Enterprise Applications<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"743\" height=\"370\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-15.png\" alt=\"\" class=\"wp-image-16225\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-15.png 743w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-15-300x149.png 300w\" sizes=\"(max-width: 743px) 100vw, 743px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click on New Application&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"744\" height=\"371\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-16.png\" alt=\"\" class=\"wp-image-16227\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-16.png 744w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-16-300x150.png 300w\" sizes=\"(max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the Browse Azure AD Gallery, type Toolkit and click on Azure AD SAML 
Toolkit<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"747\" height=\"442\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-17.png\" alt=\"\" class=\"wp-image-16229\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-17.png 747w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-17-300x178.png 300w\" sizes=\"(max-width: 747px) 100vw, 747px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify the name of the new application in a new window and click Create:&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"341\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-18.png\" alt=\"\" class=\"wp-image-16231\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-18.png 746w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-18-300x137.png 300w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can expect a view similar to the following:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"994\" height=\"419\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-19.png\" alt=\"\" class=\"wp-image-16233\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-19.png 994w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-19-300x126.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-19-768x324.png 768w\" sizes=\"(max-width: 994px) 100vw, 994px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click on Assign Users and 
groups&nbsp;<\/li>\n\n\n\n<li>Click on Add User\/Group and select all required groups, noting down the Object ID of each group. These IDs are the values AAP matches against in the team mapping and the superuser mapping later on&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Group<\/strong>&nbsp;<\/td><td><strong>Object ID<\/strong>&nbsp;<\/td><\/tr><tr><td>team-cloud-site-reliability-engineering-sandpit&nbsp;<\/td><td>411605cd-d9b0-40f3-b9c2-dbda5b2f2ede&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Once all the groups are selected, click Select and then Assign. You should see a result similar to the following. Also check under Properties that Assignment required? is set to Yes; otherwise any account in the tenant can authenticate to AAP and will land in whichever organizations the SAML Organization Map grants to all users:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"345\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-20.png\" alt=\"\" class=\"wp-image-16235\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-20.png 747w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-20-300x139.png 300w\" sizes=\"(max-width: 747px) 100vw, 747px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the left pane, click Single sign-on and select SAML:&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"995\" height=\"325\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-21.png\" alt=\"\" class=\"wp-image-16237\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-21.png 995w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-21-300x98.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-21-768x251.png 768w\" sizes=\"(max-width: 995px) 100vw, 995px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"438\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-22.png\" alt=\"\" class=\"wp-image-16239\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-22.png 1024w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-22-300x128.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-22-768x329.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Edit the Basic SAML Configuration and populate the fields as per the table below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Field<\/strong>&nbsp;<\/td><td><strong>Value<\/strong>&nbsp;<\/td><td><strong>Description<\/strong>&nbsp;<\/td><\/tr><tr><td>Identifier (Entity ID)&nbsp;<\/td><td>https:\/\/aap01.example.net&nbsp;<\/td><td>Unique identifier of the SP. Can be any URI, as long as the value entered here and the SAML Service Provider Entity ID configured on AAP are identical&nbsp;<\/td><\/tr><tr><td>Reply URL&nbsp;<\/td><td>https:\/\/aap01.example.net\/sso\/complete\/saml\/&nbsp;<\/td><td>Assertion Consumer Service (ACS) URL to which Azure posts the SAML response. See the note below&nbsp;<\/td><\/tr><tr><td>Sign on URL&nbsp;<\/td><td>https:\/\/aap01.example.net\/&nbsp;<\/td><td>URL of the AAP Controller&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Note: the <strong>Reply URL<\/strong> can be found in the AAP configuration. 
Click on Settings &#8211;&gt; SAML and find SAML Assertion Consumer Service URL:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"291\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-23.png\" alt=\"\" class=\"wp-image-16241\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-23.png 992w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-23-300x88.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-23-768x225.png 768w\" sizes=\"(max-width: 992px) 100vw, 992px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click on <strong>Edit <\/strong>in Attributes and Claims:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"836\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-24.png\" alt=\"\" class=\"wp-image-16243\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-24.png 992w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-24-300x253.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-24-768x647.png 768w\" sizes=\"(max-width: 992px) 100vw, 992px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add a group claim, choosing Group ID as the source attribute, and click Save. Azure emits it under the claim name http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groups, which the AAP team and user-flag mappings below refer to. Prefer scoping the claim to groups assigned to the application: Azure omits the groups claim from a SAML token entirely when the user belongs to more than 150 groups, so an unscoped claim can silently strip access from heavily-grouped users&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"458\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-25.png\" alt=\"\" class=\"wp-image-16245\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-25.png 997w, 
https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-25-300x138.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-25-768x353.png 768w\" sizes=\"(max-width: 997px) 100vw, 997px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The list of Claims will resemble the following:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"456\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-26.png\" alt=\"\" class=\"wp-image-16247\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-26.png 744w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-26-300x184.png 300w\" sizes=\"(max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download the <a href=\"https:\/\/adfshelp.microsoft.com\/MetadataExplorer\/GetFederationMetadata\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Federation Metadata XML<\/a> file and provide it to the team responsible for configuration of the AAP SAML&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"371\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-27.png\" alt=\"\" class=\"wp-image-16249\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-27.png 746w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-27-300x149.png 300w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Ansible Automation Platform Configuration<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to AAP and log in as admin&nbsp;<\/li>\n\n\n\n<li>Navigate to Settings \u2192 
SAML&nbsp;&nbsp;<\/li>\n\n\n\n<li>Scroll the page to the bottom and click Edit&nbsp;<\/li>\n\n\n\n<li>Scroll the page to the top and specify the SAML Service Provider Entity ID. It must be identical to the Identifier (Entity ID) entered in Azure (https:\/\/aap01.example.net in this example):<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"996\" height=\"206\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-28.png\" alt=\"\" class=\"wp-image-16251\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-28.png 996w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-28-300x62.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-28-768x159.png 768w\" sizes=\"(max-width: 996px) 100vw, 996px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify the SAML Service Provider Public Certificate. AAP publishes this certificate in its SP metadata and uses the matching private key (next step) when signing SAML messages, so the certificate should be issued by a CA rather than self-signed. If AAP runs as a cluster behind a load balancer, use the certificate issued for the Load Balancer FQDN. On a single node you can reuse the certificate already installed on AAP, found in \/etc\/tower\/tower.cert. Bear in mind that this shares one key pair between TLS and SAML signing; a dedicated key pair for SAML is the cleaner choice&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"745\" height=\"158\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-29.png\" alt=\"\" class=\"wp-image-16253\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-29.png 745w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-29-300x64.png 300w\" sizes=\"(max-width: 745px) 100vw, 745px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify the SAML Service Provider Private Key. 
Similarly to the above, this is the private key that matches the certificate: the Load Balancer key in a cluster configuration, or \/etc\/tower\/tower.key on a stand-alone node. Treat it as a secret: it must not be shared or committed to source control&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"745\" height=\"156\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-30.png\" alt=\"\" class=\"wp-image-16255\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-30.png 745w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-30-300x63.png 300w\" sizes=\"(max-width: 745px) 100vw, 745px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify SAML Service Provider Organisation Info. For example:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"en-US\": { \n\n    \"displayname\": \"Your Company\", \n\n    \"url\": \"https:\/\/aap01.example.net\", \n\n    \"name\": \"Your Company\" \n\n  } \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify SAML Service Provider Technical Contact. For example:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"emailAddress\": \"Your Email\", \n\n  \"givenName\": \"Your Name\" \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify SAML Service Provider Support Contact. For example:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"emailAddress\": \"Your Email\", \n\n  \"givenName\": \"Your Name\" \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define SAML Enabled Identity Providers. 
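<\/li>\n<\/ul>\n\n\n\n<p>As an added example that is not part of the original post, the following Python script (standard library only) shows how the values for this setting are read out of the Azure federation metadata file: the entityID, the HTTP-Redirect SingleSignOnService location and the assertion-signing certificate under IDPSSODescriptor, which is a different certificate from the one in the document-level Signature that signs the metadata itself. The metadata document, tenant ID and certificate blobs in it are constructed for the example; the claim URIs are the ones used in the configuration on this page. It also prints a SHA-1 thumbprint so the chosen certificate can be compared with the Thumbprint shown in the Azure SAML Signing Certificate panel.<\/p>\n\n\n\n
```python
'''Build the AAP SAML Enabled Identity Providers entry from Azure AD federation
metadata, picking the assertion-signing certificate (IDPSSODescriptor/KeyDescriptor)
rather than the metadata-signing certificate found in the document-level Signature.'''
import base64
import hashlib
import warnings
import xml.etree.ElementTree as ET

MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS = 'http://www.w3.org/2000/09/xmldsig#'
NS = {'md': MD, 'ds': DS}
REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Constructed sample (not real Azure output): the shape of a federation metadata
# document with a made-up tenant ID and two made-up certificate blobs. The blobs are
# plain base64 text, not X.509, so the thumbprint below is only a format check here.
TENANT = '00000000-0000-0000-0000-000000000000'
METADATA_CERT = base64.b64encode(b'constructed metadata signing cert').decode()
IDP_SIGNING_CERT = base64.b64encode(b'constructed assertion signing cert').decode()
SAMPLE_METADATA = f'''<EntityDescriptor xmlns='{MD}' entityID='https://sts.windows.net/{TENANT}/'>
  <Signature xmlns='{DS}'>
    <KeyInfo><X509Data><X509Certificate>{METADATA_CERT}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
    <KeyDescriptor use='signing'>
      <KeyInfo xmlns='{DS}'><X509Data><X509Certificate>
        {IDP_SIGNING_CERT}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding='{REDIRECT}' Location='https://login.microsoftonline.com/{TENANT}/saml2'/>
    <SingleSignOnService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://login.microsoftonline.com/{TENANT}/saml2'/>
  </IDPSSODescriptor>
</EntityDescriptor>'''


def signing_certs(idp):
    '''Certificates the IdP signs assertions with: KeyDescriptor elements whose use is
    signing, or unspecified (which means both signing and encryption).'''
    certs = []
    for kd in idp.findall('md:KeyDescriptor', NS):
        if kd.get('use', 'signing') != 'signing':
            continue
        for c in kd.findall('ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS):
            certs.append(''.join(c.text.split()))  # drop the base64 line wrapping
    return certs


def idp_settings_from_metadata(xml_text, name='azure'):
    '''Return the dict to paste into SAML Enabled Identity Providers under the given key.'''
    root = ET.fromstring(xml_text)
    if root.tag != '{' + MD + '}EntityDescriptor':
        raise ValueError('not a SAML EntityDescriptor')
    idp = root.find('md:IDPSSODescriptor', NS)
    if idp is None:
        raise ValueError('no IDPSSODescriptor: this is SP metadata, not IdP metadata')
    certs = signing_certs(idp)
    if not certs:
        raise ValueError('no signing certificate under IDPSSODescriptor')
    if len(certs) != 1:
        # Azure publishes two certificates during a rollover; AAP takes a single value.
        warnings.warn('several signing certs published; verify the active thumbprint')
    sso = {s.get('Binding'): s.get('Location') for s in idp.findall('md:SingleSignOnService', NS)}
    url = sso.get(REDIRECT) or next(iter(sso.values()), None)
    if url is None:
        raise ValueError('no SingleSignOnService endpoint')
    return {name: {
        'entity_id': root.get('entityID'),
        'url': url,
        'x509cert': certs[0],
        # Claim URIs as used in the configuration on this page.
        'attr_user_permanent_id': 'name_id',
        'attr_username': 'http://schemas.microsoft.com/identity/claims/displayname',
        'attr_first_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
        'attr_last_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
        'attr_email': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'attr_display_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname',
    }}


def thumbprint(cert_b64):
    '''SHA-1 over the DER bytes, upper-case hex: the Thumbprint the Azure portal shows
    in the SAML Signing Certificate panel, so the two can be compared by eye.'''
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


if __name__ == '__main__':
    import json
    settings = idp_settings_from_metadata(SAMPLE_METADATA)
    print(json.dumps(settings, indent=2))
    print('IdP signing cert thumbprint:', thumbprint(settings['azure']['x509cert']))
```
\n\n\n\n<p>Save the portal download as metadata.xml and call idp_settings_from_metadata(open('metadata.xml').read()) to get the block to paste into SAML Enabled Identity Providers. If Azure is mid-rollover and publishes two signing certificates, the script warns; pick the one whose thumbprint the portal marks as active.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>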
All the data is available in the Federation Metadata XML file the Azure team should provide&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"azure\": { \n\n    \"attr_first_name\": \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/givenname\", \n\n    \"attr_display_name\": \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/displayname\", \n\n    \"attr_email\": \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress\", \n\n    \"attr_last_name\": \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/surname\", \n\n    \"entity_id\": \"https:\/\/sts.windows.net\/c28b2d80-129e-4693-88bd-5f43e59072f9\/\", \n\n    \"url\": \"https:\/\/login.microsoftonline.com\/c28b2d80-129e-4693-88bd-5f43e59072f9\/saml2\", \n\n    \"x509cert\": \"MIIC8DCCAdigAwIBAgIQcGRe2t0tzqlJvySsQ2r6wjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzAyMjQwMjU3MTlaFw0yNjAyMjQwMjU3MTlaMDQxMjAwBgAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgb55FI2tt3UDUKR8yx3vqNmTRl9h+N3ekDzi9TWU7nMTRMzDjRQTJzDOjLXHfwYAnKxG454IHg9gB1P9Ng9ozAoxDpIQFrGSiUTSOUHwMFfAy6+p+Zz08oS2uQMa7qREwqqqb\/IOqOkCrHt3aQP+ELWchwsLoML0Y1K\/gR7gmNLLJM+1NJmJTHPnnF6tFeU8eyT+qbmbE+OI7xaQrkzvwZ7itsqgebMu94N6RYRJNm+3UT6D8FwRYe3vkmwGK9mfUejMd7cDHXx+2Uupg\/A8zEFGHkQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCRfwe1QtCXqacR6oWendMSWd7JYydhIEEP1E2FOqe39xM90A4cYBPg8Ri+dLV+hPwC9D4tE7orziP8acLw5Mh5l7UKwYFDH3IOAPKUjRQqhCd4mGwvsaboCyaUazh4mhdhZbZd60wySAx\/bTMwbY1wWV0g6OF4+PaZBUqu+3gZkOKqy3003FPTGgl6pHIU77V6ad9jvhNFzxUznpRLdwY+eXEL3rvvWwKIMJ3t9oZsd8lw3F77NwQJZrSdxWbYrMfaoZR39H2KHBut6pSYJKbJ\/JIuRtcf+UbC6pYW9jwHGQYb6VXPcXzrxox6lYh24Z83oPyRI2R9P8NMMI7w\", \n\n    \"attr_user_permanent_id\": \"name_id\", \n\n    \"attr_username\": \"http:\/\/schemas.microsoft.com\/identity\/claims\/displayname\" \n\n  } \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify the SAML Organization Map. 
For example. Note that \"users\": true makes every authenticated SAML user a member of that organization, so keep the admins list tight:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"Default\": { \n\n    \"users\": true \n\n  }, \n\n  \"Cloud\": { \n\n    \"users\": true, \n\n    \"admins\": &#91; \n\n      \"user@example.net\" \n\n    ] \n\n  } \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify SAML Organization Attribute Mapping. The saml_attr named here must match a claim that Azure actually emits; the Azure steps above do not add an organization claim, so add one in Attributes and Claims if you want the IdP, rather than the static map above, to drive organization membership&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"saml_attr\": \"organization\", \n\n  \"remove\": true \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify SAML Team Attribute Mapping. The team value is the Object ID of the Azure AD group noted earlier, team_alias is the name of the team that will be maintained in the given organization, and \"remove\": true takes users out of mapped teams whose group they no longer hold&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"team_org_map\": &#91; \n\n    { \n\n      \"team_alias\": \"Engineering\", \n\n      \"organization\": \"Cloud\", \n\n      \"team\": \"411605cd-d9b0-40f3-b9c2-dbda5b2f2ede\" \n\n    } \n\n  ], \n\n  \"saml_attr\": \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groups\", \n\n  \"remove\": true \n\n} <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click Save&nbsp;<\/li>\n\n\n\n<li>Log in to one of the AAP Controller nodes and execute the following command to download the SAML Service Provider Metadata; the saved file is what you will upload to Azure in the final step:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -O aap-sp-metadata.xml https:\/\/aap01.example.net\/sso\/metadata\/saml\/ <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration for System Administrators<\/h2>\n\n\n\n<p>The following configuration is required to make the members of a specific AD group System Administrators:&nbsp;<\/p>\n\n\n\n<p>In SAML Settings, add the following configuration to the SAML User Flags Attribute Mapping field, where \u2018is_superuser_value\u2019 is set to an Azure AD group Object ID. In this situation, we use the ID of the AD group team-cloud-superadmin. 
The \u2018is_superuser_attr\u2019 is set to the groups claim configured earlier in Azure (see the configuration above). Membership of this group grants full administrative rights on AAP, so review its membership as part of your regular access reviews.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \n\n  \"is_superuser_attr\": \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/groups\", \n\n  \"is_superuser_value\": &#91; \n\n    \"c3338f53-5be5-4d6c-9baa-b2b0c81282bc\" \n\n  ] \n\n} <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Azure SAML configuration &#8211; Finishing touches<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to the Azure portal and find the application created earlier (Ansible Automation Platform (AAP) SAML SSO)<\/li>\n\n\n\n<li>Click Upload metadata file&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"654\" height=\"85\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-31.png\" alt=\"\" class=\"wp-image-16257\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-31.png 654w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-31-300x39.png 300w\" sizes=\"(max-width: 654px) 100vw, 654px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Select the file and click Add. 
The metadata file populates the relevant fields (Identifier and Reply URL) needed to finalise the SAML configuration; check that they match the table above&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"196\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-32.png\" alt=\"\" class=\"wp-image-16259\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-32.png 747w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/04\/image-32-300x79.png 300w\" sizes=\"(max-width: 747px) 100vw, 747px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Test a login with a member of each mapped group, confirm the resulting organization, team and superuser status in AAP, and adjust the mappings to your requirements before rolling out&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>To conclude, by using the SAML protocol, Red Hat Ansible Automation Platform can be configured to accept authentication from Microsoft Azure Active Directory and to derive the organization, team and administrator status of the user from the group attributes carried in the assertion. By following the procedure outlined in this guide, you can enable SAML authentication on AAP and streamline the process for user management. 
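<\/p>\n\n\n\n<p>To make the mapping behaviour concrete, here is an added example (not code from the original post or from AAP) that dry-runs the SAML Team Attribute Mapping and SAML User Flags Attribute Mapping from this guide against a constructed set of assertion attributes, and checks that every group ID in the mappings is a well-formed object ID that is actually assigned to the enterprise application. The resolve_access function is a simplified model of how AAP applies these two settings on login, not AAP's code; the assertion attributes and the set of assigned groups are constructed for the example.<\/p>\n\n\n\n
```python
'''Dry-run the group-to-team and superuser mappings configured on this page against a
SAML assertion, and check that every group ID in the mappings is well-formed and is
actually assigned to the Azure enterprise application.'''
import re

GROUPS_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
# Azure AD object IDs are GUIDs; a mistyped or truncated one silently matches nothing.
GUID = re.compile('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')

# The two mappings from the page (SAML Team Attribute Mapping and SAML User Flags
# Attribute Mapping), with the team ID taken from the group table earlier on the page.
TEAM_ATTR = {
    'saml_attr': GROUPS_CLAIM,
    'remove': True,
    'team_org_map': [
        {'team': '411605cd-d9b0-40f3-b9c2-dbda5b2f2ede', 'organization': 'Cloud', 'team_alias': 'Engineering'},
    ],
}
USER_FLAGS_ATTR = {
    'is_superuser_attr': GROUPS_CLAIM,
    'is_superuser_value': ['c3338f53-5be5-4d6c-9baa-b2b0c81282bc'],
}


def check_group_ids(team_attr, user_flags, assigned_groups):
    '''Return a list of problems: IDs that are not GUIDs, and IDs that are not among the
    groups assigned to the enterprise application (the only groups Azure emits when the
    claim is scoped to groups assigned to the application).'''
    problems = []
    wanted = [(e['team'], 'team_org_map') for e in team_attr['team_org_map']]
    wanted += [(v, 'is_superuser_value') for v in user_flags.get('is_superuser_value', [])]
    for gid, where in wanted:
        if not GUID.match(gid):
            problems.append(f'{where}: {gid} is not a well-formed object ID')
        elif gid not in assigned_groups:
            problems.append(f'{where}: {gid} is not assigned to the application')
    return problems


def resolve_access(attributes, team_attr, user_flags, current_teams=()):
    '''Simplified model of how AAP applies these two settings on login (an illustration,
    not AAP code): a team_org_map entry grants (organization, team_alias or team) when
    its team value appears in the claim; with remove set, memberships the claim no
    longer supports are dropped; is_superuser is set when any listed value is present.'''
    groups = set(attributes.get(team_attr['saml_attr'], []))
    granted = set()
    for entry in team_attr['team_org_map']:
        if entry['team'] in groups:
            granted.add((entry['organization'], entry.get('team_alias') or entry['team']))
    removed = set(current_teams) - granted if team_attr.get('remove') else set()
    flag_values = set(attributes.get(user_flags['is_superuser_attr'], []))
    is_superuser = any(v in flag_values for v in user_flags['is_superuser_value'])
    return {'teams': sorted(granted), 'removed': sorted(removed), 'is_superuser': is_superuser}


if __name__ == '__main__':
    # Constructed assertion attributes: a member of the sandpit and superadmin groups.
    attrs = {GROUPS_CLAIM: ['411605cd-d9b0-40f3-b9c2-dbda5b2f2ede', 'c3338f53-5be5-4d6c-9baa-b2b0c81282bc']}
    print(resolve_access(attrs, TEAM_ATTR, USER_FLAGS_ATTR, current_teams=[('Cloud', 'Legacy')]))
    # Constructed: only the sandpit group is assigned to the app, the superadmin one is not.
    print(check_group_ids(TEAM_ATTR, USER_FLAGS_ATTR, {'411605cd-d9b0-40f3-b9c2-dbda5b2f2ede'}))
```
\n\n\n\n<p>The check would flag a truncated team ID such as 4116cd-d9b0-40f3-b9c2-bda5b2fede, which is not a valid object ID and therefore never matches any group in the assertion. In this model an absent groups claim removes all mapped team memberships; whether your AAP version behaves the same when Azure omits the claim, as it does in SAML tokens for users in more than 150 groups, is worth confirming with a pilot account before setting remove to true in production.<\/p>\n\n\n\n<p>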
Get started today by following the step-by-step instructions and experience the benefits of SAML authentication for your organization. If you need help, <a href=\"https:\/\/www.insentragroup.com\/us\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">contact us<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Related Articles<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/how-to-configure-ansible-automation-saml-sso-with-red-hat-sso\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to configure Ansible Automation SAML SSO with Red Hat SSO<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/how-to-guide-on-ansible-tower-backup-and-restore-on-azure\/\" target=\"_blank\" rel=\"noreferrer noopener\">How-to guide on Ansible Tower Backup and Restore on Azure<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/professional-services\/ansible-tower-in-google-cloud-platform\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ansible Tower in Google Cloud Platform<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/protecting-the-automation-engine-backup-for-ansible-awx-project\/\" target=\"_blank\" rel=\"noreferrer noopener\">Protecting the automation engine \u2013 Backup for Ansible AWX Project<\/a><\/p>\n\n\n\n<style>\nbody .wp-block-code>code {\n    font-family: Menlo,Consolas,monaco,monospace;\n    color: #000;\n    padding: 30px 40px;\n    border: none;\n    border-radius: 4px;\n    background: #ddd;\n}\nbody .blog-body ol li::marker {\n    font-weight: 600;\n}\n<\/style>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to enable attribute-based access control with Azure SAML and Ansible Automation Platform. 
Secure your infrastructure with ease.<\/p>\n","protected":false},"author":67,"featured_media":16261,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-16224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=16224"}],"version-history":[{"count":19,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16224\/revisions"}],"predecessor-version":[{"id":16263,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16224\/revisions\/16263"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/16261"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=16224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=16224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=16224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}