Tip

Check out the repository on GitHub

Check out the demo at: demo.webui.ansibleguy.net | Login: User demo, Password Ansible1337

Warning

DISCLAIMER: This is an unofficial community project! Do not confuse it with the vanilla Ansible product!

Warning

This project is still in early development! DO NOT USE IN PRODUCTION!

Authentication

If your primary authentication method is not working for some reason, you can log in to the application with a local user at: /a/login/fallback

SAML SSO

Tested config examples: Google Workspace

This app integrates the grafana/django-saml2-auth module (which indirectly uses pysaml2).

If you have trouble getting SAML to work, check out Usage - Troubleshooting - SAML


Setup

  1. Add the SAML config-block to your config-file. See: Usage - Config - File

For options see: Module settings

Example:

HOSTNAMES: '<YOUR-DOMAIN>'
AUTH: 'saml'
SAML:
    METADATA_AUTO_CONF_URL: 'https://<YOUR-IDP>/metadata'
    # METADATA_LOCAL_FILE_PATH: '/etc/ansible-webui/saml-metadata.txt'

    # replace with your scheme, domain and port!
    ASSERTION_URL: 'http://localhost:8000'
    ENTITY_ID: 'http://localhost:8000/a/saml/acs/'
    DEFAULT_NEXT_URL: 'http://localhost:8000/'

    CREATE_USER: true
    NEW_USER_PROFILE:
        USER_GROUPS: []  # The default group name when a new user logs in
        ACTIVE_STATUS: true
        STAFF_STATUS: true  # allow user to view 'System - Admin' page
        SUPERUSER_STATUS: false  # full system admin privileges

    ATTRIBUTES_MAP:  # email or username and token are required!
        # mapping: django => IDP
        email: 'email'
        username: 'email'
        token: 'id'
        # optional:
        first_name: 'firstName'
        last_name: 'lastName'
        groups: 'Groups'  # Optional

    DEBUG: false  # DO NOT PERMANENTLY ENABLE!

    GROUPS_MAP:  # map IDP groups to django groups
        'IDP GROUP': 'AW Job Managers'

    # NAME_ID_FORMAT: 'user.email'
    # KEY_FILE: '/etc/ansible-webui/saml.key'
    # CERT_FILE: '/etc/ansible-webui/saml.crt'
  2. SSO identity provider settings:

ACS URL: http://localhost:8000/a/saml/acs/

Entity ID/Audience URL: http://localhost:8000/a/saml/acs/

Note: Replace http://localhost:8000 with your scheme, domain and port

  3. For non-Docker setups: Install the xmlsec package that is used internally (see: details)

You should now be able to see [INFO] [main] Using Auth-Mode: saml logged on startup.
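A pre-deployment check for the SAML block from step 1, as an added example that is not part of the project's code. It takes the config file already parsed into a dict; the function name `audit_saml_config`, the example.org hostnames and the rule that a metadata source must be present and fetched over https are assumptions made for this example.

```python
from urllib.parse import urlsplit

ACS_PATH = "/a/saml/acs/"  # ACS path from the IdP settings step on this page
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_saml_config(cfg: dict) -> list:
    """Return findings for an already-parsed config mapping (empty = clean)."""
    if cfg.get("AUTH") != "saml":
        return ["AUTH is not 'saml': the SAML block is not in use"]
    saml, out = cfg.get("SAML") or {}, []
    base = str(saml.get("ASSERTION_URL", "")).rstrip("/")
    url = urlsplit(base)
    if url.scheme not in ("http", "https") or not url.hostname:
        out.append("ASSERTION_URL must be scheme://domain[:port]")
    elif url.scheme == "http" and url.hostname not in LOOPBACK:
        out.append("ASSERTION_URL is plain http on a non-loopback host")
    if saml.get("ENTITY_ID") != base + ACS_PATH:
        out.append("ENTITY_ID does not equal ASSERTION_URL + " + ACS_PATH)
    if not str(saml.get("DEFAULT_NEXT_URL", "")).startswith(base + "/"):
        out.append("DEFAULT_NEXT_URL does not start with ASSERTION_URL")
    meta_url = saml.get("METADATA_AUTO_CONF_URL")
    if not (meta_url or saml.get("METADATA_LOCAL_FILE_PATH")):
        out.append("no IdP metadata source configured")
    elif meta_url and urlsplit(meta_url).scheme != "https":
        out.append("METADATA_AUTO_CONF_URL is not https")
    amap = saml.get("ATTRIBUTES_MAP") or {}
    if not amap.get("token") or not (amap.get("email") or amap.get("username")):
        out.append("ATTRIBUTES_MAP needs token plus email or username")
    profile = saml.get("NEW_USER_PROFILE") or {}
    if saml.get("CREATE_USER") and profile.get("SUPERUSER_STATUS"):
        out.append("auto-created users get SUPERUSER_STATUS")
    if saml.get("DEBUG"):
        out.append("DEBUG is enabled")
    return out

# Constructed sample: the page's example with placeholder hostnames filled in.
GOOD = {"AUTH": "saml", "SAML": {
    "METADATA_AUTO_CONF_URL": "https://idp.example.org/metadata",
    "ASSERTION_URL": "https://aw.example.org",
    "ENTITY_ID": "https://aw.example.org/a/saml/acs/",
    "DEFAULT_NEXT_URL": "https://aw.example.org/", "CREATE_USER": True,
    "NEW_USER_PROFILE": {"STAFF_STATUS": True, "SUPERUSER_STATUS": False},
    "ATTRIBUTES_MAP": {"email": "email", "username": "email", "token": "id"}}}
# Constructed sample: same file with http left in place and debug/superuser on.
RISKY = {"AUTH": "saml", "SAML": {**GOOD["SAML"], "DEBUG": True,
    "ASSERTION_URL": "http://aw.example.org",
    "NEW_USER_PROFILE": {"SUPERUSER_STATUS": True}}}
if __name__ == "__main__":
    print(audit_saml_config(GOOD), audit_saml_config(RISKY), sep="\n")
```

The page's own `http://localhost:8000` values pass the scheme check because the host is loopback; any other host over plain http is reported.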


Docker

Example:

# save all needed SAML files to /etc/ansible-webui/ on your host system
sudo docker run -d --name ansible-webui --publish 127.0.0.1:8000:8000 --env AW_CONFIG=/etc/aw/config.yml --volume /etc/ansible-webui/:/etc/aw/ ansible0guy/webui:latest