Chapter 4. Adding an identity broker to Ansible Automation Platform Central Authentication
Ansible Automation Platform Central Authentication supports both social and protocol-based providers. You can add an identity broker to central authentication to enable social authentication for your realm, allowing users to log in using an existing social network account, such as Google, Facebook, GitHub etc.
For a list of supported social networks and for more information to enable them, please see this section.
Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Ansible Automation Platform Central Authentication provides support for SAML v2.0 and OpenID Connect v1.0 protocols.
Procedure
- Log in to Ansible Automation Platform Central Authentication as an admin user.
- Under the Configure section on the side navigation bar, click .
- Using the dropdown menu labeled Add provider, select your identity provider to proceed to the identity provider configuration page.
The following table lists the available options for your identity provider configuration:
Configuration Option | Description |
---|---|
Alias | The alias is a unique identifier for an identity provider. It is used to reference an identity provider internally. Some protocols such as |
Enabled | Turns the provider on/off. |
Hide on Login Page | If enabled, this provider will not be shown as a login option on the login page. Clients can still request to use this provider by using the |
Account Linking Only | If enabled, this provider cannot be used to log in users and will not be shown as an option on the login page. Existing accounts can still be linked with this provider. |
Store Tokens | Whether or not to store the token received from the identity provider. |
Stored Tokens Readable | Whether or not users are allowed to retrieve the stored identity provider token. This also applies to the broker client-level role read token. |
Trust Email | Whether an email address provided by the identity provider will be trusted. If the realm requires email validation, users that log in from this IDP will not have to go through the email verification process. |
GUI Order | The order number that sorts how the available IDPs are listed on the login page. |
First Login Flow | Select an authentication flow that will be triggered for users that log in to central authentication through this IDP for the first time. |
Post Login Flow | Select an authentication flow that is triggered after the user finishes logging in with the external identity provider. |
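The options in the table map directly onto fields of the identity provider representation in the admin REST API that Central Authentication inherits from Red Hat Single Sign-On (Keycloak). The script below is an added example, not code from the original page or from the product. It assumes the API is reachable under `https://sso.example.com/auth` (placeholder hostname), that the admin user obtains a token from the master realm through the built-in `admin-cli` client, and that the realm is named `ansible-automation-platform` (placeholder). The `build_idp_representation` and `review_representation` helpers, and the off-by-default choices for the trust-widening options, are the editor's own.

```python
"""Build and submit an identity provider definition using the options from the
table above. Added example, not from the original page or the product docs.

Assumptions: Central Authentication exposes the Keycloak-style admin REST API
under BASE_URL (placeholder host), the admin user authenticates against the
master realm with the admin-cli client, and REALM is a placeholder realm name.
"""
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.com/auth"   # assumed, placeholder hostname
REALM = "ansible-automation-platform"       # assumed, placeholder realm name

_ALIAS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def build_idp_representation(alias, provider_id, *, enabled=True,
                             hide_on_login_page=False, link_only=False,
                             store_tokens=False, stored_tokens_readable=False,
                             trust_email=False, gui_order=None,
                             first_login_flow="first broker login",
                             post_login_flow=None, config=None):
    """Map the table's options onto Keycloak's IdentityProviderRepresentation.

    provider_id is the provider type ("saml", "oidc", "github", ...).
    Every option that widens trust defaults to off and must be enabled on purpose.
    """
    if not _ALIAS_RE.match(alias):
        raise ValueError("alias must be URL-safe: it is referenced internally and in URLs")
    if stored_tokens_readable and not store_tokens:
        raise ValueError("Stored Tokens Readable requires Store Tokens")
    rep = {
        "alias": alias,                                      # Alias
        "providerId": provider_id,
        "enabled": enabled,                                  # Enabled
        "linkOnly": link_only,                               # Account Linking Only
        "storeToken": store_tokens,                          # Store Tokens
        "addReadTokenRoleOnCreate": stored_tokens_readable,  # Stored Tokens Readable
        "trustEmail": trust_email,                           # Trust Email
        "firstBrokerLoginFlowAlias": first_login_flow,       # First Login Flow
        "config": dict(config or {}),                        # protocol-specific settings
    }
    if post_login_flow:
        rep["postBrokerLoginFlowAlias"] = post_login_flow    # Post Login Flow
    # Hide on Login Page and GUI Order are kept in the config map as strings.
    rep["config"]["hideOnLoginPage"] = "true" if hide_on_login_page else "false"
    if gui_order is not None:
        rep["config"]["guiOrder"] = str(gui_order)
    return rep


def review_representation(rep):
    """Return the trust-widening settings a reviewer should sign off on."""
    findings = []
    if rep["trustEmail"]:
        findings.append("trustEmail: realm email verification is skipped for this IdP")
    if rep["storeToken"]:
        findings.append("storeToken: IdP tokens are persisted server-side")
    if rep["addReadTokenRoleOnCreate"]:
        findings.append("addReadTokenRoleOnCreate: users can read their stored IdP token")
    if rep["enabled"] and not rep["linkOnly"] and rep["config"]["hideOnLoginPage"] == "true":
        findings.append("hideOnLoginPage: hidden, but clients can still request this IdP explicitly")
    return findings


def admin_token(username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{BASE_URL}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:   # network call, not exercised offline
        return json.load(resp)["access_token"]


def create_identity_provider(token, rep, realm=REALM):
    """POST the representation; the server answers 201 with a Location header."""
    req = urllib.request.Request(
        f"{BASE_URL}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(rep).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    github = build_idp_representation("github", "github", gui_order=1)
    corp = build_idp_representation("corp-saml", "saml", hide_on_login_page=True,
                                    trust_email=True)
    for rep in (github, corp):
        print(rep["alias"], review_representation(rep) or "no trust-widening settings")
    # token = admin_token("admin", "<password>")
    # print(create_identity_provider(token, corp))
```

Run `review_representation` over the definition before submitting it: an empty list means the provider keeps the conservative defaults, and each finding names the exact field that widens trust so it can be justified in the change record.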
4.1. Managing group permissions with Ansible Automation Platform Central Authentication
You can manage user access on the Ansible Automation Platform by assigning specific permissions to user groups. As users log in to the Ansible Automation Platform for the first time, their groups will appear in the user access page in automation hub, allowing you to assign user access and permissions to each group.
4.1.1. Assigning permissions to Groups
You can assign permissions to groups in automation hub that enable users to access specific features in the system.
Prerequisites
You are signed in as a hubadmin user.
Procedure
- Log in to your local automation hub.
- Navigate to Groups.
- Click on a group name.
- Click Edit.
- Click in the field for the permission type and select permissions that appear in the list.
- Click Save when finished assigning permissions.
The group can now access features in automation hub associated with their assigned permissions.
4.1.2. Automation Hub permissions
Permissions provide a defined set of actions each group performs on a given object. Determine the required level of access for your groups based on the following permissions:
Object | Permission | Description |
---|---|---|
namespace | Add namespace Upload to namespace Change namespace Delete namespace | Groups with these permissions can create a namespace, upload collections to it, change it, or delete it. |
collections | Modify Ansible repo content Delete collections | Groups with these permissions can move content between repositories using the Approval feature, certify or reject collections to move them from the staging repository to the published or rejected repository, and delete collections. |
users | View user Delete user Add user Change user | Groups with these permissions can manage user configuration and access in automation hub. |
groups | View group Delete group Add group Change group | Groups with these permissions can manage group configuration and access in automation hub. |
collection remotes | Change collection remote View collection remote | Groups with these permissions can configure a remote repository by navigating to |
containers | Change container namespace permissions Change containers Change image tags Create new containers Push to existing containers Delete container repository | Groups with these permissions can manage container repositories in automation hub. |
remote registries | Add remote registry Change remote registry Delete remote registry | Groups with these permissions can add, change, or delete remote registries added to automation hub. |
task management | Change task Delete task View all tasks | Groups with these permissions can manage tasks added to Task Management in automation hub. |