Chapter 4. Adding an identity broker to Ansible Automation Platform Central Authentication

Ansible Automation Platform Central Authentication supports both social and protocol-based providers. You can add an identity broker to central authentication to enable social authentication for your realm, allowing users to log in with an existing social network account, such as Google, Facebook, or GitHub.

Note

For a list of supported social networks and for information on how to enable them, see this section.

Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Ansible Automation Platform Central Authentication provides support for SAML v2.0 and OpenID Connect v1.0 protocols.

Procedure

  1. Log in to Ansible Automation Platform Central Authentication as an admin user.
  2. Under the Configure section on the side navigation bar, click Identity Providers.
  3. From the Add provider list, select your identity provider to proceed to the identity provider configuration page.

The following table lists the available options for your identity provider configuration:

Table 4.1. Identity Broker Configuration Options (each Configuration Option is followed by its Description)

Alias
    The alias is a unique identifier for an identity provider. It is used to reference an identity provider internally. Some protocols, such as OpenID Connect, require a redirect URI or callback URL in order to communicate with an identity provider. In this case, the alias is used to build the redirect URL.

Enabled
    Turns the provider on or off.

Hide on Login Page
    If enabled, this provider is not shown as a login option on the login page. Clients can still request to use this provider by using the kc_idp_hint parameter in the URL they use to request a login.

Account Linking Only
    If enabled, this provider cannot be used to log in users and is not shown as an option on the login page. Existing accounts can still be linked with this provider.

Store Tokens
    Whether or not to store the token received from the identity provider.

Stored Tokens Readable
    Whether or not users are allowed to retrieve the stored identity provider token. This also applies to the read-token role on the broker client.

Trust Email
    Whether an email address provided by the identity provider is trusted. If the realm requires email validation, users that log in from this IDP do not have to go through the email verification process.

GUI Order
    The order number that sorts how the available IDPs are listed on the login page.

First Login Flow
    Select an authentication flow that is triggered for users that log in to central authentication through this IDP for the first time.

Post Login Flow
    Select an authentication flow that is triggered after the user finishes logging in with the external identity provider.
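The options above can be reviewed offline from a realm export. The following is an added example, not part of the product documentation: it assumes the export uses the Keycloak identity provider representation field names (alias, enabled, trustEmail, storeToken, addReadTokenRoleOnCreate, linkOnly, firstBrokerLoginFlowAlias, config.hideOnLoginPage) and reports, per enabled broker, the settings from Table 4.1 that widen what a user or client can do.

```python
import json
from typing import Dict, List

# Constructed sample shaped like a realm export; field names are assumed to follow
# the Keycloak identity provider representation, mapped here to Table 4.1 options.
SAMPLE_EXPORT = json.dumps({
    "identityProviders": [
        {
            "alias": "corp-saml",                               # Alias
            "enabled": True,                                    # Enabled
            "trustEmail": True,                                 # Trust Email
            "storeToken": True,                                 # Store Tokens
            "addReadTokenRoleOnCreate": True,                   # Stored Tokens Readable
            "linkOnly": False,                                  # Account Linking Only
            "firstBrokerLoginFlowAlias": "first broker login",  # First Login Flow
            "config": {"hideOnLoginPage": "false", "guiOrder": "1"},  # Hide on Login Page, GUI Order
        },
        {
            "alias": "github",
            "enabled": True,
            "trustEmail": False,
            "storeToken": False,
            "addReadTokenRoleOnCreate": False,
            "linkOnly": True,
            "firstBrokerLoginFlowAlias": "first broker login",
            "config": {"hideOnLoginPage": "true", "guiOrder": "2"},
        },
        {"alias": "legacy-oidc", "enabled": False},
    ]
})

def audit_identity_providers(export_json: str) -> Dict[str, List[str]]:
    """Return {alias: [findings]} for every enabled identity broker in the export."""
    findings: Dict[str, List[str]] = {}
    for idp in json.loads(export_json).get("identityProviders", []):
        if not idp.get("enabled", False):
            continue  # a disabled provider cannot be used to log in, so skip it
        cfg = idp.get("config", {})
        notes: List[str] = []
        if idp.get("trustEmail"):
            notes.append("Trust Email: realm email verification is skipped for this IDP")
        if idp.get("storeToken") and idp.get("addReadTokenRoleOnCreate"):
            notes.append("Store Tokens + Stored Tokens Readable: users can retrieve the upstream token")
        if cfg.get("hideOnLoginPage") == "true" and not idp.get("linkOnly"):
            notes.append("Hide on Login Page only: provider is still selectable via kc_idp_hint")
        if not idp.get("firstBrokerLoginFlowAlias"):
            notes.append("First Login Flow is not set")
        findings[idp["alias"]] = notes
    return findings
```

Run it against a realm export to get a per-alias list of settings worth confirming before the broker is enabled for production users.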

4.1. Managing group permissions with Ansible Automation Platform Central Authentication

You can manage user access on the Ansible Automation Platform by grouping specific permissions into roles and then assigning those roles to groups. When you log in to the Ansible Automation Platform for the first time, Users, Groups, and Roles appear on the User Access page in automation hub, where you can assign user access and roles to each group.

Automation hub includes a set of managed roles that cover common use cases. You can create your own set of managed roles or use the predefined roles located in the Roles section of the User Access page.

4.1.1. Grouping permissions into Roles

You can group permissions into roles with specific user access to features in the system.

Prerequisites

  • You are signed in as a hubadmin user.

Procedure

  1. Log in to your private automation hub.
  2. Navigate to the User Access drop-down menu.
  3. Click Roles.
  4. Click Add roles.
  5. Enter role name in the Name field.
  6. Enter role description in the Description field.
  7. Click the drop-down menu next to each Permissions type and select the appropriate permissions for the role.
  8. Click Save.

You have created a new role with specific permissions. You can now assign this role to groups.

4.1.1.1. Assigning roles to groups

You can assign roles to groups, giving users access to specific features in the system, from both the Groups menu and the Namespaces menu. Roles assigned to a group from the Groups menu have a global scope. For example, if a user is assigned a namespace owner role, that permission applies to all namespaces. However, roles assigned to a group from the Namespaces menu give a user access only to a specific instance of an object.

Prerequisites

  • You are signed in as a hubadmin user.

Procedure

Assigning roles from the Groups menu.

  1. Log in to your private automation hub.
  2. From the navigation panel, select User Access and then Groups.
  3. Select a group from the list of groups displayed.
  4. Click Add roles.
  5. Click the checkbox next to the role that you want to add.
  6. Click Next to preview the role that will be applied to the group.
  7. Click Add to apply the selected role to the group.

Note

Click Back to return to the roles menu, or click Cancel to return to the previous page.

Procedure

Assigning roles from the Namespaces menu.

  1. Log in to your private automation hub.
  2. From the navigation panel, select Collections and then Namespaces.
  3. Click the My Namespaces tab, and select a namespace.
  4. Click the Access tab to edit.

Users can now access features in automation hub associated with their assigned permissions.

4.1.2. Automation hub permissions

Permissions provide a defined set of actions each group can perform on a given object. Determine the required level of access for your groups based on the permissions described in this table.

Table 4.2. Permissions Reference Table (each row lists the Object, its Permissions, and a Description)

Object: collection namespaces
Permissions: Add namespace; Upload to namespace; Change namespace; Delete namespace
Description: Groups with these permissions can create a namespace, upload collections to it, and delete it.

Object: collections
Permissions: Modify Ansible repo content; Delete collections
Description: Groups with these permissions can perform these actions:
    Move content between repositories by using the Approval feature.
    Certify or reject content to move it from the staging repository to the published or rejected repositories.
    Delete collections.

Object: users
Permissions: View user; Delete user; Add user; Change user
Description: Groups with these permissions can manage user configuration and access in private automation hub.

Object: groups
Permissions: View group; Delete group; Add group; Change group
Description: Groups with these permissions can manage group configuration and access in private automation hub.

Object: collection remotes
Permissions: Change collection remote; View collection remote
Description: Groups with these permissions can configure a remote repository by navigating to Collection Repositories.

Object: containers
Permissions: Change container namespace permissions; Change containers; Change image tags; Create new containers; Push to existing containers; Delete container repository
Description: Groups with these permissions can manage container repositories in private automation hub.

Object: remote registries
Permissions: Add remote registry; Change remote registry; Delete remote registry
Description: Groups with these permissions can add, change, or delete remote registries added to private automation hub.

Object: task management
Permissions: Change task; Delete task; View all tasks
Description: Groups with these permissions can manage tasks added to Task Management in private automation hub.
