Chapter 4. Adding an identity broker to Ansible Automation Platform Central Authentication
Ansible Automation Platform Central Authentication supports both social and protocol-based providers. You can add an identity broker to central authentication to enable social authentication for your realm, allowing users to log in with an existing social network account, such as Google, Facebook, or GitHub.
For a list of supported social networks and information on enabling them, see this section.
Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Ansible Automation Platform Central Authentication provides support for SAML v2.0 and OpenID Connect v1.0 protocols.
Procedure
- Log in to Ansible Automation Platform Central Authentication as an admin user.
- Under the Configure section on the side navigation bar, click .
- From the Add provider list, select your identity provider to proceed to the identity provider configuration page.
The following table lists the available options for your identity provider configuration:
Configuration Option | Description |
---|---|
Alias | The alias is a unique identifier for an identity provider. It is used to reference an identity provider internally. Some protocols such as |
Enabled | Turns the provider on or off. |
Hide on Login Page | If enabled, this provider is not shown as a login option on the login page. Hiding a provider does not disable it: clients can still request to use this provider by using the |
Account Linking Only | If enabled, this provider cannot be used to log in users and is not shown as an option on the login page. Existing accounts can still be linked with this provider. |
Store Tokens | Whether or not to store the token received from the identity provider. |
Stored Tokens Readable | Whether or not users are allowed to retrieve the stored identity provider token. This also applies to the `read-token` role on the `broker` client. |
Trust Email | Whether an email address provided by the identity provider is trusted. If the realm requires email validation, users that log in from this IDP do not go through the email verification process, so enable this only for providers that verify email addresses themselves. |
GUI Order | The order number that sorts how the available IDPs are listed on the login page. |
First Login Flow | Select an authentication flow that is triggered for users that log in to central authentication through this IDP for the first time. |
Post Login Flow | Select an authentication flow that is triggered after the user finishes logging in with the external identity provider. |
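As an added example (not part of the original documentation and not product code), the following Python script reads a realm export and flags the options from the table that change the realm's security posture: Trust Email when the realm otherwise verifies addresses, Store Tokens and Stored Tokens Readable, and Hide on Login Page on a provider that is still enabled. It assumes that Central Authentication, which is built on Red Hat Single Sign-On, exports brokers under `identityProviders` using Keycloak's `IdentityProviderRepresentation` field names (`trustEmail`, `storeToken`, `addReadTokenRoleOnCreate`, `linkOnly`, `config.hideOnLoginPage`, `config.guiOrder`); the sample export is constructed for the example.

```python
"""Audit identity-broker options in a realm export.

Added example, not Central Authentication code.  Assumption: the export
lists brokers under "identityProviders" using Keycloak's
IdentityProviderRepresentation field names.  The export below is constructed.
"""
import json

SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "aap",
    "verifyEmail": True,  # the realm itself requires email verification
    "identityProviders": [
        {   # corporate SAML IdP that verifies email itself; nothing stored
            "alias": "corp-saml", "providerId": "saml", "enabled": True,
            "trustEmail": True, "storeToken": False,
            "addReadTokenRoleOnCreate": False, "linkOnly": False,
            "firstBrokerLoginFlowAlias": "first broker login",
            "config": {"hideOnLoginPage": "false", "guiOrder": "10"},
        },
        {   # social login that stores the external token and lets users read it
            "alias": "github", "providerId": "github", "enabled": True,
            "trustEmail": True, "storeToken": True,
            "addReadTokenRoleOnCreate": True, "linkOnly": False,
            "firstBrokerLoginFlowAlias": "first broker login",
            "config": {"hideOnLoginPage": "false", "guiOrder": "20"},
        },
        {   # hidden from the login page but still enabled and usable by alias
            "alias": "legacy-oidc", "providerId": "oidc", "enabled": True,
            "trustEmail": False, "storeToken": False,
            "addReadTokenRoleOnCreate": False, "linkOnly": False,
            "firstBrokerLoginFlowAlias": "first broker login",
            "config": {"hideOnLoginPage": "true", "guiOrder": "30"},
        },
    ],
})

# UI option label -> export field.  Top-level fields are booleans or strings;
# fields under "config" are strings ("true"/"false").
TOP_LEVEL = {
    "Enabled": "enabled",
    "Account Linking Only": "linkOnly",
    "Store Tokens": "storeToken",
    "Stored Tokens Readable": "addReadTokenRoleOnCreate",
    "Trust Email": "trustEmail",
    "First Login Flow": "firstBrokerLoginFlowAlias",
    "Post Login Flow": "postBrokerLoginFlowAlias",
}
IN_CONFIG = {"Hide on Login Page": "hideOnLoginPage", "GUI Order": "guiOrder"}


def option(idp: dict, label: str):
    """Read the value behind a UI option label from one broker's representation."""
    if label in TOP_LEVEL:
        return idp.get(TOP_LEVEL[label])
    value = idp.get("config", {}).get(IN_CONFIG[label])
    return value == "true" if label == "Hide on Login Page" else value


def audit_identity_providers(realm_export: str) -> dict:
    """Return {alias: [option labels a reviewer should confirm]} for enabled brokers."""
    realm = json.loads(realm_export)
    findings = {}
    for idp in realm.get("identityProviders", []):
        if not option(idp, "Enabled"):
            continue  # a disabled broker cannot be used to log in
        flagged = []
        # Trust Email skips the realm's own verification, so the broker must verify addresses.
        if option(idp, "Trust Email") and realm.get("verifyEmail"):
            flagged.append("Trust Email")
        # A stored external token is one more secret in the session and database...
        if option(idp, "Store Tokens"):
            flagged.append("Store Tokens")
            # ...and making it readable grants new users the broker client's read-token role.
            if option(idp, "Stored Tokens Readable"):
                flagged.append("Stored Tokens Readable")
        # Hiding a provider is cosmetic: clients can still request it by alias.
        if option(idp, "Hide on Login Page") and not option(idp, "Account Linking Only"):
            flagged.append("Hide on Login Page")
        findings[idp["alias"]] = flagged
    return findings


if __name__ == "__main__":
    for alias, flagged in audit_identity_providers(SAMPLE_REALM_EXPORT).items():
        print(f"{alias}: {', '.join(flagged) or 'no findings'}")
```

Run it against a real export to get a per-broker list of the options to review; a hidden but enabled broker, for instance, is flagged because hiding it from the page does not stop a client from requesting it.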
4.1. Managing group permissions with Ansible Automation Platform Central Authentication
You can manage user access on the Ansible Automation Platform by grouping specific permissions into roles and then assigning those roles to groups. When you log in to the Ansible Automation Platform for the first time, Users, Groups, and Roles appear on the User Access page in automation hub, where you can assign user access and roles to each group.
Automation hub includes a set of managed roles that are compatible with use cases you may encounter. You can create your own set of managed roles or use the predefined roles located in the Roles section of the User Access page.
4.1.1. Grouping permissions into Roles
You can group permissions into roles with specific user access to features in the system.
Prerequisites
- You are signed in as a hubadmin user.
Procedure
- Log in to your private automation hub.
- Navigate to the User Access drop-down menu.
- Click .
- Click .
- Enter role name in the Name field.
- Enter role description in the Description field.
- Click the drop-down menu next to each Permissions type and select the appropriate permissions for the role.
- Click .
You have created a new role with specific permissions. You can now assign this role to groups.
4.1.1.1. Assigning roles to groups
You can assign roles to groups, giving users access to specific features in the system, from both the Groups menu and the Namespaces menu. Roles assigned to a group from the Groups menu have a global scope. For example, if a user is assigned a namespace owner role, that permission applies to all namespaces. However, roles assigned to a group from the Namespaces menu will only give a user access to a specific instance of an object.
Prerequisites
- You are signed in as a hubadmin user.
Procedure
Assigning roles from the Groups menu:
- Log in to your private automation hub.
- From the navigation panel, select .
- Select a group from the list of groups displayed.
- Click .
- Click the checkbox next to the role that you want to add.
- Click to preview the role that will be applied to the group.
- Click to apply the selected role to the group.
- Click to return to the roles menu, or click to return to the previous page.
Procedure
Assigning roles from the Namespaces menu:
- Log in to your private automation hub.
- From the navigation panel, select .
- Click the My Namespaces tab, and select a namespace.
- Click the Access tab to edit.
Users can now access features in automation hub associated with their assigned permissions.
4.1.2. Automation hub permissions
Permissions provide a defined set of actions each group can perform on a given object. Determine the required level of access for your groups based on the permissions described in this table.
Object | Permission | Description |
---|---|---|
collection namespaces | Add namespace, Upload to namespace, Change namespace, Delete namespace | Groups with these permissions can create a namespace, upload collections to it, change it, and delete it. |
collections | Modify Ansible repo content, Delete collections | Groups with these permissions can move content between repositories by using the Approval feature, certify or reject collections to move them from the staging repository to the published or rejected repository, and delete collections. |
users | View user, Delete user, Add user, Change user | Groups with these permissions can manage user configuration and access in private automation hub. |
groups | View group, Delete group, Add group, Change group | Groups with these permissions can manage group configuration and access in private automation hub. |
collection remotes | Change collection remote, View collection remote | Groups with these permissions can configure a remote repository by navigating to |
containers | Change container namespace permissions, Change containers, Change image tags, Create new containers, Push to existing containers, Delete container repository | Groups with these permissions can manage container repositories in private automation hub. |
remote registries | Add remote registry, Change remote registry, Delete remote registry | Groups with these permissions can add, change, or delete remote registries added to private automation hub. |
task management | Change task, Delete task, View all tasks | Groups with these permissions can manage tasks added to Task Management in private automation hub. |
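The scoping rule from the section on assigning roles (a role bound from the Groups menu applies to every namespace, a role bound from a namespace's Access tab applies to that namespace only), combined with the namespace permissions from the table above, is modelled below as an added Python example. This is not automation hub code: the role names "Namespace owner" and "Collection publisher", the group and user names, and the data structures are assumptions constructed for the example; only the permission labels come from the table.

```python
"""Model of the two scopes at which automation hub roles are bound to groups.

Added example, not automation hub code.  A role bound from the Groups menu is
global and applies to every namespace; a role bound from a namespace's Access
tab applies to that namespace only.  Role names, group names and the data
model are assumptions; permission labels are taken from the permissions table.
"""
from collections import defaultdict
from dataclasses import dataclass, field

GLOBAL = "*"  # sentinel scope for roles bound from the Groups menu


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass
class Group:
    name: str
    members: frozenset
    # scope -> set of roles; scope is GLOBAL or a namespace name
    bindings: dict = field(default_factory=lambda: defaultdict(set))

    def bind_global(self, role: Role) -> None:
        """Groups menu: the role applies to all namespaces."""
        self.bindings[GLOBAL].add(role)

    def bind_namespace(self, namespace: str, role: Role) -> None:
        """Namespaces > Access tab: the role applies to this namespace only."""
        self.bindings[namespace].add(role)


# Roles assembled from the "collection namespaces" permissions in the table.
NAMESPACE_OWNER = Role("Namespace owner", frozenset({
    "Add namespace", "Upload to namespace", "Change namespace", "Delete namespace",
}))
COLLECTION_PUBLISHER = Role("Collection publisher", frozenset({"Upload to namespace"}))


def effective_permissions(user: str, namespace: str, groups) -> set:
    """Permissions `user` holds on `namespace` via global and namespace-scoped bindings."""
    perms = set()
    for group in groups:
        if user not in group.members:
            continue
        for scope in (GLOBAL, namespace):          # global bindings always apply
            for role in group.bindings.get(scope, ()):
                perms |= role.permissions
    return perms


def has_permission(user: str, permission: str, namespace: str, groups) -> bool:
    return permission in effective_permissions(user, namespace, groups)


def sample_groups():
    """Constructed sample: one globally bound group, one namespace-scoped group."""
    admins = Group("platform-admins", frozenset({"alice"}))
    admins.bind_global(NAMESPACE_OWNER)                      # Groups menu
    network = Group("team-network", frozenset({"bob"}))
    network.bind_namespace("network_ops", COLLECTION_PUBLISHER)  # Access tab of network_ops
    return [admins, network]


if __name__ == "__main__":
    groups = sample_groups()
    checks = [
        ("alice", "Delete namespace", "security_tools"),   # global owner: allowed anywhere
        ("bob", "Upload to namespace", "network_ops"),     # scoped publisher: allowed here
        ("bob", "Upload to namespace", "security_tools"),  # scoped publisher: denied elsewhere
        ("bob", "Delete namespace", "network_ops"),        # publisher lacks delete: denied
    ]
    for user, perm, ns in checks:
        print(f"{user:6} {perm:20} on {ns:15}: {has_permission(user, perm, ns, groups)}")
```

The least-privilege choice follows directly from the model: bind "Namespace owner" from a namespace's Access tab unless a group really must own every namespace, because the same role bound from the Groups menu grants delete on namespaces the group has never heard of.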