Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Access management and authentication

Red Hat Ansible Automation Platform 2.6

Configure role based access control, authenticators and authenticator maps in Ansible Automation Platform

Red Hat Customer Content Services

Abstract

This guide provides requirements, options, and recommendations for controlling access to Red Hat Ansible Automation Platform resources.

Providing feedback on Red Hat documentation
Copy link

If you have a suggestion to improve this documentation, or find an error, you can contact technical support at https://access.redhat.com to open a request.

Ansible Automation Platform features a platform interface where you can set up centralized authentication, configure access management, and configure global and system level settings from a single location.

The first time you log in to the Ansible Automation Platform, you must enter your subscription information to activate the platform. For more information about licensing and subscriptions, see Managing Ansible Automation Platform licensing, updates and support in the RPM installation, Containerized installation, or Installing on OpenShift Container Platform guide.

A system administrator can configure access, permissions and system settings through the following tasks:

Using the authentication settings in Ansible Automation Platform, you can set up a simplified login through several authentication methods, such as LDAP and SAML. Depending on the authentication method you select, you must enter different information to complete the configuration. Be sure to include all the information required for your configuration needs.

Important
  • During an upgrade to Ansible Automation Platform 2.6, platform gateway uses a new central authentication service.
  • After the upgrade, local users that used to exist in automation controller can be automatically converted into local platform gateway users. Other types of authentication from automation controller, such as LDAP, SAML, or OIDC, are migrated to platform gateway but platform gateway might need additional configuration before those users are ready for use.

Local user passwords are not automatically synchronized between automation controller and platform gateway after an upgrade. Platform gateway uses the following process to authenticate a local user for the first time:

  • Platform gateway attempts to authenticate the user with the platform gateway password.
  • If the attempt fails, platform gateway authenticates the user with the automation controller password.
  • On successful authentication, platform gateway updates the user’s password in its database.
  • The user is authenticated directly by platform gateway on subsequent logins.

For more information, see RPM upgrade and migration.

2.1. Prerequisites
Copy link

  • A running installation of Ansible Automation Platform 2.6
  • A running instance of your authentication source
  • Administrator rights to the Ansible Automation Platform
  • Any connection information needed to connect Ansible Automation Platform 2.6 to your source (see individual authentication types for details).

2.2. Pluggable authentication
Copy link

Authentication is the process of verifying a user’s identity to the Ansible Automation Platform, that is, to establish that a user is who they say they are. This can be done in several ways and is traditionally associated with a username and password. Configuring external authentication sources such as LDAP, SAML, and OIDC enables a Single Sign-On (SSO) experience. SSO allows users to access platform gateway by using the same credentials from other enterprise services.

Note

When you log out of Ansible Automation Platform, only your session with the platform ends. Your session with the external Single Sign-On (SSO) provider stays active. To switch to a different account with the same provider, you must log out of the SSO provider’s website directly. This ensures that you can successfully sign in with a new account.

Ansible Automation Platform 2.6 uses a pluggable authentication system with a configuration wizard that provides a common, simplified method of configuring different types of authenticators such as LDAP and SAML. The pluggable system also allows you to configure multiple authenticators of the same type.

In the pluggable system we have a couple of concepts:

Authenticator Plugin
A plugin allows Ansible Automation Platform to connect to a source system, such as, LDAP, or SAML. Ansible Automation Platform includes a variety of authenticator plugins. Authenticator plugins are similar to Ansible collections, in that all of the required code is in a package and can be versioned independently if needed.
Authenticator
An authenticator is an instantiation of an authenticator plugin and allows users from the specified source to log in. For example, the LDAP authenticator plugin defines a required LDAP server setting. When you instantiate an authenticator from the LDAP authentication plugin, you must provide the authenticator the LDAP server URL it needs to connect to.
Authenticator Map
Authenticator maps are applied to authenticators and tell Ansible Automation Platform what permissions to give a user logging into the system.

2.3. Creating an authentication method
Copy link

Creating an authenticator involves the following procedures:

  • Selecting an authentication type, where you select the type of authenticator plugin you want to configure, including the authentication details for the authentication type selected.

  • Mapping, where you define mapping rule types and triggers to control access to the system, and Mapping order, where you can define the mapping precedence.

    Note

    Mapping order is only available if you have defined one or more authenticator maps.

2.3.1. Selecting an authentication type
Copy link

On the Authentication Methods page you can select the type of authenticator plugin you want to configure.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.

  3. Enter a unique Name for the authenticator. The name is required, must be unique across all authenticators, and must not be longer than 512 characters. This becomes the unique identifier generated for the authenticator.

    Note

    Changing the name does not update the unique identifier of the authenticator. For example, if you create an authenticator with the name My Authenticator and later change it to My LDAP Authenticator you will not be able to create another authenticator with the name My Authenticator because the unique identifier is still in use.

  4. Select the authenticator type from the Authentication type list. See Configuring an authentication type for the complete list of authentication plugins available.

  5. The Authentication details section automatically updates to show the fields relevant to the selected authentication type. See the relevant sections in Configuring an authentication type for the required details.

    For all authentication types you can enter a Name, Additional Authenticator Fields and Create Objects.

  6. Enable or disable Enabled to specify if the authenticator should be enabled or disabled. If enabled, users are able to login from the authenticator. If disabled, users will not be allowed to login from the authenticator.

  7. Enable or disable Create Object to specify whether the authenticator should create teams and organizations in the system when a user logs in.

    Enabled
    Teams and organizations defined in the authenticator maps are created and the users added to them.
    Disabled
    Organizations and teams defined in the authenticator maps will not be created automatically in the system. However, if they already exist, for example, created by a superuser, users who trigger the maps are granted access to them.

  8. Enable or disable Remove Users. If enabled, any access previously granted to a user is removed when they authenticate from this source. If disabled, permissions are only added or removed from the user based on the results of this authenticator’s authenticator mappings.

    For example, assume a user has been granted the is_superuser permission in the system. And that user will log in to an authenticator whose maps will not formulate an opinion as to whether or not the user should be a superuser. If Remove Users is enabled, the is_superuser permission will be removed from the user, the authenticator maps will not have an opinion as to whether it should be there or not so, after login the user will not have the is_superuser permission.

    If Remove Users is disabled, the is_superuser permission will not be removed from the user. The authenticator maps will not have an opinion as to whether it should be there or not so after login the user will have the is_superuser permission.

  9. Click Create Authentication Method and proceed to Define authentication mapping rules and triggers.

Authentication map types can be used with any type of authenticator. Each map has a trigger that defines when the map should be evaluated as true.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. In the list view, select the authenticator name displayed in the Name column.
  3. Select the Mapping tab from the Details page of your authenticator.
  4. Click Create mapping.

  5. Select a map type from the Authentication mapping list. See Authenticator map types for detailed descriptions of the different map types. Choices include:

  6. Enter a unique rule Name to identify the rule.

  7. Select a Trigger from the list. See Authenticator map triggers for more details. Choices include:

    • Always
    • Never
    • Group
    • Attribute
  8. Click Create mapping.
  9. Repeat this procedure to create additional mapping rules and triggers for the authenticator.

  10. Proceed to Adjust the Mapping order to optionally reorder the mappings for your authenticator.

    Note

    The mapping order setting is only available if there is more than one authenticator map defined.

2.3.3. Adjusting the Mapping order
Copy link

If you have one or more authenticator maps defined, you can manage the order of the maps. Authenticator maps are run in order when logging in lowest order to highest. If one authenticator map determines a user should be a member of a team but a subsequent map determines the user should not be a member of the same team the ruling form the second map will take precedence over the result of the first map. Authenticator maps with the same order are executed in an undefined order.

For example, if the first authenticator map is of type is_superuser and the trigger is set to never, any user logging into the system would never be granted the is_superuser flag.

And, if the second map is of type is_superuser and the trigger is based on the user having a specific group, any user logging in would initially be denied the is_superuser permission. However, any user with the specified group would subsequently be granted the is_superuser permission by the second rule.

The order of rules is important beyond whether you want to process organizations, teams or roles first. They can also be used to refine access and careful consideration is needed to avoid login issues.

For example:

  • Authenticator map A denies all users access to the system
  • Authenticator map B allows the user john access to the system

When the mapping order is set to A, B; the first map denies access for all users, including john. The second map subsequently allows john access to the system and the result is that john is granted access and is able to log in to the platform.

However, when the mapping order is changed to B, A; the first map allows john access to the system. The second map subsequently denies all users access to the system (including john) and the result is that john is denied access and is unable to log in to the platform.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. In the list view, select the authenticator name displayed in the Name column.
  3. Select the Mapping tab from the Details page of your authenticator.
  4. Click Manage mappings.

  5. Adjust the mapping order by dragging and dropping the mappings up or down in the list using the icon.

    Note

    The mapping precedence is determined by the order in which the mappings are listed.

  6. After your authenticator maps are in the correct order, click Apply.

As a platform administrator, you can enable or disable authenticators. However, disabling your local authenticator can have significant impacts and should only be done under specific circumstances. Before you disable your local authenticator, you must consider the following:

Local account inaccessibility
Disabling the local authenticator prevents all local accounts, including the default admin account from logging in.
Potential inaccessibility
Disabling the local authenticator without having at least one other configured authenticator can render the Ansible Automation Platform environment completely inaccessible.
Dependency on enterprise authentication provider
If the local authenticator is disabled and an issue occurs with the configured enterprise authentication provider, the platform will become inaccessible until the enterprise authentication provider issue is resolved.

Prerequisites

  • You have at least one other authenticator method configured.
  • You have at least one administrator account that can authenticate using your alternate authenticator.
Caution

Disabling the local authenticator without an alternative authentication in place can result in a locked environment.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Ensure that at least one other authenticator type is configured and enabled.
  3. Select your Local Authenticator.
  4. Toggle the Enabled switch to the off position to disable the local authenticator.

Troubleshooting

If the local authenticator is disabled without another authentication method configured, or if an issue arises with your configured enterprise authentication provider, making the Ansible Automation Platform inaccessible, you can re-enable the local authenticator from the command line as follows:

  1. List the available authenticators and retrieve the ID of your local authenticator by running the following command: 

    aap-gateway-api authenticators --list

  2. Enable the local authenticator using its ID: 

    aap-gateway-manage authenticators --enable :id

    where: :id is the ID of the local authenticator obtained from the previous step.

2.5. Configuring an authentication type
Copy link

Ansible Automation Platform provides multiple authenticator plugins that you can configure to simplify the login experience for your organization. These are the authenticator plugins that are provided:

To ensure proper authentication flow after architectural changes in Ansible Automation Platform 2.6, update the callback_url in your identity providers (IdPs), such as GitHub, Microsoft Entra ID, Keycloak, Generic OIDC, and Google OAuth. This update redirects the callback_url from automation controller to platform gateway. Previously, the callback_url was a fixed value; however, it is now dynamically generated and specific to each authenticator instance, as described in the following procedure. This change requires a manual update in your IdP configuration, even after platform upgrades.

Important

After upgrading, your authentication method is disabled. As a platform administrator ensure that you enable the authenticator.

The callback_url is normally auto-generated by Ansible Automation Platform once the authentication method is configured. You must copy this generated URL from within Ansible Automation Platform and then paste it into your IdP’s settings.

Prerequisites

  • You have administrative access to the configuration settings of your external IdP.

Procedure

  1. Go to your authenticator’s configuration details within the Ansible Automation Platform UI to locate the callback_url.

    For more information, see Displaying authenticator details.

  2. Identify and copy the auto-generated Callback URL, Redirect URL, or Reply URL that Ansible Automation Platform provides for your specific authentication method.
  3. Update your IdP’s configuration by pasting the copied redirect URL from Ansible Automation Platform into your IdP’s configuration where necessary.

Verification

Verify that the callback_url has been updated correctly and authentication is working:

  • Log in to Ansible Ansible Automation Platform as an administrator account and enable the authentication method, if you have not already.
  • Log in to Ansible Automation Platform using the newly configured or updated OAuth or SSO provider. A successful login indicates correct configuration.

2.5.2. Configure authenticator timeouts
Copy link

Ansible Automation Platform uses a system of layered timeouts for password-based authenticators such as LDAP, RADIUS, and TACACS+. To prevent authentication requests from failing, configure each timeout setting in relation to the others. The principle is that each upstream timeout should be slightly longer than the sum of its downstream timeouts.

The system processes authentication requests through a chain of services, each with its own timeout setting:

  • Envoy timeout: The total time a request can take before the initial entry point (Envoy) terminates the connection. This is the highest-level timeout.
  • gRPC timeout: A downstream timeout that bounds the time spent communicating with the internal authentication service.
  • Authenticator timeout: The lowest-level timeout, which defines how long an individual authenticator (LDAP, RADIUS, TACACS+) waits for a response from its third-party server.
2.5.2.1. Setting timeout values
Copy link

Red Hat recommends that you configure your timeout values based on the performance needs of your authentication servers. While the installation program provides a way to set timeouts for the Ansible Automation Platform components, a system administrator must still review and adjust the individual authenticator timeouts to align with their specific environment.

Procedure

  • Configure authenticator timeouts: Adjust the timeout setting for each authenticator to a value that aligns with the expected response time of your external server.

    • For LDAP, set the OPT_NETWORK_TIMEOUT in seconds. For example, OPT_NETWORK_TIMEOUT: 30 sets an LDAP timeout of 30 seconds. For more information, see Configuring LDAP authentication.
    • For TACACS+ authentication, if you want to change the timeout you have to do it through the platform gateway API.
    • For RADIUS authentication, the timeout is not changeable and is set to 5 seconds.

2.5.3. Configuring local authentication
Copy link

As a platform administrator, you can configure local system authentication. With local authentication, users and their passwords are checked against local system accounts.

Note

A local authenticator is automatically created by the Ansible Automation Platform installation process, and is configured with the specified admin credentials in the inventory file before installation. After successful installation, you can log in to the Ansible Automation Platform using those credentials.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this Local configuration. The configuration name is required, must be unique across all authenticators, and must not be longer than 512 characters.
  4. Select Local from the Authentication type list.

  5. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  6. To automatically create organizations, users, and teams upon successful login, select Create objects.
  7. To enable this authentication method upon creation, select Enabled.
  8. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  9. Click Next.

2.5.4. Configuring LDAP authentication
Copy link

As a platform administrator, you can configure LDAP as the source for account authentication information for Ansible Automation Platform users.

Note

If the LDAP server you want to connect to has a certificate that is self-signed or signed by an internal certificate authority (CA), the CA certificate must be added to the system’s trusted CAs. Otherwise, connection to the LDAP server will result in an error that the certificate issuer is not recognized.

Your LDAP certificate is not automatically migrated if you use the default Red Hat Enterprise Linux truststore. If you are upgrading Ansible Automation Platform and your LDAP authentication relies on a certificate added to the system’s truststore, this LDAP certificate configuration is not automatically migrated for you to platform gateway in Ansible Automation Platform 2.6.

  • For upgrades from Ansible Automation Platform 2.4 to Ansible Automation Platform 2.6:

    • The migration of all authenticator configurations from automation controller to platform gateway are automated. This includes moving third-party authentication configuration and sensitive configuration data, such as SAML private keys or OAuth secret keys, from automation controller to platform gateway. However, if you are using custom LDAP certificates you still need to complete the following procedure for these certificates.
    • The is_superuser and is_system_auditor flags in your LDAP AUTH_LDAP_USER_FLAGS_BY_GROUP settings are successfully migrated to the new platform gateway. However, the is_active flag is not available in platform gateway and therefore is not migrated. Instead you can use a deny rule to prevent access to the system by users.
  • For upgrades from Ansible Automation Platform 2.5 to Ansible Automation Platform 2.6: Authenticator configurations are not automatically migrated from automation controller. If you configured authentication in Ansible Automation Platform 2.5, those settings remain as currently configured after upgrading to 2.6. If you used a custom certificate in 2.5 for LDAP you need to migrate that as well.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select LDAP from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.
  5. In the LDAP Server URI field, enter or modify the list of LDAP servers to which you want to connect. This field supports multiple addresses.

  6. In the LDAP Bind DN text field, enter the Distinguished Name (DN) to specify the user that the Ansible Automation Platform uses to connect to the LDAP server as shown in the following example: 

    cn=josie,cn=users,dc=website,dc=com
  7. In the LDAP Bind Password text field, enter the password to use for the binding user.

  8. Select a group type from the LDAP Group Type list.

    The group type defines the class name of the group, which manages the groups associated with users in your LDAP directory and is returned by the search specified in Step 14 of this procedure. The group type, along with group parameters and the group search, is used to find and assign groups to users during log in, and can also be evaluated during the mapping process. The following table lists the available group types, along with their descriptions and the necessary parameters for each. By default, LDAP groups will be mapped to Django groups by taking the first value of the cn attribute. You can specify a different attribute with name_attr. For example, name_attr='cn'.

    Expand
    Table 2.1. Available LDAP group types
    LDAP Group TypeDescriptionInitializer method (init)

    PosixGroupType

    Handles the posixGroup object class. This checks for both primary group and group membership.

    name_attr='cn'

    MemberDNGroupType

    Handles the grouping mechanisms wherein the group object contains a list of its member DNs.

    member_attr, name_attr='cn'

    GroupOfNamesType

    Handles the groupOfNames object class. Equivalent to MemberDNGroupType('member').

    name_attr='cn'

    GroupOfUniqueNamesType

    Handles the groupOfUniqueNames object class. Equivalent to MemberDNGroupType('uniqueMember').

    name_attr='cn'

    ActiveDirectoryGroupType

    Handles the Active Directory groups. Equivalent to MemberDNGroupType('member').

    name_attr='cn'

    OrganizationalRoleGroupType

    Handles the organizationalRole object class. Equivalent to MemberDNGroupType('roleOccupant').

    name_attr='cn'

    NestedGroupOfNamesType

    Handles the groupOfNames object class. Equivalent to NestedMemberDNGroupType('member').

    member_attr, name_attr='cn'

    NestedGroupOfUniqueNamesType

    Handles the groupOfUniqueNames object class. Equivalent to NestedMemberDNGroupType('uniqueMember').

    name_attr='cn'

    NestedActiveDirectoryGroupType

    Handles the Active Directory groups. Equivalent to NestedMemberDNGroupType('member').

    name_attr='cn'

    NestedOrganizationalRoleGroupType

    Handles the organizationalRole object class. Equivalent to NestedMemberDNGroupType('roleOccupant').

    name_attr='cn'

    Note

    The group types that are supported by Ansible Automation Platform use the underlying django-auth-ldap library. To specify the parameters for the selected group type, see Step 14 of this procedure.

  9. You can use LDAP User DN Template as an alternative to user search. This approach is more efficient for user lookups than searching if it is usable in your organizational environment. Enter the name of the template as shown in the following example: 

    uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com

    where: uid is the user identifier, cn is the common name and dc is the domain component.

    Note

    If this setting has a value it will be used instead of the LDAP User Search setting.

  10. LDAP Start TLS is disabled by default. StartTLS allows your LDAP connection to be upgraded from an unencrypted connection to a secure connection using Transport Layer Security (TLS). To enable StartTLS when the LDAP connection is not using SSL, set the switch to On.

  11. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  12. Enter any LDAP Connection Options to set for the LDAP connection. By default, LDAP referrals are disabled to prevent certain LDAP queries from hanging with Active Directory. Option names should be strings as shown in the following example: 

    OPT_REFERRALS: 0
OPT_NETWORK_TIMEOUT: 30

    See the python-LDAP Reference for possible options and values that can be set.

  13. Depending on the selected LDAP Group Type, different parameters are available in the LDAP Group Type Parameters field to account for this. LDAP_GROUP_TYPE_PARAMS is a dictionary, which is converted to kwargs and passed to the LDAP Group Type class selected. There are two common parameters used by group types: name_attr and member_attr. Where name_attr defaults to cn and member_attr defaults to member: 

    {"name_attr": "cn", "member_attr": "member"}

    To determine the parameters that a specific LDAP Group Type requires, refer to the django_auth_ldap documentation on the classes init parameters.

  14. In the LDAP Group Search field, specify which groups should be searched and how to search them as shown in the following example: 

    [
"dc=example,dc=com",
"SCOPE_SUBTREE",
"(objectClass=group)"
 ]

  15. In the LDAP User Attribute Map field, enter user attributes to map LDAP fields to your Ansible Automation Platform users, for example, email or first_name as shown in the following example: 

    {
"first_name": "givenname",
"last_name": "sn",
"email": "mail"
}

  16. In the LDAP User Search field, enter where to search for users during authentication as shown in the following example: 

    [
"ou=users,dc=website,dc=com",
"SCOPE_SUBTREE",
"(cn=%(user)s)"
]

    If the LDAP User DN Template is not set, the Ansible Automation Platform authenticates to LDAP using the Bind DN Template and LDAP Bind Password. After authentication, an LDAP search is performed to locate the user specified by this field. If the user is found, Ansible Automation Platform validates the provided password against the user found by the LDAP search. Multiple search queries are supported for users with LDAPUnion by entering multiple search terms as shown in the following example: 

    [
    [
        "ou=users,dc=example,dc=com",
        "SCOPE_SUBTREE",
        "uid=%(user)s"
    ],
     [
        "ou=employees,dc=subdivision,dc=com",
        "SCOPE_SUBTREE",
        "uid=%(user)s"
     ]
]

    If non-unique users are found during multiple searches, those users will not be able to log in to Ansible Automation Platform. Based on the example provided, if a user with uid=jdoe was found in both the ou=users,dc=example,dc=com and ou=employees,dc=subdivision,dc=com, neither jdoe user would be able to log in. All other unique users that are found in either branch would still be able to log in.

    Note

    If the field LDAP User DN Template is populated, it takes precedence over the LDAP User Search field and only the template will be used to authenticate users.

  17. To automatically create organizations, users, and teams upon successful login, select Create objects.
  18. To enable this authentication method upon creation, select Enabled.
  19. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  20. Click Create Authentication Method.

You can authenticate to the automation controller server by using LDAP. However, if you change to using LDAPS (LDAP over SSL/TLS) to authenticate and the TLS certificate is not trusted by platform gateway, it fails with an error such as: 

2025-08-26 16:40:56,141 WARNING   django_auth_ldap Caught LDAPError while authenticating: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (self-signed certificate)'})

To get Ansible Automation Platform to trust the certificate coming from LDAP, perform the following procedure on all platform gateway instances.

Procedure

  1. Place a copy of the LDAP servers certificate in the directory, /etc/pki/ca-trust/source/anchors/.

  2. Run the command: 

    update-ca-trust

2.5.5. Configuring SAML authentication
Copy link

SAML allows the exchange of authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). Ansible Automation Platform is a SAML SP that you can configure to talk with one or more SAML IdPs to authenticate users.

Based on groups and attributes optionally provided by the SAML IdP, users can be placed into teams and organizations in Ansible Automation Platform based on the authenticator maps tied to this authenticator. This mapping ensures that when a user logs in through SAML, Ansible Automation Platform can correctly identify the user and assign the proper attributes such as given name, surname, email, and group membership.

Prerequisites

Before you configure SAML authentication in Ansible Automation Platform, be sure you do the following:

  • Configure a SAML Identity Provider (IdP).

  • Pre-configure the SAML IdP with the settings required for integration with Ansible Automation Platform. For example, in Microsoft Entra ID you can configure the following:

    • Identifier (Entity ID): This can be any value that you want, but it needs to match the one configured in your Ansible Automation Platform.
    • Reply URL (Assertion Consumer Service (ACS) URL): This URL is auto generated when the SAML method is configured in Ansible Automation Platform. Copy that value from Ansible Automation Platform and paste in your IdP settings.
  • Gather the user attributes for your SAML IdP application. Different IdPs might use different attribute names and formats. Refer to documentation for your specific IdP for the exact attribute names and the expected values.

  • Generate a private key and public certificate using the following command: 

    $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this SAML configuration.
  4. Select SAML from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.
  5. Enter the application-defined unique identifier used as the audience of the SAML service provider configuration in the SAML Service Provider Entity ID field. This is usually the base URL of your service provider, but the actual value depends on the Entity ID expected by your IdP.
  6. Include the certificate content in the SAML Service Provider Public Certificate field. This information is contained in the cert.pem you created as a prerequisite and must include the --BEGIN CERTIFICATE-- and --END CERTIFICATE--.
  7. Include the private key content in the SAML Service Provider Private Key field. This information is contained in the key.pem you created as a prerequisite and must include the --BEGIN PRIVATE KEY-- and --END PRIVATE KEY--.
  8. Enter the URL to redirect the user to for login initiation in the IdP Login URL field. This is the login URL from your SAML IdP application.

  9. Enter the public cert used for secrets coming from the IdP in the IdP Public Cert field. This is the SAML certificate available for download from IdP.

    Note

    The IdP in the IdP Public Cert field should contain the entire certificate, including the --BEGIN-- and --END CERTIFICATE--. You must manually enter the prefix and suffix if the IdP does not include it.

  10. Enter the entity ID returned in the assertion in the Entity ID. This is the identifier from your IdP SAML application. You can find this value in the SAML metadata provided by your IdP.
  11. Enter user details in the Groups, User Email, Username, User Last Name and User First Name.

  12. Enter a permanent ID for the user in the User Permanent ID field. This field is required.

    Note

    Additional attributes might be available through your SAML IdP. Those values must be included in either the Additional Authenticators Fields or the SAML IDP to extra_data attribute mapping field. Refer to those steps for details.

  13. The SAML Assertion Consumer Service (ACS) URL field registers the service as a service provider (SP) with each identity provider (IdP) you have configured. Leave this field blank. After you save this authentication method, it is auto generated. This field must match the Reply URL setting in your IdP.

  14. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator. For example, to ensure all SAML IdP attributes other than Email, Username, Last Name, First Name are included for mapping, enter the following: 

    GET_ALL_EXTRA_DATA: true

    Alternatively, you can include a list of SAML IdP attributes in the SAML IDP to extra_data attribute mapping field.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  15. In the SAML Service Provider Organization Info field, provide the URL, display name, and the name of your app. 

    {
  "en-US": {
    "url": "http://www.example.com",
    "displayname": "Example",
    "name": "example"
  }
}

  16. In the SAML Service Provider Technical Contact field, give the name and email address of the technical contact for your service provider. 

    {
"givenName": "Some User",
"emailAddress": "suser@example.com"
}

  17. In the SAML Service Provider Support Contact field, give the name and email address of the support contact for your service provider. 

    {
"givenName": "Some User",
"emailAddress": "suser@example.com"
}

  18. Optional: Provide extra configuration data in the SAML Service Provider extra configuration data field. For example, you can choose to enable signing requests for added security: 

    {
"sign_request": True,
}

    This field is the equivalent to the SOCIAL_AUTH_SAML_SP_EXTRA in the API. For more information, see OneLogin’s SAML Python Toolkit to learn about the valid service provider extra (SP_EXTRA) parameters.

    Note

    References to the OneLogin SAML Python Toolkit are for formatting examples only. Some configuration entries in the OneLogin documentation might not apply to Ansible Automation Platform.

  19. Optional: Provide security settings in the SAML Security Config field. This field is the equivalent to the SOCIAL_AUTH_SAML_SECURITY_CONFIG field in the API. 

    // Indicates whether the <samlp:AuthnRequest> messages sent by this SP // will be signed. [Metadata of the SP will offer this info]
"authnRequestsSigned": false,

// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> // and <samlp:LogoutResponse> elements received by this SP to be signed.
"wantMessagesSigned": false,

// Indicates a requirement for the <saml:Assertion> elements received by // this SP to be signed. [Metadata of the SP will offer this info]
"wantAssertionsSigned": false,

// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
"requestedAuthnContext": true,

    For more information and additional options, see OneLogin’s SAML Python Toolkit.

  20. Optional: In the SAML IDP to extra_data attribute mapping field, enter values to map IDP attributes to extra_data attributes. These values will include additional user information beyond standard attributes such as Email or Username to be mapped. For example: 

    - Department
- UserType
- Organization

    For more information about the values you can include, see advanced SAML settings.

    Important

    Ensure to include all relevant values so that everything gets mapped correctly for your configuration. Alternatively, you can include the GET_ALL_EXTRA_DATA: true in the Additional Authenticator Fields to allow mapping of all available SAML IdP attributes.

  21. To automatically create organizations, users, and teams upon successful login, select Create objects.
  22. To enable this authentication method upon creation, select Enabled.
  23. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.

  24. Click Create Authentication Method.

    Important

    You can configure an HTTPS redirect for SAML in operator-based deployments to simplify login for your users. For the steps to configure this setting, see Enabling single sign-on (SSO) for platform gateway on OpenShift Container Platform.

2.5.5.1. Configuring transparent SAML logins
Copy link

For transparent logins to work, you must first get IdP-initiated logins to work.

Procedure

  • Set the RelayState on the IdP to "IdP".

2.5.6. Configuring TACACS+ authentication
Copy link

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that handles remote authentication and related services for networked access control through a centralized server. TACACS+ provides authentication, authorization and accounting (AAA) services, in which you can configure Ansible Automation Platform to use as a source for authentication.

Note

This feature is deprecated and will be removed in a future release.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select TACACS+ from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. Enter the following information:

    • Hostname of TACACS+ Server: Provide the hostname or IP address of the TACACS+ server with which to authenticate. If you leave this field blank, TACACS+ authentication is disabled.
    • TACACS+ Authentication Protocol: The protocol used by the TACACS+ client. The options are ascii or pap.
    • Shared secret for authenticating to TACACS+ server: The secret key for TACACS+ authentication server.
  6. The TACACS+ client address sending enabled is disabled by default. To enable client address sending, select the checkbox.

  7. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  8. To automatically create organizations, users, and teams upon successful login, select Create objects.
  9. To enable this authentication method upon creation, select Enabled.
  10. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  11. Click Create Authentication Method.

To set up enterprise authentication for Microsoft Entra ID, formerly known as Microsoft Azure Active Directory (AD), follow these steps:

  1. Configure your Ansible Automation Platform to use Microsoft Entra ID authentication using the steps in this procedure.
  2. Register Ansible Automation Platform in Microsoft Entra ID by following the Quickstart: Register an application with the Microsoft identity platform. This process provides you with an Application (client) ID and Application secret.
  3. Add the redirect URL in Microsoft Entra ID. After completing the configuration wizard for Microsoft Entra ID authentication in your platform, copy the URL displayed in the Azure AD OAuth2 Callback URL field. Then, go to your registered enterprise application in Azure and add this URL as a Redirect URL (also referred to as a Callback URL in Ansible Automation Platform) as described in How to add a redirect URI to your application. This step is required for the login flow to work correctly.

The attributes provided by Microsoft Entra ID are not set in the Ansible Automation Platform configuration for this authentication type. Instead, the social_core azuread backend provides the translation of claims provided by Microsoft Entra ID. The user attributes that allow Ansible Automation Platform to correctly identify the user and assign the proper attributes such as given name, surname, email, and username include the following:

Expand
Ansible Automation Platform attributeMicrosoft Entra ID parameter

authenticator_uid

upn

Username

name

First Name

given_name

Last Name

family_name

Email

email (falling back to upn)

Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select Azuread from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.
  5. Click Edit, copy and paste Microsoft’s Application (Client) ID to the OIDC Key field.

  6. If your Microsoft Entra ID is configured to provide user group information within a groups claim, ensure that the platform is configured with a Groups Claim name that matches your Microsoft Entra ID configuration. This allows the platform to correctly identify and associate groups for users logging in through Microsoft Entra ID.

    Note

    Groups coming from Microsoft Entra ID can be identified using either unique IDs or group names. When creating group mappings for a Microsoft Entra ID authenticator, you can use either the unique ID or the group name.

    By default, Microsoft Entra ID uses groups as the default group claim name. So, be sure to either set the value to the default or to any custom override you have set in your IdP. The current default is set to preserve the existing behavior unless explicitly changed.

  7. Following instructions for registering your application with the Microsoft identity platform, supply the key (shown at one time only) to the client for authentication.
  8. Copy and paste the secret key created for your Microsoft Entra ID/Microsoft Azure AD application to the OIDC Secret field.
  9. Optional: By default, the name attribute from Microsoft Entra ID is used as the username field within Ansible Automation Platform. If you want to override that default value and use another attribute from Microsoft Entra ID, enter that attribute in the username field.

  10. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  11. To automatically create organizations, users, and teams upon successful login, select Create objects.
  12. To enable this authentication method upon creation, select Enabled.
  13. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  14. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

Next steps

To control which users are allowed into the Ansible Automation Platform server, and placed into Ansible Automation Platform organizations or teams based on their attributes (such as username and email address) or to what groups they belong, continue to Mapping.

Additional resources

2.5.8. Configuring Google OAuth2 authentication
Copy link

To set up social authentication for Google, you must obtain an OAuth2 key and secret for a web application. To do this, you must first create a project and set it up with Google.

For instructions, see Setting up OAuth 2.0 in the Google API Console Help documentation.

If you have already completed the setup process, you can access those credentials by going to the Credentials section of the Google API Manager Console. The OAuth2 key (Client ID) and secret (Client secret) are used to supply the required fields in the UI.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select Google OAuth from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. The Google OAuth2 Key and Google OAuth2 Secret fields are pre-populated.

    If not, use the credentials Google supplied during the web application setup process. Save these settings for use in the following steps.

  6. Copy and paste Google’s Client ID into the Google OAuth2 Key field.
  7. Copy and paste Google’s Client secret into the Google OAuth2 Secret field.

  8. Optional: Enter information for the following fields using the tooltip provided for instructions and required format:

    • Access Token URL
    • Access Token Method
    • Authorization URL
    • Revoke Token Method
    • Revoke Token URL
    • OIDC JWT Algorithm(s)
    • OIDC JWT

  9. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  10. To automatically create organizations, users, and teams upon successful login, select Create objects.
  11. To enable this authentication method upon creation, select Enabled.
  12. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  13. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

2.5.9. Configuring generic OIDC authentication
Copy link

OpenID Connect (OIDC) uses the OAuth 2.0 framework. It enables third-party applications to verify the identity and obtain basic end-user information. The main difference between OIDC and SAML is that SAML has a service provider (SP)-to-IdP trust relationship, whereas OIDC establishes the trust with the channel (HTTPS) that is used to obtain the security token. To obtain the credentials needed to set up OIDC with Ansible Automation Platform, see the documentation from the IdP of your choice that has OIDC support.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select Generic OIDC from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. Enter the following information:

    • OIDC Provider URL: The URL for your OIDC provider.
    • OIDC Key: The client ID from your third-party IdP.
    • OIDC Secret: The client secret from your IdP.
  6. Optional: Select the HTTP method to be used when requesting an access token from the Access Token Method list. The default method is POST.

  7. Optionally enter information for the following fields using the tooltip provided for instructions and required format:

    • Access Token Method - The default method is POST.
    • Access Token URL
    • Access Token Method
    • Authorization URL
    • Callback URL - The OIDC Callback URL field registers the service as a service provider (SP) with each OIDC provider you have configured. Leave this field blank. After you save this authentication method, it is auto generated. Configure your IdP to allow redirects to this URL as part of the authentication flow.
    • ID Key
    • ID Token Issuer
    • JWKS URI
    • OIDC Public Key
    • Revoke Token Method - The default method is GET.
    • Revoke Token URL
    • Response Type
    • Token Endpoint Auth Method
    • Userinfo URL
    • Username Key
  8. Use the Verify OIDC Provider Certificate to enable or disable the OIDC provider SSL/TLS certificate verification.
  9. Use the Redirect State to enable or disable the state parameter in the redirect URI. Enable this to prevent Cross Site Request Forgery (CSRF) attacks.

  10. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  11. To automatically create organizations, users, and teams upon successful login, select Create objects.
  12. To enable this authentication method upon creation, select Enabled.
  13. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  14. Click Create Authentication Method.

Authentication fails if the OIDC JWT Algorithm setting is not explicitly defined. The authentication code requires a list of acceptable algorithms, which it does not retrieve automatically from the OpenID Connect (OIDC) configuration endpoint.

2.5.9.1.1. Configuring JWT_Algorithms manually
Copy link

To resolve the authentication failure, manually provide the list of supported algorithms in the platform gateway configuration.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Select your OIDC authenticator from the list.
  3. Click Edit authentication and locate the OIDC JWT Algorithm(s) field.

  4. Enter the list of supported algorithms as a YAML list or a JSON array. These algorithms are typically available from your IdP’s OpenID Connect (OIDC) discovery endpoint.

    Example 

    [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
]
  5. Save your changes. The system uses these specified algorithms for token verification, resolving any authentication failures related to their absence.

To further diagnose authentication issues, enable debug logging in platform gateway.

Procedure

  1. Change the logging configuration in the platform gateway’s settings.py file.

  2. Set the logging level for the ansible_base logger to DEBUG: 

    LOGGING['loggers']['ansible_base']['level'] = 'DEBUG'

    After this change, detailed AuthTokenError messages are displayed in the logs, providing specific information about the cause of the failure.

Authentication fails when the Identity Provider (IdP) does not support the default scopes automatically appended by the system.

To prevent the system from appending this default scope, you must add a setting to your authenticator configuration.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Select your OIDC authenticator from the list.
  3. Click Edit authentication.

  4. In the Additional Authenticator Fields section, add the following attribute and value. This input box supports either YAML or JSON. Ensure you add this key-value pair on a new line if there are other fields present: 

    IGNORE_DEFAULT_SCOPE: True
  5. Save your changes. The authenticator now only uses the scopes you explicitly defined, resolving any authentication failures related to unsupported scopes.

2.5.10. Configuring keycloak authentication
Copy link

You can configure Ansible Automation Platform to integrate Keycloak to manage user authentication.

Note

When using this authenticator some specific setup in your Keycloak instance is required. Refer to the Python Keycloak reference for more details.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select Keycloak from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.
  5. Enter the location where the user’s token can be retrieved in the Keycloak Access Token URL field.
  6. Optional: Enter the redirect location the user is taken to during the login flow in the Keycloak Provider URL field.
  7. Enter the Client ID from your Keycloak installation in the Keycloak OIDC Key field.
  8. Enter the RS256 public key provided by your Keycloak realm in the Keycloak Public Key field.
  9. Enter the OIDC secret (Client Secret) from your Keycloak installation in the Keycloak OIDC Secret field.

  10. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  11. To automatically create organizations, users, and teams upon successful login, select Create objects.
  12. To enable this authentication method upon creation, select Enabled.
  13. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  14. Click Create Authentication Method.

Troubleshooting

If you receive an jwt.exceptions.InvalidAudienceError: Audience doesn’t match error, you must re-enable the audience by doing the following:

  1. From the navigation for your Keycloak configuration, select Client scopesYOUR-CLIENT-ID-dedicatedAdd mapperAudience.
  2. Pick a name for the mapper.
  3. Select the Client ID corresponding to your client in Included Client Audience.

2.5.11. Configuring GitHub authentication
Copy link

You can connect GitHub identities to Ansible Automation Platform using OAuth. To set up GitHub authentication, you need to obtain an OAuth2 key and secret by registering your organization-owned application from GitHub by using the registering the new application with GitHub.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When the application is registered, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.

  6. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  7. To automatically create organizations, users, and teams upon successful login, select Create objects.
  8. To enable this authentication method upon creation, select Enabled.
  9. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  10. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

When defining account authentication with either an organization or a team within an organization, you should use the specific organization and team settings. Account authentication can be limited by an organization and by a team within an organization.

You can also choose to permit all by specifying non-organization or non-team based settings. You can limit users who can log in to the platform by limiting only those in an organization or on a team within an organization.

To set up social authentication for a GitHub organization, you must obtain an OAuth2 key and secret for a web application by using the registering the new application with GitHub.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub organization from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When the application is registered, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
  6. Enter the name of your GitHub organization, as used in your organization’s URL, for example, https://github.com/<yourorg>/ in the GitHub OAuth Organization Name field.

  7. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  8. Enter the authorization scope for users in the GitHub OAuth2 Scope field. The default is read:org.
  9. To automatically create organizations, users, and teams upon successful login, select Create objects.
  10. To enable this authentication method upon creation, select Enabled.
  11. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  12. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

2.5.13. Configuring GitHub team authentication
Copy link

To set up social authentication for a GitHub team, you must obtain an OAuth2 key and secret for a web application by using the instructions provided in registering the new application with GitHub.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub team from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When the application is registered, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
  6. Copy and paste GitHub’s team ID in the GitHub OAuth2 Team ID field.
  7. Enter the authorization scope for users in the GitHub OAuth2 Scope field. The default is read:org.

  8. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  9. To automatically create organizations, users, and teams upon successful login, select Create objects.
  10. To enable this authentication method upon creation, select Enabled.
  11. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.

  12. Click Create Authentication Method.

    To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

To set up social authentication for a GitHub enterprise, you must obtain a GitHub Enterprise URL, an API URL, OAuth2 key and secret for a web application.

To obtain the URLs, see the GitHub Enterprise administration documentation.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub enterprise from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When the application is registered, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
  6. In the Base URL field, enter the hostname of the GitHub Enterprise instance, for example, https://github.example.com.
  7. In the Github OAuth2 Enterprise API URL field, enter the API URL of the GitHub Enterprise instance, for example, https://github.example.com/api/v3.

  8. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  9. To automatically create organizations, users, and teams upon successful login, select Create objects.
  10. To enable this authentication method upon creation, select Enabled.
  11. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  12. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

To set up social authentication for a GitHub enterprise organization, you must obtain a GitHub enterprise organization URL, an Organization API URL, an Organization OAuth2 key and secret for a web application.

To obtain the URLs, see the GitHub Enterprise administration documentation.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub enterprise organization from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When you register the application, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
  6. In the Base URL field, enter the hostname of the GitHub Enterprise instance, for example, https://github.example.com.
  7. In the Github OAuth2 Enterprise API URL field, enter the API URL of the GitHub Enterprise instance, for example, https://github.example.com/api/v3.
  8. Enter the name of your GitHub enterprise organization, as used in your organization’s URL, for example, https://github.com/<yourorg>/ in the GitHub OAuth2 Enterprise Org Name field.

  9. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  10. To automatically create organizations, users, and teams upon successful login, select Create objects.
  11. To enable this authentication method upon creation, select Enabled.
  12. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.

  13. Click Create Authentication Method.

    To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

To set up social authentication for a GitHub enterprise team, you must obtain a GitHub Enterprise Organization URL, an Organization API URL, an Organization OAuth2 key and secret for a web application.

To obtain the URLs, see the GitHub Enterprise administration documentation.

To obtain the key and secret, you must first register your enterprise organization-owned application at https://github.com/organizations/<yourorg>/settings/applications.

The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration. See Displaying authenticator details for instructions on accessing this information.

Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select GitHub enterprise team from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.

  5. When the application is registered, GitHub displays the Client ID and Client Secret:

    1. Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
    2. Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
  6. In the Base URL field, enter the hostname of the GitHub Enterprise instance, for example, https://github.orgexample.com.
  7. In the Github OAuth2 Enterprise API URL field, enter the API URL of the GitHub Enterprise instance, for example, https://github.example.com/api/v3.
  8. Enter the OAuth2 key (Client ID) from your GitHub developer application in the GitHub OAuth2 team ID field.

  9. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  10. To automatically create organizations, users, and teams upon successful login, select Create objects.
  11. To enable this authentication method upon creation, select Enabled.
  12. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  13. Click Create Authentication Method.

Verification

To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your authentication chosen method to enable logging in with those credentials.

2.5.17. Configuring RADIUS authentication
Copy link

You can configure Ansible Automation Platform to centrally use RADIUS as a source for authentication information.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Click Create authentication.
  3. Enter a Name for this authentication configuration.
  4. Select Radius from the Authentication type list. The Authentication details section automatically updates to show the fields relevant to the selected authentication type.
  5. Enter the host or IP of the RADIUS server in the RADIUS Server field. If you leave this field blank, RADIUS authentication is disabled.
  6. Enter the Shared secret for authenticating to RADIUS server.

  7. Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.

    Note

    Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.

  8. To automatically create organizations, users, and teams upon successful login, select Create objects.
  9. To enable this authentication method upon creation, select Enabled.
  10. To remove a user for any groups they were previously added to when they authenticate from this source, select Remove users.
  11. Click Create Authentication Method.

Red Hat Ansible Automation Platform 2.6 manages user accounts and synchronizes attributes by centralizing user identification around a verified email address. This approach gives users the option to sign in with existing accounts from different sources while maintaining a consistent user profile and access permissions.

When a user logs into the platform for the first time with an authenticator, such as Local, GitHub, SAML, or LDAP, the system evaluates the username and email address. If a single, verified email match exists, the external user is linked to that existing platform account.

  • Subsequent logins with the same authenticator and external Unique Identifier (UID) directly sign the user into their linked account.
  • If a user’s external UID changes, the system re-triggers the email-based linking logic. If the new UID’s email matches the existing account, the new authenticator is linked. If the email does not match or is not provided, a new user account might be created.
  • If a user’s external email changes, the platform does not automatically update the email address in the existing account, but the user can still sign in and a new account with the new email is created for the user.

This strategy addresses historical inconsistencies:

  • Ansible Automation Platform 2.4: Inconsistent authentication across multiple backends could lead to login failures.
  • Ansible Automation Platform 2.5: Platform gateway created new users with hashed usernames, for example, username-abc123, when a user authenticated with many providers, which created administrative issues.

In Ansible Automation Platform 2.6, if a user had a "hashed" account from Ansible Automation Platform 2.5, such as bob-hash due to a username collision, that association is honored for that authenticator. However, for new authentications from other identity providers, the platform now maps to the user’s primary account, such as, bob, provided a single matching email exists. This consolidates user identities and prevents the creation of new hashed accounts. If users should have been previously merged you can delete the user-<hash> account from Ansible Automation Platform and on a subsequent login, the users are merged based on emails as described above.

Important
  • Authenticators without email: If an authenticator such as RADIUS or TACACS+ does not return an email address, a new account is created on first sign-in. To ensure consistent future access, manually add an email to the account after creation.
  • Multiple users with the same email: If an email from an authenticator matches multiple existing platform accounts, the sign-in process fails.
  • LDAP usernames: The platform treats LDAP usernames as case-insensitive. It converts the username to lowercase and stores it in the database.
  • associated_authenticators field: For this unified association, the associated_authenticators field in the API is adjusted to support multiple UIDs per user.

2.7. Mapping
Copy link

To control which users are allowed into the Ansible Automation Platform server, and placed into Ansible Automation Platform organizations or teams based on their attributes (such as username and email address) or what groups they belong to, you can configure authenticator maps.

Use authenticator maps to add conditions that must be met before a user is given or denied access to a resource type. Authenticator maps are associated with an authenticator and are given an order. The maps are processed in order when the user logs in. These are similar to firewall rules or mail filters.

2.7.1. Understanding authenticator mapping
Copy link

Authentication
Validates a user’s identity, typically through a username and password or a trust system.
Authorization
Determines what an authenticated user can do once they are authenticated.

In Ansible Automation Platform, authenticators manage authentication, validating users and returning details such as their username, given name, email, and group memberships (for example, LDAP groups). Authorization comes from the authenticator’s associated maps.

During the authentication process, after a user has authenticated, the authorization system starts with a default set of permissions in memory. Then sequentially, the authenticator maps are processed and adjust permissions based on their trigger conditions. When all the authenticator’s maps are processed, the in-memory representation of the user’s permissions are reconciled with their existing permissions.

For example, here is a simplified in-memory representation of the default permissions as follows: 

Access allowed = True
Superuser permission = Undefined
Admin of teams = None

And, you might have maps that need to be processed are processed in the following order:

  1. Allow rule set to never
  2. Allow rule based on group
  3. Superuser rule based on user attributes
  4. Team admin rule based on user group

The first Allow map, set to never, denies access to the system and the in-memory representation looks like: 

Access allowed = False
Superuser permission = Undefined
Admin of teams = None

However, if the user matches the second Allow map (the group-based allow), the permissions change to the following: 

Access allowed = True
Superuser permission = Undefined
Admin of teams = None

Where the user is subsequently granted access to Ansible Automation Platform because they have the required groups.

Next, the Superuser map checks user attributes. If no match is found, it does not revoke existing permissions by default. Therefore, the permissions remain the same as the results from the previous map: 

Access allowed = True
Superuser permission = Skipped
Admin of teams = None

To revoke superuser access, you can select the Revoke option on the Superuser map. That way, when the user does not meet the attribute criteria, the permissions update to False such as the following: 

Access allowed = True
Superuser permission = False
Admin of teams = None

The final Team map checks the user’s groups coming from the authenticator for admin access on the team “My Team”. If the user has the required group, the permissions update to the following: 

Access allowed = True
Superuser permission = False
Admin of teams = “My Team

If the user lacks the required group, permissions remain unchanged unless the Revoke option has been selected on the map, in which case permissions update to the following: 

Access allowed = True
Superuser permission = False
Admin of teams = Revoke admin of “My Team”

After processing all maps in the order defined, the final permissions reconcile, updating the user’s access based on the map rules.

In summary, authenticators validate users and delegate system authorization to the authenticator maps. Authenticator maps are executed in order creating an in-memory representation of the users' permissions which get reconciled with the actual permissions after all maps are executed.

By default, authenticator maps return either ALLOW or SKIPPED.

ALLOW
Means that a match is detected and the platform should grant the user access to the corresponding role or permission (such as, superuser, or team member).
SKIPPED
Means that the user did not match the trigger in the map and, the platform skips processing this map and continues to check the remaining maps. This is useful if you want to grant users additional permissions in the system without having to change the authenticator maps.

However, when the Revoke option is selected, SKIPPED becomes DENY and users who do not meet the required trigger criteria are denied access to the corresponding role or permission. This ensures that only users with matching trigger conditions are granted access.

2.7.2. Authenticator map types
Copy link

Ansible Automation Platform supports the following rule types:

Allow
Determine if the user is allowed to log in to the system.
Organization
Determine if a user should be put into an organization.
Team
Determine if the user should be a member of a team.
Role
Determine if the user is a member of a role (for example, System Auditor).
Is Superuser
Determine if the user is a superuser in the system.

These authentication map types can be used with any type of authenticator.

2.7.3. Authenticator map triggers
Copy link

Each map has a trigger that defines when the map should be evaluated as true. Trigger types include the following:

Always
The trigger should always be fired.
Never
The trigger should never be fired.
Group

The map is true or false based on a user having, not having, or having multiple groups in the source system. See Authenticator map examples for information on using Group triggers.

When defining a group trigger, the authentication mapping expands to include the following selections:

  • Operation: This field includes conditional settings that trigger the handling of the rule based on the specified Groups criteria. The choices include and and or. For example, if you select and the user logging in must be a member of all of the groups specified in the Groups field for this trigger to be true. Alternatively, if you select or the user logging in must be a member of any of the specified Groups in order for the trigger to fire.

    Note

    If you are only keying off one group it does not matter if you select "and" or "or".

  • Groups: This is a list of one or more groups coming from the authentication system that the user must be a member of. The first time you create a Groups entry, you must manually enter the values. Once entered, that selection will be available from the Groups list.

    See the Operation field to determine the behavior of the trigger if more than one group is specified in the trigger.

Attribute

The map is true or false based on a users attributes coming from the source system. See Authenticator map examples for information about using Attribute triggers.

When defining an attribute trigger, the authentication mapping expands to include the following selections:

  • Operation: This field includes conditional settings that trigger the handling of the rule based on the specified Attribute criteria. In version 2.6 this field indicates what will happen if the source system returns a list of attributes instead of a single value. For example, if the source system returns multiple emails for a user and Operation was set to and, all of the given emails must match the Comparison for the trigger to be True. If Operation was set to or, any of the returned emails will set the trigger to True if they match the Comparison in the trigger.

    Note

    If you want to experiment with multiple attribute maps you can do that through the API but the UI form will remove multi-attribute maps if the authenticator is saved through the UI. When adding multiple attributes to a map, the Operation will also apply to the attributes.

  • Attribute: The name of the attribute coming from the source system this trigger will be evaluated against. For example, if you wanted the trigger to fire based on the user’s surname and the last name field in the source system was called users_last_name you would enter the value "users_last_name" in this field.

  • Comparison: Tells the trigger how to evaluate the value of the users. Attribute in the source system compared to the Value specified on the trigger. Available options are: contains, matches, ends with, in, or equals. Below is a breakdown of each Comparison type:

    • contains: The specified character sequence in Value is contained within the attributes value returned from the source. For example, given an attribute value of "John" from the source the contains Comparison would set the trigger to True if the trigger Value was set to "Jo" and False if the trigger Value was "Joy".
    • matches: The Value on the trigger is treated as a python regular expression and does an Regular expression match (re.match) (with case ignore on) between the specified Value and the value returned from the source system. For example, if the trigger’s Value was "Jo" the trigger would return True if the value from the source was "John" or "Joanne" or any other value which matched the regular expression "Jo". The trigger would return False if the sources value for the attribute was "Dan" because "Dan" does not match the regular expression "Jo".
    • ends with: The trigger will see if the value provided by the source ends with the specified Value of the trigger. For example, if the source provided a value of "John" the trigger would be True if its Value was set to "n" or "on". The trigger would be False if its Value was set to "z" because the value "John" coming from the source does not end with the value "z" specified by the trigger.
    • equal: The trigger will see if the value provided by the source is equal to (in its entirety) the specified Value of the trigger. For example, if the source returned the value "John", the trigger would be True if its Value was set to "John". Any value other than "John" returned from the source would set this trigger to False.
    • in: The in condition checks if the value matches one of several values. When in is specified as the Comparison, the Value field can be a comma-separated list. For example, if a trigger had a Value of "John,Donna" the trigger would be True if the attribute coming from the source had either the value "John" or "Donna". Otherwise, the trigger would be False.

    • Value: The value that a users attribute will be matched against based on the Comparison field. See examples in the Comparison definition.

      Note

      If the Comparison type is in, this field can be a comma-separated list (without spaces).

2.7.4. Authenticator map examples
Copy link

Use the following examples to explore the different conditions, such as groups and attribute values you can implement to control user access to the platform.

Add users to an organization based on an attribute

In this example, you will add a user to the Networking organization if they have an Organization attribute with the value of Networking:

Add users to an organization mapping example fully annotated with callout numbers that correlate with the following list that describes the function of each field
  1. The Organization title of the page indicates that you are configuring settings permissions on an organization.
  2. Network Organization is entered in this field and is the unique, descriptive name for this map configuration.
  3. Attributes is selected from the Trigger list to configure authentication based on an attribute from the source system, which in this example is Organization.
  4. The operation is defined as or meaning that at least one condition must be true for authentication to succeed.
  5. The Attribute coming from the source system is Organization.
  6. The Comparison value is set to matches which means that when a user has the attribute Value of Networking, they are added to the Networking organization.
  7. The attribute Value coming from the source system is Networking.
  8. The name of the Organization to which you are adding members is Networking.
  9. Users are added to the Networking organization with the Organization Member role.

Add users to a team based on the users group

In this example, you will add user to the Apple team if they have either of the following groups: 

cn=administrators,ou=aap,ou=example,o=com

or 

cn=operators,ou=aap,ou=example,co=com
Add user to a team mapping example

Do not escalate privileges

In this example, you never escalate users to a superuser. But note, this rule does not revoke a user’s superuser permission because the revoke option is not set.

Do not escalate privileges mapping example

Escalate privileges based on a user having a group

In this example, you escalate user privileges to superuser if they belong to the following group: 

cn=administrators,ou=aap
Escalate privileges mapping example

Using mapping order to create exceptions

Since maps are executed in order, it is possible to create exceptions. Expanding on the previous example for Do not escalate privileges, you can add another rule with a higher order, such as, Escalate privileges.

The first rule (Do not escalate privileges) prevents any user from being escalated to a superuser, but the second rule (Escalate privileges) alters that decision to grant superuser privileges to a user if they are in the Administrators group.

Mapping order example

2.7.5. Allow mapping
Copy link

With allow mapping, you can control which users have access to the system by defining the conditions that must be met.

Procedure

  1. After configuring the authentication details for your authentication method, select the Mapping tab.
  2. Select Allow from the Add authentication mapping list.
  3. Enter a unique rule Name to identify the rule.
  4. Select a Trigger from the list. See Authenticator map triggers for more information about map triggers.
  5. Select Revoke to deny user access to the system when the trigger conditions are not matched.
  6. Click Next.

2.7.6. Organization mapping
Copy link

You can control which users are placed into which Ansible Automation Platform organizations based on attributes such as their username and email address or based on groups provided from an authenticator.

When organization mapping is positively evaluated, a specified organization is created, if it does not exist if the authenticator tied to the map is allowed to create objects.

Procedure

  1. After configuring the authentication details for your authentication method, select the Mapping tab.
  2. Select Organization from the Add authentication mapping list.
  3. Enter a unique rule Name to identify the rule.
  4. Select a Trigger from the list. See Authenticator map triggers for more information about map triggers.
  5. Select Revoke to remove the user’s access to the selected organization role when the trigger conditions are not matched.
  6. Select the Organization to which matching users are added or blocked.
  7. Select a Role to be applied or removed for matching users (for example, Organization Admin or Organization Member).
  8. Click Next.

2.7.7. Team mapping
Copy link

Team mapping is the mapping of team members (users) from authenticators.

You can define the options for each team’s membership. For each team, you can specify which users are automatically added as members of the team and also which users can administer the team.

You can specify Team mappings separately for each account authentication.

When Team mapping is positively evaluated, a specified team and its organization are created, if they do not exist if the related authenticator is allowed to create objects.

Important

When configuring team mappings with an Attribute trigger, use the or operation. The and operation requires every single value in a list to match the comparison criteria for the trigger to be successful. This is rarely the intended behavior, as you typically want a match on at least one value in the list.

Procedure

  1. After configuring the authentication details for your authentication method, select the Mapping tab.
  2. Select Team from the Add authentication mapping list.
  3. Enter a unique rule Name to identify the rule.
  4. Select a Trigger from the list. See Authenticator map triggers for more information about map triggers.
  5. Select Revoke to remove the user’s access to the selected organization role and deny user access to the system when the trigger conditions are not matched.
  6. Select the Team and Organization to which matching users are added or blocked.
  7. Select a Role to be applied or removed for matching users (for example, Team Admin or Team Member).
  8. Click Next.

2.7.8. Role mapping
Copy link

Role mapping is the mapping of a user either to a global role, such as Platform Auditor, or team or organization role.

When a Team or Organization is specified together with the appropriate Role, the behavior is the same with Organization mapping or Team mapping.

You can specify role mapping separately for each account authentication.

Procedure

  1. After configuring the authentication details for your authentication method, select the Mapping tab.
  2. Select Role from the Add authentication mapping list.
  3. Enter a unique rule Name to identify the rule.
  4. Select a Trigger from the list. See Authenticator map triggers for more information about map triggers.
  5. Select Revoke to remove the role for the user when none of the trigger conditions are matched.
  6. Select a Role to be applied or removed for matching users.
  7. Click Next.

2.7.9. Superuser mapping
Copy link

Superuser mapping is the mapping of a user to the superuser role, such as System Administrator.

Procedure

  1. After configuring the authentication details for your authentication method, select the Mapping tab.
  2. Select Superuser from the Add authentication mapping list.
  3. Enter a unique rule Name to identify the rule.
  4. Select a Trigger from the list. See Authenticator map triggers for more information about map triggers.
  5. Select Revoke to remove the superuser role from the user when none of the trigger conditions are matched.
  6. Click Next.

2.7.10. Reviewing authenticator map results
Copy link

Platform administrators can review authenticator map evaluation results through the user API endpoint.

The results show how the maps are processed during the user’s login: 

api/gateway/v1/users/X

Platform gateway supports a Jinja-like templating syntax in authenticator maps to dynamically assign users to organizations, teams, and roles. The syntax that can be used in a map is {% for_attr_value(<attribute_name>) %}. This causes platform gateway to iterate over attribute values from an external provider, creating a separate mapping for each value.

Example 1: Single attribute

An Organization authenticator map is created with the following configuration:

  • Organization field: Enter Org {% for_attr_value(users_orgs) %}.
  • Attribute value: Enter users_orgs.
  • External data received: ["Database", "Networking"] (The attribute values returned by the Identity Provider)

This results in the authenticator map being evaluated twice, once for Org Database and once for Org Networking.

Example 2: Multiple attributes

Additionally, you can also use this syntax more than once in a single attribute map. For example, having a syntax like Organization {% for\_attr\_value(org) %} \- Department {% for attr\_value(dept) %} with attributes org having the values a and b and dept having the values Y and Z results in the map being run 4 times with the values:

  • Organization a \- Department Y
  • Organization a \- Department Z
  • Organization b \- Department Y
  • Organization b \- Department Z

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. Select your authenticator from the list.
  3. Select the Mapping tab and click Create mapping.
  4. In Authentication mapping, choose the appropriate mapping type: Organization, Team, or Role.
  5. In the Trigger field, select Attributes.

  6. In the corresponding field, such as the Organization field for an Organization map, enter the Jinja-like syntax to dynamically generate the name.

    • For example, to create an organization name based on an attribute called users_orgs, enter Org {% for_attr_value(users_orgs) %}.
  7. In the Attribute field, specify the name of the attribute from your external provider that has values you want to loop through, such as users_orgs.
  8. Complete any other required fields for the mapping, see Authenticator map triggers for more information.

  9. Click Create mapping. Platform gateway uses this template to create and manage user assignments based on the values of the specified attribute.

    Note

    The system raises a validation error if the templating syntax is mistyped and the new authenticator map is not created. During an authentication, if the external provider does not provide the specified attribute or the user does not have values associated with the attribute specified by the Jinja syntax the map is triggered and a message indicating why is put into the platform gateway logs.

After you have configured your authentication settings, you can view a list of authenticators, search, sort and view the details for each authenticator configured on the system.

2.8.1. Authentication list view
Copy link

On the Authentication Methods page, you can view and manage the configured authentication methods for your organization.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.

    The Authentication Methods page is displayed.

  2. Click Create authentication and follow the steps for creating an authentication method in Configuring an authentication type. Otherwise, proceed to step 3.
  3. From the menu bar, you can sort the list of authentication methods by using the arrows in the menu bar for Order, Name and Authentication type.
  4. Click the toggles to Enable or Disable authenticators.

2.8.2. Searching for an authenticator
Copy link

You can search for a previously configured authenticator from the Authentication list view.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. In the search bar, enter an appropriate keyword for the authentication method you want to search for and click the arrow icon.
  3. If you do not find what you are looking for, you can narrow your search. From the filter list, select Name or Authentication type depending on the search term you want to use.
  4. Scroll through the list of search results and select the authenticator you want to review.

2.8.3. Displaying authenticator details
Copy link

After you locate the authenticator you want to review, you can display the configuration details:

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.

  2. In the list view, select the authenticator name displayed in the Name column.

    The authenticator Details page is displayed.

  3. From the Details page, you can review the configuration settings applied to the authenticator.

2.8.4. Editing an authenticator
Copy link

You can change the settings of previously configured authenticators from the Authentication list view.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.

  2. In the list view, you can either:

    1. Select the Edit Edit icon next to authenticator you want to modify, or
    2. Select the authenticator name displayed in the Name column and click Edit authenticator from the Details page.
  3. Change the authentication details or mapping configurations as required.
  4. Click Save.

2.8.5. Deleting an authenticator
Copy link

You can change the settings of previously configured authenticators from the Authentication list view.

Procedure

  1. From the navigation panel, select Access ManagementAuthentication Methods.
  2. In the list view, select the checkbox next to the authenticator you want to delete.

  3. Select Delete authentication from the list.

    Note

    You can delete many authenticators by selecting the checkbox next to each authenticator you want to remove, and clicking Delete selected authentication from the list on the menu bar.

In a Google Cloud Platform (GCP) environment, a high volume of traffic can lead to authentication and performance issues because of the low default port limit set on the GCP Cloud NAT gateway. While this configuration affects all GCP deployments, the highest risk for hitting this limit occurs when Ansible Automation Platform is deployed on OpenShift (version 4.17 and above).

The default setting for the Cloud NAT gateway’s Minimum ports per VM instance in OpenShift installations on GCP (version 4.17 and above) is 64. This low port limit can be quickly exhausted when platform gateway handles concurrent external network connections, such as Single Sign-On (SSO) requests. When the limit is reached, it prevents new outgoing connections, causing authentication failures or severe performance degradation.

2.8.6.1. Increasing the minimum ports
Copy link

To address this limitation, manually increase the Minimum ports per VM instance setting for the Cloud NAT gateway associated with the worker nodes.

Use the Google Cloud Console to apply this workaround.

Procedure

  1. Go to the Cloud NAT service.
  2. Locate and select the NAT gateway configured for your OpenShift cluster’s worker nodes.

  3. Increase the default value of 64 for the Minimum ports per VM instance setting to a higher value to accommodate your anticipated traffic volume.

    Increasing this limit ensures enough available ports for external communication, reducing the likelihood of performance issues during high-volume authentication and external communication tasks.

Token-based authentication permits authentication of third-party tools and services with the platform through integrated OAuth 2 token support. Ansible Automation Platform utilizes both OAuth Tokens and Personal Access Tokens (PATs).

OAuth Tokens
OAuth Tokens are tied to specific applications and allow applications to access data without disclosing user login information.
Personal Access Tokens
PATs are personal to a user and not tied to a specific application. They are created directly by a user for their own use.

The default expiration for access tokens has been updated from 1000 years to 1 year. This change ensures frequent token rotation for increased credential security.

Note

Access tokens in controller 2.4 and previous versions of the platform gateway were valid for 1000 years. Any existing tokens created before the 2.5.20250604 patch release will retain a 1000 year expiration.

You can customize this setting to meet your specific requirements by modifying the expiration time in your settings.py file as follows: 

OAUTH2_PROVIDER__ACCESS_TOKEN_EXPIRE_SECONDS = 31536000

For more information about the settings.py file and how it can be used to configure aspects of the platform, see settings.py in Operating Ansible Automation Platform.

For more information about the OAuth2 specification, see The OAuth 2.0 Authorization Framework.

For more information about using the manage utility to create tokens, see Token and session management.

3.1. Manage OAuth applications
Copy link

Create and configure token-based authentication for external applications such as ServiceNow and Jenkins. With token-based authentication, external applications can easily integrate with Ansible Automation Platform.

Important

Automation controller OAuth applications on the platform UI are not supported for 2.4 to 2.5 migration. See this Knowledgebase article for more information.

As a platform administrator, you can configure a custom external application URL within the platform, providing seamless integration with external services. This functionality is currently available as a Technology Preview. Once configured, the external application URL is displayed in the platform UI navigation panel, providing users with easy access to the application. This feature streamlines workflows by ensuring quick access to external services from within the platform UI.

Note

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

With OAuth 2 you can use tokens to share data with an application without disclosing login information. You can configure these tokens as read-only.

You can create an application that is representative of the external application you are integrating with, then use it to create tokens for the application to use on behalf of its users.

Associate these tokens with an application resource to manage all tokens issued for a particular application. By separating the issue of tokens under OAuth Applications, you can revoke all tokens based on the application without having to revoke all tokens in the system.

3.1.1. Getting started with OAuth Applications
Copy link

You can access the OAuth Applications page from the navigation panel by selecting Access ManagementOAuth Applications. From there you can view, create, sort and search for applications currently managed by Ansible Automation Platform and automation controller.

If no applications exist, you can create one by clicking Create OAuth application.

Access rules for applications are as follows:

  • Platform administrators can view and manipulate all applications in the system.
  • Platform auditors can only view applications in the system.
  • Tokens are resources used to authenticate incoming requests and mask the permissions of the underlying user.

Access rules for tokens are as follows:

  • Users can create personal access tokens for themselves.
  • Platform administrators are able to view and manipulate every token in the system.
  • Platform auditors can only view tokens in the system.
  • Other normal users are only able to view and manipulate their own tokens.
Note

Users can only view the token or refresh the token value at the time of creation.

3.1.1.1. Application functions
Copy link

Several OAuth 2 utilities are available for authorization, token refresh, and revoke. You can specify the following grant types when creating an application:

Password
This grant type is ideal for users who have native access to the web application and must be used when the client is the resource owner.
Authorization code
This grant type should be used when access tokens must be issued directly to an external application or service.
Note

You can only use the authorization code type to acquire an access token when using an application. When integrating an external web application with Ansible Automation Platform, that web application might need to create OAuth2 tokens on behalf of users in that other web application. Creating an application in the platform with the authorization code grant type is the preferred way to do this because:

  • This allows an external application to obtain a token from Ansible Automation Platform for a user, using their credentials.
  • Compartmentalized tokens issued for a particular application enables those tokens to be easily managed. For example, revoking all tokens associated with that application without having to revoke all tokens in the system.

The default expiration for access tokens is 1 year.

The best way to set up application integrations by using the Authorization code grant type is to allowlist the origins for those cross-site requests. More generally, you must allowlist the service or application you are integrating with the platform, for which you want to provide access tokens.

To do this, have your administrator add this allowlist to their local Ansible Automation Platform settings file: 

CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOWED_ORIGIN_REGEXES = [
    r"http://django-oauth-toolkit.herokuapp.com*",
    r"http://www.example.com*"
]

Where http://django-oauth-toolkit.herokuapp.com and http://www.example.com are applications requiring tokens with which to access the platform.

During the upgrade from Ansible Automation Platform 2.4 to 2.6, there are important changes to how OAuth2 applications and tokens are managed. Ansible Automation Platform now uses platform gateway OAuth applications and deprecates automation controller OAuth applications.

  • Automation controller OAuth applications: You can view and edit existing automation controller applications, but new ones can no longer be created. These legacy applications continue to function, but they might be removed in a future release. Plan to migrate to platform gateway OAuth applications.
  • Automation controller tokens: Automation controller personal access tokens (PATs), are also deprecated. Guide users to move to platform gateway PATs.
  • Platform gateway OAuth applications and tokens: Platform applications and tokens offer an updated interface and are the standard for future use. Move to these applications and tokens.
3.1.1.3. Manage OAUTH2_PROVIDER settings
Copy link

The OAUTH2_PROVIDER settings from automation controller are managed by platform gateway after upgrading from 2.4. to 2.6. The default token expiration values might differ between automation controller and platform gateway.

  • The default access token expiration is updated from 1,000 years to 1 year. This change increases credential security through more frequent token rotation.

  • Platform gateway’s default OAUTH2_PROVIDER settings are: 

    {
  "ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000,
  "REFRESH_TOKEN_EXPIRE_SECONDS": 2628000,
  "AUTHORIZATION_CODE_EXPIRE_SECONDS": 600
}

    If you previously set a token expiration shorter than one year, you must manually update the platform gateway settings to match your required configuration.

3.1.2. Creating a new application
Copy link

When integrating an external web application with Ansible Automation Platform, the web application might need to create OAuth2 tokens on behalf of users of the web application.

Creating an application with the Authorization Code grant type is the preferred way to do this for the following reasons:

  • External applications can obtain a token for users, using their credentials.
  • Compartmentalized tokens issued for a particular application, enables those tokens to be easily managed. For example, revoking all tokens associated with that application.

Procedure

  1. From the navigation panel, select Access ManagementOAuth Applications.
  2. Click Create OAuth application. The Create Application page opens.

  3. Enter the following details:

    Name
    (required) Enter a name for the application you want to create.
    URL
    (optional) Enter the URL of the external application. This link is added to the navigation panel for easy access. This setting is currently offered as a Technology Preview only.
    Description
    (optional) Include a short description for your application.
    Organization
    (required) Select an organization with which this application is associated.
    Authorization grant type
    (required) Select one of the grant types to use for the user to get tokens for this application. For more information, see Application functions for more information about grant types.
    Client Type
    (required) Select the level of security of the client device.
    Redirect URIS
    Provide a list of allowed URIs, separated by spaces. You need this if you specified the grant type to be Authorization code.

  4. Click Create OAuth application, or click Cancel to abandon your changes.

    The Client ID and Client Secret display in a window. This will be the only time the client secret will be shown.

    Note

    The Client Secret is only created when the Client type is set to Confidential.

  5. Click the copy icon and save the client ID and client secret to integrate an external application with Ansible Automation Platform.

3.2. Adding tokens
Copy link

You can view a list of users that have tokens to access an application by selecting the Tokens tab in the OAuth Applications details page.

Note

You can only create OAuth 2 Tokens for your own user, which means you can only configure or view tokens from your own user profile.

When authentication tokens have been configured, you can select the application to which the token is associated and the level of access that the token has.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. Select the username for your user profile to configure OAuth 2 tokens.

  3. Select the Tokens tab.

    When no tokens are present, the Tokens screen prompts you to add them.

  4. Click Create token to open the Create Token window.

  5. Enter the following details:

    Application

    Enter the name of the application with which you want to associate your token. Alternatively, you can search for it by clicking Browse. This opens a separate window that enables you to choose from the available options. Select Name from the filter list to filter by name if the list is extensive.

    Note

    To create a Personal Access Token (PAT) that is not linked to any application, leave the Application field blank.

    Description
    (optional) Provide a short description for your token.
    Scope

    (required) Specify the level of access you want this token to have. The scope of an OAuth 2 token can be set as one of the following:

    • Write: Allows requests sent with this token to add, edit and delete resources in the system.
    • Read: Limits actions to read only. Note that the write scope includes read scope.

  6. Click Create token, or click Cancel to abandon your changes.

    The Token information is displayed with Token and Refresh Token information, and the expiration date of the token. This will be the only time the token and refresh token will be shown. You can view the token association and token information from the list view.

  7. Click the copy icon and save the token and refresh token for future use.

Verification

You can verify that the application now shows the user with the appropriate token by using the Tokens tab on the Applications details page.

  1. From the navigation panel, select Access ManagementOAuth Applications.
  2. Select the application you want to verify from the Applications list view.

  3. Select the Tokens tab.

    Your token should be displayed in the list of tokens associated with the application you chose.

3.2.1. Application token functions
Copy link

The refresh and revoke functions associated with tokens, for tokens at the /o/ endpoints can currently only be carried out with application tokens.

3.2.1.1. Refresh an existing access token
Copy link

The following example shows an existing access token with a refresh token provided: 

{
    "id": 35,
    "type": "access_token",
    ...
    "user": 1,
    "token": "omMFLk7UKpB36WN2Qma9H3gbwEBSOc",
    "refresh_token": "AL0NK9TTpv0qp54dGbC4VUZtsZ9r8z",
    "application": 6,
    "expires": "2017-12-06T03:46:17.087022Z",
    "scope": "read write"
}

The /o/token/ endpoint is used for refreshing the access token: 

curl -X POST \
    -d "grant_type=refresh_token&refresh_token=AL0NK9TTpv0qp54dGbC4VUZtsZ9r8z" \
    -u "gwSPoasWSdNkMDtBN3Hu2WYQpPWCO9SwUEsKK22l:fI6ZpfocHYBGfm1tP92r0yIgCyfRdDQt0Tos9L8a4fNsJjQQMwp9569eIaUBsaVDgt2eiwOGe0bg5m5vCSstClZmtdy359RVx2rQK5YlIWyPlrolpt2LEpVeKXWaiybo" \
    http://<gateway>/o/token/ -i

Where refresh_token is provided by refresh_token field of the preceding access token.

The authentication information is of format <client_id>:<client_secret>, where client_id and client_secret are the corresponding fields of the underlying related application of the access token.

Note

The special OAuth 2 endpoints only support using the x-www-form-urlencoded Content-type, so as a result, none of the /o/* endpoints accept application/json.

On success, a response displays in JSON format containing the new (refreshed) access token with the same scope information as the previous one: 

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 05 Dec 2017 17:54:06 GMT
Content-Type: application/json
Content-Length: 169
Connection: keep-alive
Content-Language: en
Vary: Accept-Language, Cookie
Pragma: no-cache
Cache-Control: no-store
Strict-Transport-Security: max-age=15768000

{"access_token": "NDInWxGJI4iZgqpsreujjbvzCfJqgR", "token_type": "Bearer", "expires_in": 315360000000, "refresh_token": "DqOrmz8bx3srlHkZNKmDpqA86bnQkT", "scope": "read write"}

The refresh operation replaces the existing token by deleting the original and then immediately creating a new token with the same scope and related application as the original one.

Verify that the new token is present and the old one is deleted in the api/gateway/v1/tokens/ endpoint.

3.2.1.2. Revoke an access token
Copy link

You can revoke an access token by deleting the token in the platform UI, or by using the /o/revoke-token/ endpoint.

Revoking an access token by this method is the same as deleting the token resource object, but it enables you to delete a token by providing its token value, and the associated client_id (and client_secret if the application is confidential). For example: 

curl -X POST -d "token=rQONsve372fQwuc2pn76k3IHDCYpi7" \
-u "gwSPoasWSdNkMDtBN3Hu2WYQpPWCO9SwUEsKK22l:fI6ZpfocHYBGfm1tP92r0yIgCyfRdDQt0Tos9L8a4fNsJjQQMwp9569eIaUBsaVDgt2eiwOGe0bg5m5vCSstClZmtdy359RVx2rQK5YlIWyPlrolpt2LEpVeKXWaiybo" \
http://<gateway>/o/revoke_token/ -i
Note
  • The special OAuth 2 endpoints only support using the x-www-form-urlencoded Content-type, so as a result, none of the /o/* endpoints accept application/json.
  • The Allow External Users to Create Oauth2 Tokens (ALLOW_OAUTH2_FOR_EXTERNAL_USERS in the API) setting is disabled by default. External users refer to users authenticated externally with a service such as LDAP, or any of the other SSO services. This setting ensures external users cannot create their own tokens. If you enable then disable it, any tokens created by external users in the meantime will still exist, and are not automatically revoked. This setting can be configured from the SettingsPlatform gateway menu.

You can also revoke OAuth2 tokens by using the manage utility, see Revoke oauth2 tokens.

On success, a response of 200 OK is displayed. Verify the deletion by checking whether the token is present in the api/gateway/v1/tokens/ endpoint.

3.2.2. Token and session management
Copy link

Ansible Automation Platform supports the following commands for OAuth2 token management:

3.2.2.1. create_oauth2_token
Copy link

Use the following command to create OAuth2 tokens (specify the username for example_user): 

$ aap-gateway-manage create_oauth2_token --user example_user

New OAuth2 token for example_user: j89ia8OO79te6IAZ97L7E8bMgXCON2

Ensure that you give a valid user when creating tokens. Otherwise, an error message that you attempted to issue the command without specifying a user, or supplied a username that does not exist, is displayed.

3.2.2.2. revoke_oauth2_tokens
Copy link

Use this command to revoke OAuth2 tokens, both application tokens and personal access tokens (PAT). It revokes all application tokens (but not their associated refresh tokens), and revokes all personal access tokens. However, you can also specify a user for whom to revoke all tokens.

To revoke all existing OAuth2 tokens use the following command: 

$ aap-gateway-manage revoke_oauth2_tokens

To revoke all OAuth2 tokens and their refresh tokens use the following command: 

$ aap-gateway-manage revoke_oauth2_tokens --revoke_refresh

To revoke all OAuth2 tokens for the user with id=example_user (specify the username for example_user): 

$ aap-gateway-manage revoke_oauth2_tokens --user example_user

To revoke all OAuth2 tokens and refresh token for the user with id=example_user: 

$ aap-gateway-manage revoke_oauth2_tokens --user example_user --revoke_refresh
3.2.2.3. cleartokens
Copy link

Use this command to clear tokens which have already been revoked.

For more information, see cleartokens in Django’s Oauth Toolkit documentation.

3.2.2.4. clearsessions
Copy link

Use this command to delete all sessions that have expired.

For more information, see Clearing the session store in Django’s Oauth Toolkit documentation.

For more information about OAuth2 token management in the UI, see the Applications.

3.2.3. Personal Access Token migration
Copy link

After upgrading to Ansible Automation Platform 2.6, Personal Access Tokens (PATs) from a 2.4 automation controller remain functional. They are visible in the platform gateway UI and you can use them with both automation controller and platform gateway APIs.

Managing automation controller tokens

After the upgrade, you can perform the following actions with your automation controller tokens:

  • Platform gateway UI: You can edit or delete the tokens, but you cannot create or refresh them.
  • Automation controller API: You can create, edit, delete, or refresh the tokens.

Tokens are labeled in the UI to indicate if they are automation controller only or platform gateway. Platform gateway tokens are unaffected by these requirements, other than being rendered in the UI with a platform type.

Red Hat Ansible Automation Platform is designed with a default security posture that prevents users authenticated through external providers, such as LDAP, SAML, or SSO, from creating OAuth2 tokens for programmatic API access. When an external user tries to generate such a token, the following message is displayed: 403: Forbidden' error with the message: '(access_denied) OAuth2 Tokens cannot be created by users associated with an external authentication provider.

This default behavior is a deliberate security measure. Ansible Automation Platform prioritizes centralized control over token generation, which encourages administrators to select the appropriate method for enabling OAuth 2.0 user token generation for external authentication providers.

It is important to understand that an OAuth2 token is created within Ansible Automation Platform, and Ansible Automation Platform itself manages its lifecycle, including its expiration. This lifecycle is independent of the user’s session with their external Identity Provider (IdP). For example, if a user generates an Ansible Automation Platform token and their account is later disabled in the external IdP, the Ansible Automation Platform token remains valid until it expires or is manually revoked. Being aware of this interaction is crucial for a secure configuration, as it highlights the need for compensating controls if you enable token creation for external users.

To enable external users to create OAuth2 tokens, change the appropriate setting in your Ansible Automation Platform environment. Ensure the implementation of compensating security controls after enabling this setting.

Procedure

  1. From the navigation panel, go to SettingsPlatform gateway.
  2. Click Edit platform gateway settings.
  3. Change the Allow external users to create OAuth2 tokens setting to Enabled.
  4. Click Save platform gateway settings.

Next steps

Implement the recommended security controls as described in Implementing security controls for external user OAuth2 tokens.

After enabling OAuth2 token creation for external users, implement the following compensating controls to keep a strong security posture.

Procedure

  • Limit token lifetime: Configure a shorter duration for OAuth2 tokens to reduce the window of exposure.

    • In your Ansible Automation Platform settings, adjust the OAUTH2_ACCESS_TOKEN_EXPIRE_SECONDS value. A value of 28800 (8 hours) is recommended, limiting token validity to a standard workday.

  • Enforce strict role-based access control (RBAC): Grant users only the minimum necessary permissions.

    • Assign users who create tokens to Teams with highly restrictive roles. Avoid granting broad permissions that could lead to privilege escalation.
  • Establish a clear offboarding process: Integrate token revocation into your organizational offboarding procedures. Your HR and IT offboarding processes must include a step for an Ansible Automation Platform administrator to revoke all active tokens for a departing user. Tokens can be manually revoked from the user’s profile under the Tokens tab.
  • Audit and monitor: Regularly review token-related activities for legitimacy in the Activity Stream.

Role-based access control (RBAC) restricts user access based on the user’s role within the organization they are assigned to in Ansible Automation Platform. The roles in RBAC refer to the levels of access that users have to Ansible Automation Platform components and resources.

You can control what users can do with the components of Ansible Automation Platform at a broad or granular level depending on your RBAC policy. You can choose whether the user is a system administrator or normal user and align roles and access permissions with their positions within the organization.

You can define roles with multiple permissions that can then be assigned to resources, teams, and users. The permissions that make up a role govern what the assigned role allows. Permissions are allocated with only the access needed for a user to perform the tasks appropriate for their role.

Important

When managing users, teams, and organizations, use the Unified UI or the platform gateway API to ensure real-time synchronization across all platform components, including Event-Driven Ansible controller. If you use the legacy automation controller API, changes can take up to 15 minutes to propagate to Event-Driven Ansible controller, which can result in authentication errors for new users or teams.

4.1. Organizations
Copy link

As an administrator, you can use organizations to organize groups of resources. Assigning a team or user to the organization gives the team or user access to the resources within the organization. This way, administrators no longer have to grant individual teams and users access to new resources as they become available; teams and users gain access to new resources when they are added to the organization.

After you have created an organization, Ansible Automation Platform displays the organization details. You can then manage resources such as access and execution environments for the organization.

Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and must not delete it.

4.1.1. Organizations list view
Copy link

The Organizations page displays the existing organizations for your installation. From here, you can search for a specific organization, filter the list of organizations, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. In the Search bar, enter an appropriate keyword for the organization you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of organizations by using the arrows for Name to toggle your sorting preference.
  4. You can also sort the list by selecting Name, Created or Last modified from the Sort list.
  5. You can view organization details by clicking an organization Name on the Organizations page.

4.1.2. Creating an organization
Copy link

Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and cannot delete it.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. Click Create organization.

  3. Enter the Name and give a Description for your organization.

    Note

    If automation controller is enabled on the platform, continue with Step 4. Otherwise, proceed to Step 6.

  4. Select the name of the Execution environment or search for one that members of this organization can use to run automation.
  5. Enter the name of the Instance Groups on which to run this organization.
  6. Optional: Enter the Galaxy credentials or search from a list of existing ones.

  7. Select the Max hosts for this organization. The default is 0. When this value is 0, it signifies no limit. If you try to add a host to an organization that has reached or exceeded its cap on hosts, an error message displays: 

    You have already reached the maximum number of 1 hosts allowed for your organization. Contact your System Administrator for assistance.
  8. Click Next.

  9. If you selected more than 1 instance group, you can manage the order by dragging and dropping the instance group up or down in the list and clicking Confirm.

    Note

    The execution precedence is determined by the order in which the instance groups are listed.

  10. Click Next and verify the organization settings.
  11. Click Finish.

4.1.3. Access to organizations
Copy link

You can manage access to an organization by selecting an organization from the Organizations list view and selecting the associated tabs for providing access to Users, Administrators or Teams.

4.1.3.1. Assigning a user to an organization
Copy link

You can give a user with access to an organization, and therefore the resources within the organization, by assigning them to the organization and managing the organization roles associated with the user.

You can view a list of users associated with an organization, along with the roles each user is directly assigned, in the organization’s Users tab. When you manage a user’s organization roles in the Users tab, you can also see how the user was assigned their roles, whether indirectly, through association with a team, or through direct user assignment by an administrator.

Note

If a user is assigned a "team member" role, this likely indicates that they have an indirectly-assigned role. To see a user’s indirectly-assigned roles, click the pencil icon Edit page to view and manage roles, and then click the link labeled View indirectly-assigned organization roles in the page banner.

To assign a user to an organization, the user must already exist. For more information, see Creating a user. To assign roles to a user, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. From the Organizations list view, select the organization to which you want to add a user.
  3. Click the Users tab, then click Assign Users to add users.
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as members.
  5. Click Next.

  6. Select the roles you want the selected user to have. Scroll down for a complete list of roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  7. Click Next to review the roles settings.

  8. Click Finish to apply the roles to the selected users, and to add them as members. The Add roles dialog displays the updated roles assigned for each user.

    Note

    A user with roles associated with an organization loses those roles if they are removed from the organization.

  9. To remove a particular user from the organization, select Remove user from the More Actions list next to the user. This launches a confirmation dialog, asking you to confirm the removal. Note that removing a user from an organization will also remove all organization roles that the user is indirectly assigned from that specific organization.

  10. To manage roles for users in an organization, click the icon next to the user and select Manage roles. You can manage organization roles that are directly assigned to a user by selecting or clearing the checkboxes. Double-check the component column to ensure you are selecting the desired role in the correct component context.

    Tip

    From this screen, you can view, but not manage, indirectly-assigned roles that a user has inherited from a team assignment. To view indirectly-assigned roles, along with the team assignment they originated from, click View indirectly-assigned organization roles link in the banner beneath the page heading. To manage roles indirectly assigned to a user through a team assignment, manage that team’s role assignments or remove the user from that team.

You can add administrators to an organization, which allows them to manage the membership and settings of the organization. For example, they can create new users and teams within the organization, and grant permission to users within the organization. To add an administrator to an organization, the user must already exist.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. From the Organizations list view, select the organization to which you want to add a user, administrator, or team.
  3. Click the Administrators tab.
  4. Click Add administrators.
  5. Select the users from the list by clicking the checkbox next to the name to assign the administrator role to them for this organization.
  6. Click Add administrators.

  7. To remove a particular administrator from the organization, select Remove administrator from the More actions ⋮ list next to the administrator name. This launches a confirmation dialog asking you to confirm the removal.

    Note

    If the user has been added as a member to this organization, they will continue to be a member of this organization. However, if they were added to the organization when the administrator assignment was made, they are removed from the organization.

4.1.3.3. Assigning a team to an organization
Copy link

You can give a team access to an organization, and to the resources within that organization, by assigning roles to the team in the organization’s Teams tab. All users who are part of a team assigned to the organization will inherit the team’s organization role assignments.

To assign roles to a team, the team must already exist in the organization. For more information, see Creating a team. To assign roles for a team, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. From the Organizations list view, select the organization to which you want to assign team access.
  3. Click the Teams tab. If no teams exist, click Create team to create a team and assign it to this organization.
  4. Click Assign roles.

  5. Select the roles you want the selected team to have. Scroll down for a complete list of roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  6. Click Next to review the roles settings.
  7. Click Finish to apply the roles to the selected teams. The Assign roles dialog displays the updated roles assigned for each team.

  8. Click Close.

    Note

    A team with associated roles retains them if they are reassigned to another organization.

  9. To manage roles for teams in an organization, click the icon next to the user and select Manage roles.
4.1.3.4. Deleting an organization
Copy link

Before you can delete an organization, you must be an Organization administrator or System administrator. When you delete an organization, the organization, team, users and resources are permanently removed from Ansible Automation Platform.

Note

When you try to delete items that are used by other resources, a message is displayed warning you that the deletion might impact other resources and prompts you to confirm the deletion. Some screens contain items that are invalid or have been deleted previously, and will fail to run.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. Click the icon next to the organization you want removed and select Delete organization.

  3. Select the confirmation checkbox and click Delete organizations to proceed with the deletion. Otherwise, click Cancel.

    Note

    You can delete multiple organizations by selecting the checkbox next to each organization you want to remove, and selecting Delete selected organizations from the More actions ⋮ list on the menu bar.

4.1.4. Working with notifiers
Copy link

When automation controller is enabled on the platform, you can review any notifier integrations you have set up and manage their settings within the organization resource.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. From the Organizations list view, select the organization whose notifications you want to manage.
  3. Select the Notification tab.
  4. Use the toggles to enable or disable the notifications to use with your particular organization. For more information, see Enable and disable notifications.
  5. If no notifiers have been set up, select Automation ExecutionAdministrationNotifiers from the navigation panel.

Additional resources

4.1.5. Working with execution environments
Copy link

When automation controller is enabled on the platform, you can review any execution environments you have set up and manage their settings within the organization resource.

For more information about execution environments, see Execution environments in the Using automation execution guide.

Procedure

  1. From the navigation panel, select Access ManagementOrganizations.
  2. From the Organizations list view, select the organization whose execution environments you want to manage.
  3. Select the Execution Environments tab.
  4. If no execution environments are available, click Create execution environment to create one. Alternatively, you can create an execution environment from the navigation panel by selecting Automation ExecutionInfrastructureExecution Environments.

  5. Click Create execution environment.

    Note

    After creating a new execution environments, return to Access ManagementOrganizations and select the organization in which you created the execution environment to update the list on that tab.

  6. Select the execution environments to use with your particular organization.

4.2. Teams
Copy link

As an administrator, you can use teams to bulk-assign roles to users that need to share the same access.

A team is a subdivision of an organization that groups users and roles together for specific resources. Teams offer a means to implement role-based access control schemes and delegate responsibilities across organizations by allowing you to grant access to users in bulk. For example, you can grant resource access to a team, and therefore to all the users in the team, rather than granting access to each individual user on the team.

You can create as many teams as needed for your organization. Teams can only be assigned to one organization while an organization can be made up of multiple teams. Each team can be assigned roles, the same way roles are assigned for users. Teams can also scalably assign ownership for credentials, preventing multiple interface click-throughs to assign the same credentials to the same user.

4.2.1. Teams list view
Copy link

The Teams page displays the existing teams for your installation. From here, you can search for a specific team, filter the list of teams by team name or organization, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. In the Search bar, enter an appropriate keyword for the team you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of teams by using the arrows for Name and Organization to toggle your sorting preference.
  4. You can view team details by clicking a team Name on the Teams page.
  5. You can view organization details by clicking the link in the Organization column.

4.2.2. Creating a team
Copy link

You can create new teams, assign an organization to the team, and manage the users and administrators assigned to each team. Users on a team inherit the permissions and roles assigned to the team. To assign a user or administrator to a team, the user must have already been created. See Assigning users to a team or Assigning administrators to a team for more information.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Click Create team.
  3. Enter a Name and optionally give a Description for the team.

  4. Select an Organization to be associated with this team.

    Note

    Each team can only be assigned to one organization.

  5. Click Create team. The Details page opens, where you can review and edit your team information and access.

4.2.3. Assigning users to a team
Copy link

To assign a user to a team, the user must already have been created. For more information, see Creating a user. Assigning a user to a team adds them as a member only. Use the Roles tab to assign a role that gives users on the team resource access.

New user memberships to a team must be added at the platform level.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Select the team to which you want to add users.
  3. Select the Users tab.
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as members of this team.
  5. Click Add users.

4.2.4. Removing users from a team
Copy link

You can remove a user from a team from the Team list view.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Select the team from which you want to remove users.
  3. Select the Users tab.
  4. Click the Remove user icon next to the user you want to remove as a member of the team.

  5. You can delete multiple users by selecting the checkbox next to each user you want to remove, and selecting Remove selected users from the More actions ⋮ list.

    Note

    If the user is a Team administrator, you can remove their membership to the team from the Administrators tab.

  6. A confirmation dialog asking you to confirm the removal will appear. Confirm the removal. Note that removing a user from a team removes all of that team’s role assignments from the user.

4.2.5. Assigning administrators to a team
Copy link

You can assign administrators to a team, which allows them to manage the membership and settings of that team. For example, they can create new users and grant permission to users within the team. To assign an administrator to a team, the administrator must already have been created. For more information, see Creating a user.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Select the team to which you want to add an administrator.
  3. Select the Administrators tab and click Add administrator(s).
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as administrators of this team.
  5. Click Add administrators.

4.2.6. Assigning roles to a team
Copy link

You can grant a team granular access to specific resources such as inventories, projects, and job templates by assigning the team roles associated with those particular resources. You can also set permissions at the level of the organization from the Organizations view.

Note

Teams cannot be assigned to an organization through role assignment, nor can teams be assigned organization roles from the Teams view. Refer to the steps provided in Adding a team to an organization for detailed instructions on assigning a team to an organization.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Select the team Name to which you want to add roles.

  3. Select the Roles tab and click Add roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  4. Select a Resource type and click Next.
  5. Select the resources that you want to give the team role-based access to and click Next.

  6. Select the roles to apply to the resources and click Next.

    Tip

    If you are selecting more than one role in this step, consider creating a custom role that includes all the permissions for this resource type to give the team the correct access.

  7. Review the settings and click Finish.
  8. The Add roles dialog displays indicating whether the role assignments were successfully applied. Click Close to close the dialog.

4.2.7. Removing roles from a team
Copy link

You can remove roles individually or in bulk.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. Select the team Name from which you want to remove roles.
  3. Select the Roles tab.

  4. To remove a single role, click the minus icon next to the resource and confirm removal on the dialog that is displayed.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  5. To remove roles in bulk, select the checkbox next to each resource you want to remove and click Delete selected roles from the More Actions list on the menu bar, then confirm removal and click Delete role.

4.2.8. Deleting a team
Copy link

Before you can delete a team, you must have team permissions. When you delete a team, the roles that users inherited from that team are revoked.

Procedure

  1. From the navigation panel, select Access ManagementTeams.
  2. To remove a single team, click the minus icon - next to the team and confirm removal on the dialog that is displayed.
  3. To remove teams in bulk, select the checkbox next to each team that you want to remove, then click the More Actions icon and select Delete team.

4.3. Users
Copy link

A user is an individual or entity that can log in to the platform and perform tasks. Users are fundamental units to which roles can be assigned, either directly by an administrator or indirectly through a team.

Note

Ansible Automation Platform automatically creates a default system admin user so they can log in and set up Ansible Automation Platform for their organization. This user cannot be deleted or modified.

You can sort or search the User list by Username, First name, Last name, or Email. Click the arrows in the header to toggle your sorting preference. You can view User type and Email beside the user name on the Users page.

4.3.1. Users list view
Copy link

The Users page displays the existing users for your installation. From here, you can search for a specific user, filter the list of users, or change the sort order for the list.

When user accounts have been migrated to Ansible Automation Platform 2.6 during the upgrade process, these accounts are also displayed in the Users list view. You can see whether these users have administrator privileges by editing the account. See Editing a user for instructions.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. In the Search bar, enter an appropriate keyword for the user you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of users by using the arrows for Username, Email, First name, Last name or Last login to toggle your sorting preference.
  4. You can view user details by selecting a Username from the Users list view.

4.3.2. Creating a user
Copy link

You can create three types of users in Ansible Automation Platform:

Normal user
Normal users have read and write access limited to the resources (such as inventory, projects, and job templates) for which that user has been granted the appropriate roles and privileges. Normal users are the default type of user when no other User type is specified.
Ansible Automation Platform Administrator
An administrator (also known as a Superuser) has full system administration privileges, with full read and write privileges over the entire installation. An administrator is typically responsible for managing all aspects of and delegating responsibilities for day-to-day work to various users.
Ansible Automation Platform Auditor
Auditors have read-only capability for all objects within the environment.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. Click Create user.
  3. Enter the details about your new user in the fields on the Create user page. Fields marked with an asterisk (*) are required.

  4. Normal users are the default when no User type is specified. To define a user as an administrator or auditor, select a User type from the drop-down menu.

    Note

    If you are modifying your own password, log out and log back in for the change to take effect.

  5. Select the Organization to be assigned for this user. For information about creating a new organization, see Creating an organization.

  6. Click Create user.

    When the user is successfully created, the User details screen opens. From here, you can review and change the user’s teams, roles, tokens and other membership details.

    Note

    If the user is not newly-created, the details screen displays the user’s last login activity.

Next steps

If you log in as yourself, and view the details of your user profile, you can manage tokens from your user profile by selecting the Tokens tab. For more information, see Adding a token.

4.3.3. Editing a user
Copy link

You can change the properties of a user account after it is created.

To see whether a user had service level auditor privileges, you must refer to the API.

Note

After upgrading to 2.6, users previously designated as automation controller administrators are labeled as platform administrators in the User type column in the Users list view. Automation hub administrators are labeled as Normal in the User Type column.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. Click the Pencil Edit page icon next to the user you want to edit and select Edit user.
  3. The Edit user page is displayed where you can change user details such as Password, Email, User type, and Organization.
  4. After your changes are complete, click Save user.

4.3.4. Deleting a user
Copy link

Before you can delete a user, you must have normal user or system administrator permissions. When you delete a user account, the name and email of the user are permanently removed from Ansible Automation Platform.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. To delete a single user, select the More Actions icon next to the user you want to remove and select Delete user.
  3. To bulk delete users, select the checkbox next to each user you want to remove, and then from the More Actions list, click Delete users.

4.3.5. Assigning roles to a user
Copy link

You can grant users granular access to specific resources such as inventories, projects, or job templates by assigning users roles.

You can view and manage roles that were assigned directly to a user by an administrator in the user’s Roles tab.

You can view roles that a user inherited from a team assignment in the View indirectly assigned roles link in the page banner. You cannot directly manage an indirectly-assigned role. You can only manage indirectly-assigned roles by editing the team’s role assignments, or by removing the user from the team.

Note

Users cannot be assigned to an organization through role assignment, nor can you assign users organization roles from this screen. Refer to the steps provided in Adding a user to an organization for detailed instructions on assigning a user to an organization.

Roles are labeled with their associated Ansible Automation Platform component and function. These components align with Ansible Automation Platform services and the side navigation structure in the user interface. Component labels can be understood as follows:

  • Automation Execution refers to automation controller
  • Automation Decisions refers to Event-Driven Ansible
  • Automation Content refers to automation hub

When assigning roles, ensure that you are selecting the required resource in the correct component context, because resources such as projects and credentials can be associated with both Automation Execution and Automation Decisions.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. From the Users list view, click the user to which you want to add roles.
  3. Select the Roles tab to display the set of roles assigned to this user. These provide the ability to read, change, and administer resources.

  4. To add new roles, click Add roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  5. Select a Resource type and click Next.
  6. Select the resources that you want to give role-based access to and click Next.

  7. Select the roles that will be applied to the resources and click Next.

    Tip

    If you are selecting more than one role, consider creating a custom role that includes all the permissions for this resource type so you can give your users the appropriate level of access.

  8. Review the settings and click Finish. The Add roles dialog displays indicating whether the role assignments were successfully applied. Click Close to close the dialog.

4.3.6. Removing roles from a user
Copy link

You can remove a user’s roles by editing the user information in the Roles tab.

Procedure

  1. From the navigation panel, select Access ManagementUsers.
  2. Select the user name whose role access you want to remove.

  3. Select the Roles tab.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  4. To remove a single role, click the - icon next to the role and confirm removal on the dialog that is displayed.
  5. To remove multiple roles, select the checkbox next to each role you want to remove and click Remove selected roles from the More actions ⋮ list on the menu bar. On the dialog that is displayed, confirm removal of the selected roles and click Remove role.

4.4. Resources
Copy link

You can manage user access to Ansible Automation Platform resources and what users can do with those resources. Users are granted access through the roles they are directly assigned by an administrator, or through roles inherited from a team assignment. Ansible Automation Platform resources differ depending on the functionality you are configuring. For example, resources can be job templates and projects for automation execution or decision environments and rulebook activations for automation decisions.

4.4.1. Providing team access to a resource
Copy link

You can grant users access based on their team membership. When you add a user as a member of a team, they inherit access to the roles and resources defined for that team.

Note

Direct team access cannot be granted to Automation ContentRemote Registries resources.

Procedure

  1. From the navigation panel, click the name of the resource that you want to give a team access to. For example, Automation ExecutionTemplates.
  2. On the details page, select the Team Access tab.
  3. Click Assign Teams.
  4. Click the checkbox beside the team to assign that team access to your chosen resource and click Next.
  5. Select the roles you want applied to the team for the chosen resource and click Next.
  6. Review the settings and click Finish. The Assign Teams dialog displays indicating whether the role assignments were successfully applied.
  7. You can remove resource access for a team by selecting the Remove team icon next to the team. This launches a confirmation dialog, asking you to confirm the removal.

4.4.2. Providing direct user access to a resource
Copy link

You can directly grant users access to resources, and edit their access after it has been granted.

Note

Direct user access cannot be granted to Automation ContentRemote Registries resources.

Procedure

  1. From the navigation panel, select a resource that you want to give a team access to. For example, Automation ExecutionTemplates.
  2. Select the User access tab.
  3. Click Assign users.
  4. Click the checkbox beside the user to assign that user to your chosen resource and click Next.
  5. Select the roles you want applied to the user for the chosen resource and click Next.
  6. Review the settings and click Finish. The Assign Roles dialog displays indicating whether the role assignments were successfully applied.
  7. You can edit a user’s access to a resource from the User Access tab by clicking the pencil icon Edit page next to the user’s name and adding or removing directly-assigned roles.
  8. You can remove resource access for a user by selecting the Remove role icon next to the user. This launches a confirmation dialog asking you to confirm the removal.

Chapter 5. Roles
Copy link

A role is a group of permissions for specific Red Hat Ansible Automation Platform resources. These permissions govern actions such as viewing, changing, using, executing, or deleting resources such as projects, inventories, credentials, and job templates. When you assign a role to a team or user you are granting them access to manage defined resources within the platform.

Roles define permissions for a specific resource, centralizing all access to that resource through the role itself. This design makes roles reusable units that enable administrators to share defined behaviors among many resources or with different users.

As an administrator, you have the option of using default predefined roles, or you can create roles based on your organization’s needs.

5.1. Displaying roles
Copy link

You can display the roles assigned to each component resource from the Access Management menu.

Roles are labeled with their associated Ansible Automation Platform component and function. These components align with Ansible Automation Platform services and the side navigation structure in the user interface. Component labels can be understood as follows:

  • Automation Execution refers to automation controller
  • Automation Decisions refers to Event-Driven Ansible
  • Automation Content refers to automation hub

Roles created at the level of the organization can be associated with multiple components because they group together permissions from automation controller (Automation Execution) and Event-Driven Ansible (Automation Decisions). Only organization roles can span multiple components.

A similar role entity for Automation Content is a "system" role, which gives access to all of the specified resource types in Automation Content.

Procedure

  1. From the navigation panel, select Access ManagementRoles.
  2. From the table header, you can sort the list of roles by using the arrows for Name, Description, Component, Resource Type, and Role Creation, or by making sort selections in the Sort list.
  3. You can filter the list of roles by selecting Name, Editable, or Component from the filter list and clicking the arrow.

5.2. Creating a role
Copy link

Ansible Automation Platform services provide a set of predefined roles with permissions enough for standard automation tasks. It is also possible to configure custom roles that define access permissions to a resource.

If the default predefined roles for a resource type do not give the necessary permissions, you can create custom roles for an organization. Creating a custom role reduces complexity by consolidating all required permissions into a single assignment per resource or resource type, eliminating the need to assign multiple roles to a user or team.

Procedure

  1. From the navigation panel, select Access ManagementRoles.
  2. Click Create role.
  3. Provide a Name and a short Description for the role. The name and description should be unique and specific to the role’s intended use and permissions to give context when assigning the role.
  4. Select a Resource Type. Ensure that you are selecting the required resource in the correct component context, because resources such as projects and credentials can be associated with both Automation Execution and Automation Decisions.
  5. Select the Permissions you want assigned to this role from the drop-down menu.
  6. Click Create role to create your new role.

5.3. Editing a role
Copy link

Default roles are predefined in the platform and cannot be changed; however, you can modify custom roles from the Roles list view. The Role Creation column in the Roles list view indicates whether a role is a default role that cannot be changed, or a custom role that can be modified.

Procedure

  1. From the navigation panel, select Access ManagementRoles.
  2. Click the Edit role icon Edit next to the role you want and modify the role settings as needed.
  3. Click Save role to save your changes.

5.4. Deleting a role
Copy link

You cannot delete default roles; however, you can delete custom roles from the Roles list view.

Procedure

  1. From the navigation panel, select Access ManagementRoles.
  2. Click the More Actions icon next to the role you want and select Delete role.
  3. To delete roles in bulk, select the roles you want to delete from the Roles list view, click the More Actions icon , and select Delete roles.

You can configure Ansible Automation Platform from the Settings menu by using the following selections:

  • Subscriptions
  • Platform gateway
  • User Preferences
  • Troubleshooting
Note

The other selections available from the Settings menu are specific to automation execution. For more information, refer to the Configuring automation execution guide.

6.1. Configuring subscriptions
Copy link

You can use the Subscription menu to view the details of your subscription, such as compliance, host-related statistics, or expiry, or you can apply a new subscription.

Ansible subscriptions require a service account from console.redhat.com. You must create a service account and use the client ID and client secret to activate your subscription.

Note

If you enter your client ID and client secret but cannot locate your subscription, you might not have the correct permissions set on your service account. For more information and troubleshooting guidance for service accounts, see Configure Ansible Automation Platform to authenticate through service account credentials.

For Red Hat Satellite, input your Satellite username and Satellite password in the fields below.

Procedure

  1. From the navigation panel, select SettingsSubscription. The Subscription page is displayed.
  2. Click Edit subscription.
  3. You can either enter your service account or Satellite credentials, or attach a current subscription manifest in the Welcome page.
  4. Click Next and agree to the terms of the license agreement.
  5. Click Next to review the subscription settings.
  6. Click Finish to complete the configuration.

6.2. Platform gateway
Copy link

Platform gateway is the service that handles authentication and authorization for Ansible Automation Platform. It provides a single ingress into the Platform and serves the Platform’s user interface.

From the SettingsPlatform gateway menu, you can configure Platform gateway, Security, Session, Platform Security, Custom Login, and Other settings.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. To configure the options, click Edit platform gateway settings.

  4. You can configure the following platform gateway options:

    • Platform gateway proxy url: URL to the platform gateway proxy layer.
    • Platform gateway proxy url ignore cert: Ignore the certificate to the platform gateway proxy layer.
  5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

6.2.1. Configuring platform security
Copy link

From the Platform gateway settings page, you can configure platform security settings.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. To configure the options, click Edit.

  4. You can configure the following Security settings:

    • Allow system administrators to set insecure user passwords: Whether a superuser account can save an insecure password when editing any local user account.

    • Gateway basic auth enabled: Enable basic authentication to the platform gateway API.

      Turning this off prevents all basic authentication (local users), so customers need to make sure they have their alternative authentication mechanisms correctly configured before doing so.

      Turning it off with only local authentication configured also prevents all access to the UI.

      Gateway token name: The header name to push from the proxy to the backend service.

    • Gateway access token expiration: How long the access tokens are valid for.

    • Jwt private key: The private key used to encrypt the JWT tokens sent to backend services.

      This should be a private RSA key and one should be generated automatically on installation.

      Note

      Use caution when rotating the key as it will cause current sessions to fail until their JWT keys are reset.

    • (Read only) Jwt public key: The private key used to encrypt the JWT tokens sent to backend services.

      This should be a private RSA key and one should be generated automatically on installation.

      Note

      See other services' documentation on how they consume this key.

      Warning

      If this name is changed, backends must be updated to compensate.

      Social auth username is full email: Enabling this setting alerts social authentication to use the full email as username instead of the full name.

    • Csrf trusted origins: If the service is behind a reverse proxy or load balancer, use this setting to configure the schema://addresses from which the service should trust Origin header values.
  5. Click Save changes to save the changes or proceed to configure the other platform options available.

6.2.2. Configuring platform sessions
Copy link

From the Platform gateway settings page, you can configure platform session settings.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. To configure the options, click Edit platform gateway settings.
  4. Enter the time in seconds before a session expires in the Session cookie age field.
  5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

From the Platform gateway settings page, you can configure a password security policy.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. To configure the options, click Edit platform gateway settings.

  4. You can configure the following Password Security options:

    • Password minimum uppercase letters: How many uppercase characters need to be in a local password.
    • Password minimum length: The minimum length of a local password.
    • Password minimum numerical digits: How many numerical characters need to be in a local password.
    • Password minimum special characters: How many special characters need to be in a local password.
  5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

System administrators can encrypt the database password used by platform gateway and apply it directly to the configuration file, resolving issues related to the SECRET_KEY loading order.

Note

Platform gateway uses the Django framework, which requires the SECRET_KEY to be fully loaded into memory before the decryption function (ansible_encryption.decrypt_string()) is called. If the decryption call runs before the key is loaded, the process fails, preventing platform gateway from accessing the database.

Procedure

  1. Access the command line on the platform gateway node.

  2. Use the aap-gateway-manage shell_plus command to open an interactive Django shell: 

    aap-gateway-manage shell_plus

  3. Inside the shell, run the following commands to import the encryption library, set your password, and generate the encrypted string: 

    >>> from ansible_base.lib.utils.encryption import ansible_encryption
>>> value = 'your-database-password' # REPLACE with your actual password
>>> encrypted_value = ansible_encryption.encrypt_string(value)
>>> print(encrypted_value)
  4. Copy the entire output string starting with $encrypted$. This is your encrypted password.
  5. Exit the shell using quit().

  6. Open the platform gateway configuration file for editing: 

    vi /etc/ansible-automation-platform/gateway/settings.py
  7. Locate the section defining the DATABASES variable. You must insert the code to load the SECRET_KEY before the DATABASES dictionary is defined.

  8. Update the file to include the highlighted code, replacing only the placeholder text for the PASSWORD key with your copied encrypted string: 

    from ansible_base.lib.utils.encryption import ansible_encryption
from django.conf import settings

# ... other configuration settings ...

# The GATEWAY_SECRET_KEY_FILE is typically defined earlier in settings.
# The SECRET_KEY must be loaded before the decryption function is called.
with open(GATEWAY_SECRET_KEY_FILE, 'rb') as f:
    settings.SECRET_KEY = f.read().strip()

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'HOST': '10.0.108.77', # Example host, use your value
        # ... other database settings ...
        'PASSWORD':
        ansible_encryption.decrypt_string('$encrypted$UTF8$AESCBC$Z0FBQUFBQnBBNU...
        <YOUR_ENCRYPTED_STRING>...QWdPUHM9'),
        # ... other database settings ...
        'PORT': '5432', # Example port, use your value
    }
}
  9. Save and close the file.

  10. Restart platform gateway to load the new encrypted configuration: 

    sudo systemctl restart aap-gateway

Verification

Confirm that platform gateway starts without errors and that you can access the platform UI, which indicates a successful database connection.

6.2.5. Configuring additional platform options
Copy link

Configure extra settings in platform gateway, such as the JWT expiration buffer. Adjusting these options helps ensure continuous token validity and smooth communication between platform services.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. Click Edit platform gateway settings.

  4. You can configure the following Other settings:

    • Jwt expiration buffer in seconds: The number of seconds before a JWT token’s expiration to revoke from the cache.

      When authentication happens a JWT token is created for the user and that token is cached. When subsequent calls happen to services such as automation controller or Event-Driven Ansible, the token is taken from the cache and sent to the service. Both the token and the cache of the token have an expiration time. If the token expires while in the cache the authentication process attempts results in a 401 error (unauthorized). This setting gives Red Hat Ansible Automation Platform a buffer by removing the JWT token from the cache before the token expires. When a token is revoked from cache a new token with a new expiration is generated and cached for the user. As a result, expired tokens from the cache are never used. This setting defaults to 2 seconds. If you have a large latency between platform gateway and your services and observe 401 responses you must increase this setting to lower the number of 401 responses.

    • Status endpoint backend timeout seconds: Timeout (in seconds) for the status endpoint to wait when trying to connect to a backend.
    • Status endpoint backend verify: Specifies whether SSL/TLS certificates of the services are verified when calling individual nodes for statuses.
    • Resource client request timeout: The timeout (in seconds) before the resource client will drop requests after forming connections.
    • Request timeout: Specifies, in seconds, the length of time before the proxy will report a timeout and generate a 504.

    • Manage organization auth: Controls whether any organization administrator has the privileges to create and manage users and teams. You might want to disable this ability if you are using an LDAP or SAML integration.

      Important

      The MANAGE_ORGANIZATION_AUTH setting is moved to platform gateway during an upgrade from Ansible Automation Platform 2.4 to 2.6. However, the values are not automatically synchronized between platform gateway and automation controller after the migration. To prevent administrative issues, keep the MANAGE_ORGANIZATION_AUTH value consistent across both environments, especially if automation workflows run directly against automation controller.

    • Stream idle timeout: Timeout in seconds for idle streaming connections, for example, for the Red Hat Ansible Lightspeed chatbot. Stream is closed if no data is transmitted within this period.
    • Max stream duration: Maximum total duration in seconds for streaming connections, for example, for the Red Hat Ansible Lightspeed chatbot. Stream is closed after this time regardless of activity.
    • Aap deployment type: The deployment type for this Ansible Automation Platform instance.
  5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

6.2.6. Overlapping administrative settings
Copy link

Platform gateway acts as the centralized point for configuration management in Ansible Automation Platform. However, specific operational and administrative settings can exist on both platform gateway and component services, such as automation controller. To prevent issues, especially when workflows or scripts interact directly with the component API, you must manually keep these duplicate settings consistent between the component service and platform gateway.

Effective settings table

The following table clarifies the authoritative source for administrative settings that you can configure in both automation controller and platform gateway.

Expand
Setting name (UI text)API variable namePlatform gateway configuration locationAutomation controller configuration locationSynchronization requirement and notes

Organization Admins Can Manage Users and Teams

MANAGE_ORGANIZATION_AUTH

Settings > Platform gateway

Settings > Automation Execution > System

Keep a consistent value across both systems. The automation controller setting might be used by direct API workflows.

All Users Visible to Organization Admins

ORG_ADMINS_CAN_SEE_ALL_USERS

Settings > Platform gateway

Settings > Automation Execution > System

Keep a consistent value across both systems. Automation controller does not follow gateway settings for this variable; direct API workflows use the controller’s local value.

Allow External Users to Create OAuth2 Tokens

ALLOW_OAUTH2_FOR_EXTERNAL_USERS

Settings > Platform gateway

N/A

Platform gateway is authoritative. Configure this setting in the unified UI or through the gateway API.

To enable external users to create OAuth2 tokens, change the appropriate setting in your Ansible Automation Platform environment. Ensure the implementation of compensating security controls after enabling this setting.

Procedure

  1. From the navigation panel, go to SettingsPlatform gateway.
  2. Click Edit platform gateway settings.
  3. Change the Allow external users to create OAuth2 tokens setting to Enabled.
  4. Click Save platform gateway settings.

Next steps

Implement the recommended security controls as described in Implementing security controls for external user OAuth2 tokens.

6.2.8. Configuring miscellaneous options
Copy link

From the platform gateway settings page, you can configure options for Insights, subscriptions, and notifications.

Procedure

  1. From the navigation panel, select SettingsPlatform gateway.
  2. The Platform gateway settings page is displayed.
  3. To configure the options, click Edit platform gateway settings.

  4. You can configure the following options:

    • Insights tracking state: Enables the service to gather data on automation and send it to Automation Analytics.
    • Red Hat console URL: This setting is used to configure the upload URL for data collection for Automation Analytics.
    • Red Hat password: This password is used to send data to Automation Analytics.
    • Subscriptions password: This password is used to retrieve subscription and content information.
    • Automation analytics gather interval: The maximum number of items allowed on a list page.
    • Notification rss feed url: URL for RSS feeds from which to load user notifications.
    • Notifications rss feed enabled: Enable or disable user notifications

Platform gateway serves as the single entry point for Ansible Automation Platform, unifying the user interface and routing all API traffic to services such as automation controller, Event-Driven Ansible, and automation hub.

The OpenAPI specification provides a standardized, machine-readable definition of the unified API endpoints available through platform gateway. It is essential for external developers and automation engineers building reliable custom integrations.

Key roles of the specification

The OpenAPI specification ensures successful integration by fulfilling the following roles:

  • Enables custom integrations: Developers use the specification to understand endpoint structures, required parameters, and response schemas, which is needed for building custom applications and third-party tools.
  • Ensures API longevity: Integration with the platform gateway API future-proofs custom applications against disruptions that might occur when legacy, direct-access component APIs are retired.

  • Defines core functions: The specification details endpoints that support fundamental operational and administrative functions, including:

    • Platform health, such as /api/gateway/v1/status/.
    • Activity monitoring, such as /api/gateway/v1/activitystream/.
    • Configuration management, such as authentication configuration and role-based access control assignments.

You can download the OpenAPI specification by using the curl command from the schema endpoint.

Prerequisites

Token authentication is the recommended method for programmatic API use.

  1. Create a Personal Access Token (PAT): From the navigation panel, select Access ManagementUsers, select your user, go to the Tokens tab, and click Create token.
  2. Copy the generated token value. Use this value as the <OAUTH2_TOKEN_VALUE> in the following commands.

Procedure

  • Retrieve the OpenAPI specification from the schema endpoint located at https://$AAP_INSTANCE/api/gateway/v1/docs/schema/, using one of the following methods:

    • Get the YAML specification (Default format): To download the specification as a YAML file, run the following command: 

      curl -o "gateway_openapi_spec.yaml" "https://$AAP_INSTANCE/api/gateway/v1/docs/schema/"

    • Get the JSON specification (Optional format): To explicitly request the specification in JSON format, append ?format=json to the URL path and run the following command: 

      curl -o "gateway_openapi_spec.json" "https://$AAP_INSTANCE/api/gateway/v1/docs/schema/?format=json"
      Important

      Replace $AAP_INSTANCE with your Ansible Automation Platform hostname in the commands.

Platform gateway provides an interactive, rendered version of the OpenAPI specification accessible directly in a web browser.

Procedure

  1. Go to the documentation endpoint by using the following URL structure, replacing $AAP_INSTANCE with your hostname: 

    https://$AAP_INSTANCE/api/gateway/v1/docs/
  2. Explore the available API endpoints, view required parameters, and test interactions with the resources exposed by platform gateway.

6.4. User preferences
Copy link

You can use the User preferences page to customize your platform experience. Use this menu to control theming, layout options and formatting.

Note

User preferences are stored locally in your browser. This means that they are unique to you and your machine.

Procedure

  1. From the navigation panel, select SettingsUser Preferences.
  2. The User Preferences page is displayed.
  3. Click Edit.

  4. You can configure the following options:

    • Refresh interval: Select the refresh interval for the page.

      This refreshes the data on the page at the selected interval.

      The refresh happens in the background and does not reload the page.

    • Color theme: Select from:

      • Dark theme
      • Light theme
      • System default

    • Table layout: Select from:

      • Comfortable
      • Compact

    • Form columns: Select from:

      • Multiple columns of inputs
      • Single column of inputs

    • Date format Select from:

      • Shows dates Relative to the current time
      • Shows dates as Date and time
    • Preferred data format: Sets the default format for when editing and displaying data.
  5. Click Save user preferences.

Legal Notice
Copy link

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top