AnsiblePilot — Master Ansible Automation


About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

AAP 2.6 SSO Integration: LDAP, SAML, and OIDC Authentication

By Luca Berton · Published 2024-01-01 · Category: windows-automation

Configure Single Sign-On for AAP 2.6 with LDAP, SAML 2.0, and OpenID Connect. Integrate Active Directory, Okta, Azure AD, Keycloak, and RHSSO.

SSO in AAP 2.6

In AAP 2.6 the Platform Gateway is the unified authentication entry point for all components (Controller, Hub, and EDA). SSO is configured once at the Gateway and applies to every component behind it.

See also: Ansible Automation Platform Upgrade Guide: Migration Path from AAP 2.4 and 2.5 to 2.6

Authentication Methods

| Method | Protocol | Use Cases |
|--------|----------|-----------|
| Local | Username/password | Break-glass admin, service accounts |
| LDAP | LDAP/LDAPS | Active Directory, OpenLDAP, FreeIPA |
| SAML 2.0 | HTTP Redirect/POST | Okta, Azure AD, PingFederate, ADFS |
| OIDC | OAuth 2.0 / OpenID Connect | Keycloak, Azure AD, Okta, Google |
| RADIUS | RADIUS | Legacy network auth infrastructure |

LDAP / Active Directory

Basic LDAP Configuration

Navigate to Settings → Authentication → LDAP or configure via API:

- name: Configure LDAP authentication
  ansible.builtin.uri:
    url: "https://gateway.example.org/api/gateway/v1/settings/"
    method: PATCH
    headers:
      Authorization: "Bearer {{ token }}"
    body_format: json
    status_code: 200  # fail the play on anything but a successful PATCH
    body:
      AUTH_LDAP_SERVER_URI: "ldaps://dc01.example.com:636 ldaps://dc02.example.com:636"
      AUTH_LDAP_BIND_DN: "CN=ansible_svc,OU=Service Accounts,DC=example,DC=com"
      AUTH_LDAP_BIND_PASSWORD: "{{ vault_ldap_password }}"
      AUTH_LDAP_USER_SEARCH:
        - "OU=Users,DC=example,DC=com"
        - "SCOPE_SUBTREE"
        - "(sAMAccountName=%(user)s)"
      AUTH_LDAP_GROUP_SEARCH:
        - "OU=Groups,DC=example,DC=com"
        - "SCOPE_SUBTREE"
        - "(objectClass=group)"
      AUTH_LDAP_GROUP_TYPE: "MemberDNGroupType"
      AUTH_LDAP_USER_ATTR_MAP:
        first_name: "givenName"
        last_name: "sn"
        email: "mail"
      AUTH_LDAP_START_TLS: false  # not needed with ldaps:// on 636; only for ldap:// on 389
  no_log: true  # the body carries the bind password and the API token; keep both out of job output

AD Group to AAP Team Mapping

AUTH_LDAP_TEAM_MAP:
  # AD group → AAP team mapping
  "Network Team":
    organization: "Operations"
    users: "CN=Network-Admins,OU=Groups,DC=example,DC=com"
    remove: true
  "Linux Team":
    organization: "Operations"
    users: "CN=Linux-Admins,OU=Groups,DC=example,DC=com"
    remove: true
  "Security Team":
    organization: "Security"
    users: "CN=Security-Ops,OU=Groups,DC=example,DC=com"
    remove: true

AUTH_LDAP_ORGANIZATION_MAP:
  "Operations":
    admins: "CN=AAP-Org-Admins,OU=Groups,DC=example,DC=com"
    users: true  # All LDAP users can access this org
    remove_admins: true
    remove_users: false
  "Security":
    admins: "CN=Security-Leads,OU=Groups,DC=example,DC=com"
    users: "CN=Security-Ops,OU=Groups,DC=example,DC=com"
    remove_users: true

LDAP with TLS Certificates

AUTH_LDAP_CONNECTION_OPTIONS:
  OPT_X_TLS_CACERTFILE: "/etc/pki/tls/certs/ad-ca.crt"
  OPT_X_TLS_REQUIRE_CERT: "OPT_X_TLS_DEMAND"  # Verify server cert
  OPT_REFERRALS: 0  # Required for Active Directory
  OPT_NETWORK_TIMEOUT: 30

Multiple LDAP Sources

AAP 2.6 supports up to 6 LDAP backends (LDAP, LDAP1-LDAP5):

# Primary: Active Directory
AUTH_LDAP_SERVER_URI: "ldaps://dc01.example.com:636"
AUTH_LDAP_BIND_DN: "CN=ansible_svc,DC=example,DC=com"

# Secondary: FreeIPA for Linux team
AUTH_LDAP1_SERVER_URI: "ldaps://ipa01.example.com:636"
AUTH_LDAP1_BIND_DN: "uid=ansible,cn=users,cn=accounts,dc=example,dc=com"
AUTH_LDAP1_USER_SEARCH:
  - "cn=users,cn=accounts,dc=example,dc=com"
  - "SCOPE_SUBTREE"
  - "(uid=%(user)s)"

See also: Ansible AAP as OIDC Authentication Provider for HashiCorp Vault: Zero Trust Workflow

SAML 2.0

SAML with Okta

Create a SAML app in Okta:

• Single sign-on URL: https://gateway.example.org/sso/complete/saml/
• Audience URI (SP Entity ID): https://gateway.example.org/sso/metadata/saml/
• Attribute Statements: email, firstName, lastName, groups

Configure AAP:

SOCIAL_AUTH_SAML_SP_ENTITY_ID: "https://gateway.example.org/sso/metadata/saml/"
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT: "{{ sp_certificate }}"
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "{{ sp_private_key }}"

SOCIAL_AUTH_SAML_ORG_INFO:
  en-US:
    name: "Example Corp"
    displayname: "Example Corporation"
    url: "https://example.com"

SOCIAL_AUTH_SAML_TECHNICAL_CONTACT:
  givenName: "Automation Team"
  emailAddress: "automation@example.com"

SOCIAL_AUTH_SAML_SUPPORT_CONTACT:
  givenName: "IT Support"
  emailAddress: "support@example.com"

SOCIAL_AUTH_SAML_ENABLED_IDPS:
  Okta:
    entity_id: "http://www.okta.com/exk1234567890"
    url: "https://example.okta.com/app/exk1234567890/sso/saml"
    x509cert: "{{ okta_idp_certificate }}"
    attr_user_permanent_id: "name_id"
    attr_first_name: "firstName"
    attr_last_name: "lastName"
    attr_email: "email"
    attr_groups: "groups"

SOCIAL_AUTH_SAML_TEAM_MAP:
  "Network Team":
    organization: "Operations"
    users: ["network-admins"]
    remove: true
  "Cloud Team":
    organization: "Cloud"
    users: ["cloud-engineers"]
    remove: true

SAML with Azure AD

SOCIAL_AUTH_SAML_ENABLED_IDPS:
  AzureAD:
    entity_id: "https://sts.windows.net/{{ azure_tenant_id }}/"
    url: "https://login.microsoftonline.com/{{ azure_tenant_id }}/saml2"
    x509cert: "{{ azure_signing_cert }}"
    attr_user_permanent_id: "name_id"
    attr_first_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    attr_last_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    attr_email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    attr_groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

Note that Azure AD emits group object IDs (GUIDs) in the groups claim by default, not display names, so the values in SOCIAL_AUTH_SAML_TEAM_MAP must be those GUIDs unless the enterprise application is configured to emit group names (possible for on-premises synced groups) or app roles. Azure AD also omits the claim and sends a group overage indicator when a user belongs to more than 150 groups, so users in many groups will map to no teams at all unless group filtering is enabled on the Azure side.

OpenID Connect (OIDC)

OIDC with Keycloak / RHSSO

SOCIAL_AUTH_OIDC_KEY: "aap-gateway"
SOCIAL_AUTH_OIDC_SECRET: "{{ vault_oidc_secret }}"
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT: "https://keycloak.example.com/realms/automation"

# User attribute mapping
SOCIAL_AUTH_OIDC_USERNAME_KEY: "preferred_username"
SOCIAL_AUTH_OIDC_GROUPS_KEY: "groups"

# Team/org mapping (same format as LDAP/SAML)
SOCIAL_AUTH_OIDC_TEAM_MAP:
  "Developers":
    organization: "Development"
    users: ["developers"]
    remove: true

SOCIAL_AUTH_OIDC_ORGANIZATION_MAP:
  "Development":
    admins: ["dev-leads"]
    users: ["developers"]
    remove_users: true
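The LDAP maps (AUTH_LDAP_TEAM_MAP / AUTH_LDAP_ORGANIZATION_MAP), the SAML map (SOCIAL_AUTH_SAML_TEAM_MAP) and the OIDC maps above all use one evaluation model, and the part that bites in practice is what `remove` does at the next login. The Python below is an added example, not code from AAP or this article; it resolves a user's memberships from the group list the IdP returned, using the DNs from the article as constructed sample maps. The semantics it implements are the documented ones (`true` matches everyone, `false` or absent matches nobody, a string or list names groups, `remove` / `remove_users` / `remove_admins` default to false), and it assumes case-insensitive group matching, which mirrors AD DN comparison. "Security Team" is deliberately set to `remove: false` to show a stale membership surviving.

```python
"""Resolve AAP team and organization maps against the groups an IdP returns for a user."""

# Constructed sample maps in the AUTH_LDAP_*_MAP shape, using the article's DNs.
TEAM_MAP = {
    "Network Team": {"organization": "Operations",
                     "users": "CN=Network-Admins,OU=Groups,DC=example,DC=com",
                     "remove": True},
    "Linux Team": {"organization": "Operations",
                   "users": "CN=Linux-Admins,OU=Groups,DC=example,DC=com",
                   "remove": True},
    "Security Team": {"organization": "Security",
                      "users": "CN=Security-Ops,OU=Groups,DC=example,DC=com",
                      "remove": False},   # assumption: changed from the article to show stale membership
}

ORG_MAP = {
    "Operations": {"admins": "CN=AAP-Org-Admins,OU=Groups,DC=example,DC=com",
                   "users": True, "remove_admins": True, "remove_users": False},
    "Security": {"admins": "CN=Security-Leads,OU=Groups,DC=example,DC=com",
                 "users": "CN=Security-Ops,OU=Groups,DC=example,DC=com",
                 "remove_users": True},
}


def _matches(spec, groups):
    """True if the user's (lower-cased) group set satisfies a map value."""
    if spec is True:
        return True
    if not spec:                      # False, None, "" or []
        return False
    wanted = [spec] if isinstance(spec, str) else list(spec)
    return any(g.lower() in groups for g in wanted)


def resolve_teams(user_groups, current_teams, team_map):
    """Team names the user holds after this login.

    current_teams is what AAP already stores for the user (earlier logins or a
    manual assignment); the map only touches the teams it mentions.
    """
    groups = {g.lower() for g in user_groups}
    teams = set(current_teams)
    for team, rule in team_map.items():
        if _matches(rule.get("users"), groups):
            teams.add(team)
        elif rule.get("remove", False):   # only drop members when remove is true
            teams.discard(team)
    return teams


def resolve_orgs(user_groups, current_roles, org_map):
    """Organization roles ({org: {"admin", "member"}}) after this login."""
    groups = {g.lower() for g in user_groups}
    roles = {org: set(r) for org, r in current_roles.items()}
    for org, rule in org_map.items():
        held = roles.setdefault(org, set())
        for role, key, remove_key in (("admin", "admins", "remove_admins"),
                                      ("member", "users", "remove_users")):
            if _matches(rule.get(key), groups):
                held.add(role)
            elif rule.get(remove_key, False):
                held.discard(role)
    return {org: r for org, r in roles.items() if r}


# Worked scenario (constructed): yesterday alice was in Network-Admins and an
# Operations admin; today the directory returns only Linux-Admins for her.
ALICE_GROUPS_TODAY = ["CN=Linux-Admins,OU=Groups,DC=example,DC=com"]
ALICE_TEAMS_BEFORE = {"Network Team", "Security Team"}
ALICE_ROLES_BEFORE = {"Operations": {"admin", "member"}, "Security": {"member"}}

if __name__ == "__main__":
    print(resolve_teams(ALICE_GROUPS_TODAY, ALICE_TEAMS_BEFORE, TEAM_MAP))
    print(resolve_orgs(ALICE_GROUPS_TODAY, ALICE_ROLES_BEFORE, ORG_MAP))
```

Run as written, alice loses "Network Team" and her Operations admin role (both mapped with remove), gains "Linux Team", but keeps "Security Team" because that entry has `remove: false`; nothing in the login flow will ever take it away. That is the case for setting `remove` on every map entry and treating a manual team assignment as the exception that needs a separate review.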

OIDC with Azure AD

SOCIAL_AUTH_AZUREAD_OAUTH2_KEY: "{{ azure_app_client_id }}"
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET: "{{ vault_azure_secret }}"
SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP:
  "Operations":
    admins:
      - "AAP-Admins"
    users: true

See also: AAP 2.6 Windows Automation: WinRM, PowerShell, and Active Directory Management

Session and Security Settings

# Session timeout
SESSION_COOKIE_AGE: 1800  # 30 minutes
SESSIONS_PER_USER: 3      # Max concurrent sessions

# Authentication policies
SOCIAL_AUTH_ORGANIZATION_MAP:
  Default:
    users: true   # Allow any authenticated user
    admins: []    # No auto-admin

# Disable local auth for SSO-only
DISABLE_LOCAL_AUTH: false  # Keep false for break-glass access

# Require specific LDAP group for login
AUTH_LDAP_REQUIRE_GROUP: "CN=AAP-Users,OU=Groups,DC=example,DC=com"
AUTH_LDAP_DENY_GROUP: "CN=AAP-Blocked,OU=Groups,DC=example,DC=com"
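The settings in this section and in the LDAP sections above combine into a small number of failure modes: a cleartext bind, an unverified directory certificate, no REQUIRE_GROUP (so every directory account can log in), local auth disabled with nothing left for break-glass, sessions that outlive a revocation, and an organization map that makes everyone an admin. The following Python is an added pre-flight check, not part of AAP or this article: it takes a settings dict with the same key names as the PATCH bodies above and lints it before anything is sent to the gateway. The 8-hour session threshold and the finding codes are assumptions; the weak and hardened dicts are constructed to show a failing and a passing configuration.

```python
"""Pre-flight lint for an AAP LDAP/SSO settings dict before it is PATCHed to the gateway."""

MAX_SESSION_SECONDS = 8 * 3600   # assumption: anything beyond a working day deserves a look
LDAP_PREFIXES = ("AUTH_LDAP",) + tuple(f"AUTH_LDAP{i}" for i in range(1, 6))


def lint_auth_settings(settings):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    for prefix in LDAP_PREFIXES:
        uris = settings.get(f"{prefix}_SERVER_URI", "").split()
        if not uris:
            continue                                   # backend not configured
        starttls = bool(settings.get(f"{prefix}_START_TLS", False))
        for uri in uris:
            if uri.startswith("ldap://") and not starttls:
                findings.append(("LDAP_CLEARTEXT",
                                 f"{prefix}: {uri} without START_TLS sends the bind password in clear"))
        opts = settings.get(f"{prefix}_CONNECTION_OPTIONS", {}) or {}
        if opts.get("OPT_X_TLS_REQUIRE_CERT") != "OPT_X_TLS_DEMAND":
            findings.append(("LDAP_NO_CERT_CHECK",
                             f"{prefix}: OPT_X_TLS_REQUIRE_CERT is not OPT_X_TLS_DEMAND; "
                             "server certificate verification then depends on the host ldap.conf"))
        if not settings.get(f"{prefix}_REQUIRE_GROUP"):
            findings.append(("LDAP_NO_REQUIRE_GROUP",
                             f"{prefix}: no REQUIRE_GROUP, every directory account can log in"))
    if settings.get("DISABLE_LOCAL_AUTH"):
        findings.append(("NO_BREAK_GLASS",
                         "DISABLE_LOCAL_AUTH is true: an IdP outage locks out every administrator"))
    age = settings.get("SESSION_COOKIE_AGE")
    if age is None or age > MAX_SESSION_SECONDS:
        findings.append(("LONG_SESSION",
                         f"SESSION_COOKIE_AGE={age}: a revoked user keeps access until the cookie expires"))
    for key, org_map in settings.items():
        if key.endswith("_ORGANIZATION_MAP"):
            for org, rule in (org_map or {}).items():
                if rule.get("admins") is True:
                    findings.append(("AUTO_ADMIN",
                                     f"{key}[{org}]: admins: true makes every authenticated user an org admin"))
    return findings


# Constructed weak configuration: every check above fires.
WEAK = {
    "AUTH_LDAP_SERVER_URI": "ldap://dc01.example.com:389",
    "AUTH_LDAP_START_TLS": False,
    "AUTH_LDAP_CONNECTION_OPTIONS": {"OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_NEVER", "OPT_REFERRALS": 0},
    "DISABLE_LOCAL_AUTH": True,
    "SESSION_COOKIE_AGE": 14 * 86400,
    "SOCIAL_AUTH_ORGANIZATION_MAP": {"Default": {"users": True, "admins": True}},
}

# Constructed hardened configuration, matching the values used in this article.
HARDENED = {
    "AUTH_LDAP_SERVER_URI": "ldaps://dc01.example.com:636 ldaps://dc02.example.com:636",
    "AUTH_LDAP_START_TLS": False,
    "AUTH_LDAP_CONNECTION_OPTIONS": {"OPT_X_TLS_CACERTFILE": "/etc/pki/tls/certs/ad-ca.crt",
                                     "OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_DEMAND",
                                     "OPT_REFERRALS": 0},
    "AUTH_LDAP_REQUIRE_GROUP": "CN=AAP-Users,OU=Groups,DC=example,DC=com",
    "DISABLE_LOCAL_AUTH": False,
    "SESSION_COOKIE_AGE": 1800,
    "SOCIAL_AUTH_ORGANIZATION_MAP": {"Default": {"users": True, "admins": []}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_auth_settings(cfg) or "no findings")
```

Wire `lint_auth_settings` in front of the `ansible.builtin.uri` PATCH task (for example as a filter plugin or a pre-task that fails on a non-empty list) and the weak shape never reaches the gateway.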

Testing SSO Configuration

LDAP Test

# Test LDAP connectivity and the bind account from a shell (-W prompts for the bind password)
ldapsearch -x -H ldaps://dc01.example.com:636 \
  -D "CN=ansible_svc,OU=Service Accounts,DC=example,DC=com" \
  -W -b "DC=example,DC=C=example,DC=com" "(sAMAccountName=testuser)"

# Test from AAP with a dedicated test account. Do not use -k: it disables certificate
# verification; pass --cacert <ca-bundle> instead if the gateway uses a private CA.
# The password is piped in rather than placed in the argument list, so it does not
# show up in shell history or in the process list.
printf '{"username": "testuser", "password": "%s"}' "$TEST_PASSWORD" | \
  curl -s -X POST "https://gateway.example.org/api/gateway/v1/auth/test_ldap/" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @-

SAML Metadata

# Download SP metadata for IdP configuration (no -k; add --cacert <ca-bundle> for a private CA)
curl -s "https://gateway.example.org/sso/metadata/saml/"
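Before uploading that metadata to the IdP it is worth confirming that what the gateway publishes matches what was registered in the Okta app above (SP Entity ID and Single sign-on URL), because a mismatch in either produces an opaque "invalid audience" or "unsolicited response" failure at login. The Python below is an added example, not code from AAP or this article: it parses the metadata document and reports any disagreement. SAMPLE_METADATA is a constructed stand-in for the curl output with a placeholder certificate, and the WantAssertionsSigned check is reported as a posture warning rather than a hard error.

```python
"""Check the SP metadata that AAP publishes against the values registered at the IdP."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values from the article's Okta app registration.
SP_ENTITY_ID = "https://gateway.example.org/sso/metadata/saml/"
ACS_URL = "https://gateway.example.org/sso/complete/saml/"

# Constructed sample of the document /sso/metadata/saml/ returns; the certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://gateway.example.org/sso/metadata/saml/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-placeholder-not-a-real-certificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gateway.example.org/sso/complete/saml/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id, expected_acs_url):
    """Return a list of findings; an empty list means the metadata matches the IdP registration."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} differs from SP_ENTITY_ID {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor element; this is not SP metadata")
        return findings
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("posture: WantAssertionsSigned is not true")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if (POST_BINDING, expected_acs_url) not in acs:
        findings.append(f"no HTTP-POST AssertionConsumerService at {expected_acs_url}; found {acs}")
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no SP certificate published; check SOCIAL_AUTH_SAML_SP_PUBLIC_CERT")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_METADATA, SP_ENTITY_ID, ACS_URL) or ["metadata OK"]:
        print(line)
```

Replace SAMPLE_METADATA with the text the curl command returned to check a live gateway; the ACS check is the one that most often fails after a hostname or path change on the gateway side.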

FAQ

Can I use multiple SSO methods simultaneously?

Yes. AAP 2.6 supports concurrent LDAP (up to 6 backends), SAML, OIDC, and local authentication. Users see a login page with all configured options. The first matching backend authenticates the user.

How do I enforce MFA?

MFA is enforced at the IdP level (Okta, Azure AD, Keycloak), not within AAP. Configure your IdP to require MFA for the AAP application, and AAP inherits that protection via SAML/OIDC flows.

What happens when a user is removed from the IdP?

With remove: true in team/org maps, a user whose group membership changed is dropped from the corresponding AAP teams at their next login; with remove: false the old membership stays until someone removes it by hand. AUTH_LDAP_DENY_GROUP is likewise evaluated only at login. To cut off access immediately, disable the user in AAP's admin interface, and keep SESSION_COOKIE_AGE short so that a session established before the revocation cannot outlive it for long.

How do I handle service accounts that can't use SSO?

Create dedicated local service accounts for API integrations and CI/CD pipelines and authenticate them with tokens issued to those accounts (read or write scope, with an expiry) rather than with passwords. Keep DISABLE_LOCAL_AUTH: false, restrict local login to those accounts plus the break-glass admin, and give each service account only the organization or team roles its pipeline needs.

Can I map nested AD groups?

Yes. Set AUTH_LDAP_GROUP_TYPE to NestedMemberDNGroupType for recursive group resolution, or to NestedActiveDirectoryGroupType, the Active Directory variant of the same idea. Either option increases LDAP query load compared with a flat group type, so keep AUTH_LDAP_GROUP_SEARCH scoped to the OU that actually holds the mapped groups.

Conclusion

SSO in AAP 2.6 is configured at the Platform Gateway, providing unified authentication across all components. Whether using LDAP for Active Directory integration, SAML for enterprise IdPs like Okta, or OIDC for Keycloak — AAP supports the full range of enterprise authentication requirements with automatic group-to-team mapping and organization provisioning.

Related Articles

• AAP 2.6 Multi-Tenancy: Organizations, Teams, and RBAC at Scale
• AAP 2.6 RBAC and Gateway API
• AAP 2.6 Security Best Practices
• AAP 2.6 Architecture and Components: Complete Guide
• AAP 2.6 REST API Guide: Automate the Automation Platform
