About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

AAP 2.6 SSO Integration: LDAP, SAML, and OIDC Authentication

By Luca Berton · Published 2024-01-01 · Category: windows-automation

Configure Single Sign-On for AAP 2.6 with LDAP, SAML 2.0, and OpenID Connect. Integrate Active Directory, Okta, Azure AD, Keycloak, and RHSSO. Map groups to teams, automate user provisioning, and enforce MFA.

SSO in AAP 2.6

AAP 2.6 introduces the Platform Gateway as the unified authentication entry point for all components — Controller, Hub, and EDA. SSO is configured once at the Gateway level and applies everywhere.

Authentication Methods

| Method | Protocol | Use Cases |
|--------|----------|-----------|
| Local | Username/password | Break-glass admin, service accounts |
| LDAP | LDAP/LDAPS | Active Directory, OpenLDAP, FreeIPA |
| SAML 2.0 | HTTP Redirect/POST | Okta, Azure AD, PingFederate, ADFS |
| OIDC | OAuth 2.0 / OpenID Connect | Keycloak, Azure AD, Okta, Google |
| RADIUS | RADIUS | Legacy network auth infrastructure |

LDAP / Active Directory

Basic LDAP Configuration

Navigate to Settings → Authentication → LDAP or configure via API:

AD Group to AAP Team Mapping

LDAP with TLS Certificates

Multiple LDAP Sources

AAP 2.6 supports up to 6 LDAP backends (LDAP, LDAP1-LDAP5):
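The LDAP sections above (basic configuration, TLS certificates, multiple sources) share one shape: an authenticator payload per directory, created through the Gateway API. The script below is an added example written for this article, not AAP's own code or CLI. It builds one payload per source with the settings a reviewer would insist on (LDAPS with the server certificate verified against a pinned CA file, a dedicated read-only bind account whose password comes from the environment, a user filter pinned to the login name) and lints each payload before sending it. Assumptions to check against your Gateway's browsable API: the endpoint `/api/gateway/v1/authenticators/`, the plugin type string, and the `configuration` keys, which follow the django-auth-ldap names (`SERVER_URI`, `BIND_DN`, `START_TLS`, `CONNECTION_OPTIONS`, `USER_SEARCH`, `GROUP_SEARCH`, `GROUP_TYPE`, `GROUP_TYPE_PARAMS`, `USER_ATTR_MAP`). Hostnames, DNs, the CA path and the environment variable names are made up.

```python
"""Build, lint and create Gateway LDAP authenticators (added example, not AAP code).
Field names are assumed from the django-auth-ldap conventions; verify them in
your Gateway's API browser before relying on them."""
import json
import os
import urllib.request
from urllib.parse import urlparse

LDAP_PLUGIN = "ansible_base.authentication.authenticator_plugins.ldap"  # assumed type string
TLS_DEMAND = 2  # python-ldap's ldap.OPT_X_TLS_DEMAND: refuse an untrusted server certificate


def build_ldap_authenticator(name, server_uri, bind_dn, bind_password, user_base_dn,
                             group_base_dn, ca_cert_file, nested_groups=False):
    """Return the JSON body for one LDAP authenticator."""
    group_type = "NestedMemberDNGroupType" if nested_groups else "MemberDNGroupType"
    return {
        "name": name,
        "type": LDAP_PLUGIN,
        "enabled": True,
        "create_objects": True,   # create the AAP user on first successful login
        "remove_users": True,     # drop mapped teams/orgs once the directory group is gone
        "configuration": {
            "SERVER_URI": [server_uri],
            "BIND_DN": bind_dn,
            "BIND_PASSWORD": bind_password,
            "START_TLS": False,   # not needed: ldaps:// wraps the whole session in TLS
            "CONNECTION_OPTIONS": {
                "OPT_REFERRALS": 0,                    # AD referrals otherwise stall searches
                "OPT_X_TLS_REQUIRE_CERT": TLS_DEMAND,
                "OPT_X_TLS_CACERTFILE": ca_cert_file,  # must exist on every Gateway node
            },
            "USER_SEARCH": [user_base_dn, "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
            "GROUP_SEARCH": [group_base_dn, "SCOPE_SUBTREE", "(objectClass=group)"],
            "GROUP_TYPE": group_type,
            "GROUP_TYPE_PARAMS": {"member_attr": "member", "name_attr": "cn"},
            "USER_ATTR_MAP": {"username": "sAMAccountName", "email": "mail",
                              "first_name": "givenName", "last_name": "sn"},
        },
    }


def lint_ldap_config(payload):
    """Return the weaknesses a reviewer would reject; an empty list means clean."""
    cfg = payload["configuration"]
    findings = []
    for uri in cfg["SERVER_URI"]:
        if urlparse(uri).scheme != "ldaps" and not cfg.get("START_TLS"):
            findings.append(f"{uri}: bind password and queries travel in cleartext")
    if not cfg.get("BIND_DN") or not cfg.get("BIND_PASSWORD"):
        findings.append("anonymous or passwordless bind: use a dedicated read-only account")
    if cfg.get("CONNECTION_OPTIONS", {}).get("OPT_X_TLS_REQUIRE_CERT") != TLS_DEMAND:
        findings.append("server certificate not verified: bind credentials exposed to MITM")
    user_filter = cfg["USER_SEARCH"][2]
    if "%(user)s" not in user_filter or "*" in user_filter:
        findings.append(f"user filter {user_filter!r} does not pin the login name")
    return findings


def build_all_sources():
    """One authenticator per directory; passwords come from the environment, never the repo."""
    sources = [  # (name, server, base DN, bind DN, env var holding the password) - all made up
        ("corp-ad", "ldaps://dc1.corp.example.org", "DC=corp,DC=example,DC=org",
         "CN=svc-aap,OU=Service,DC=corp,DC=example,DC=org", "CORP_AD_BIND_PW"),
        ("partner-ad", "ldaps://dc1.partner.example.net", "DC=partner,DC=example,DC=net",
         "CN=svc-aap,OU=Service,DC=partner,DC=example,DC=net", "PARTNER_AD_BIND_PW"),
    ]
    return [build_ldap_authenticator(name, uri, bind_dn, os.environ.get(env, ""),
                                     f"OU=Users,{base}", f"OU=Groups,{base}",
                                     "/etc/pki/tls/certs/corp-ca.pem", nested_groups=True)
            for name, uri, base, bind_dn, env in sources]


def post_authenticator(gateway_url, token, payload):
    """Create the authenticator over the Gateway REST API (endpoint path assumed)."""
    req = urllib.request.Request(
        f"{gateway_url.rstrip('/')}/api/gateway/v1/authenticators/",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for payload in build_all_sources():
        problems = lint_ldap_config(payload)
        print(payload["name"], "OK" if not problems else problems)
        if not problems and os.environ.get("AAP_GATEWAY_URL"):
            post_authenticator(os.environ["AAP_GATEWAY_URL"], os.environ["AAP_TOKEN"], payload)
```

Run it with the bind passwords and `AAP_GATEWAY_URL`/`AAP_TOKEN` exported; without them it only lints and prints, and a source whose password is missing is reported rather than created with an anonymous bind.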

SAML 2.0

SAML with Okta

Create a SAML app in Okta:

• Single sign-on URL: https://gateway.example.org/sso/complete/saml/
• Audience URI (SP Entity ID): https://gateway.example.org/sso/metadata/saml/
• Attribute Statements: email, firstName, lastName, groups

Configure AAP:

SAML with Azure AD

OpenID Connect (OIDC)

OIDC with Keycloak / RHSSO

OIDC with Azure AD
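Whichever IdP issues it, the ID token that comes back from the code exchange is only as trustworthy as the checks the relying party performs on it. The block below is an added example, not the Gateway's OIDC plugin, showing those checks in order: pin the algorithm rather than trusting the token's `alg`, verify the signature, then issuer, audience (with `azp` when several audiences are present), expiry with a small skew, nonce, and subject. Keycloak/RHSSO and Azure AD sign with RS256 against keys published at the JWKS URL in their discovery document; so that this runs offline, the example mints an HS256 token with a constructed shared secret and verifies that, and the issuer, client id and nonce values are made up.

```python
"""ID token validation for an OIDC relying party (added example, not Gateway code).
HS256 with a constructed secret stands in for the IdP's RS256/JWKS signature."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.org/realms/aap"   # 'issuer' from .well-known/openid-configuration
CLIENT_ID = "aap-gateway"                       # client registered for the Gateway (made up)
SECRET = b"constructed-example-secret"          # stand-in for the IdP signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key=SECRET, alg="HS256"):
    """What the IdP does; used here only to produce input for the validator."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token, expected_nonce, key=SECRET, now=None, skew=60):
    """Return the claims if every check passes; raise ValueError naming the first failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # 1. Pin the algorithm: the token never gets to choose (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 2. Issuer and audience bind the token to this IdP and this client registration.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    # 3. Freshness: exp is mandatory; tolerate a little clock skew, no more.
    if now > claims.get("exp", 0) + skew:
        raise ValueError("token expired")
    # 4. The nonce ties the token to the browser session that started this login.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": now,
              "exp": now + 300, "nonce": "n-4f2c"}
    print(validate_id_token(mint_id_token(claims), "n-4f2c")["sub"])
    try:
        validate_id_token(mint_id_token(claims, alg="none"), "n-4f2c")
    except ValueError as exc:
        print("rejected:", exc)
```

In production the same function shape applies with the RSA public key selected by the token's `kid` from the JWKS, fetched over TLS from the discovery document's `jwks_uri` and cached; the claim checks do not change.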

Session and Security Settings

Testing SSO Configuration

LDAP Test

SAML Metadata

FAQ

Can I use multiple SSO methods simultaneously?

Yes. AAP 2.6 supports concurrent LDAP (up to 6 backends), SAML, OIDC, and local authentication. Users see a login page with all configured options. The first matching backend authenticates the user.

How do I enforce MFA?

MFA is enforced at the IdP level (Okta, Azure AD, Keycloak), not within AAP. Configure your IdP to require MFA for the AAP application, and AAP inherits that protection through the SAML/OIDC flows. That protection covers only SAML and OIDC logins: local, LDAP, and RADIUS password logins never reach the IdP, so an MFA-everywhere policy also means disabling those backends or limiting them to break-glass and service accounts.

What happens when a user is removed from the IdP?

With remove: true in team/org maps, the user is dropped from the mapped AAP teams at their next login, when the map no longer matches their group membership; nothing changes until they log in again, and maps without remove leave stale membership in place. AUTH_LDAP_DENY_GROUP is likewise only evaluated at login. To revoke access immediately, disable the user in AAP's admin interface so no further logins succeed, and revoke any OAuth tokens the user holds, since a token keeps working until it expires or is deleted.

How do I handle service accounts that can't use SSO?

Create dedicated local accounts for API integrations and CI/CD pipelines, and issue them their own personal access tokens (PATs) with the narrowest scope the job allows (read-only where it can be), rather than reusing a human user's token. Keep DISABLE_LOCAL_AUTH: false so those accounts can still authenticate, but restrict local login to those specific accounts and rotate their tokens on a schedule.

Can I map nested AD groups?

Yes. Set AUTH_LDAP_GROUP_TYPE to NestedMemberDNGroupType for recursive group resolution. Note: this increases LDAP query load, because every group the user belongs to must be searched in turn for its parent groups at each login, so keep the group search base scoped to the OU that holds AAP-relevant groups.
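The group-to-team mapping section, the remove: true answer and the nested-groups answer describe one mechanism from three angles; the block below is an added example, not the Gateway's own mapping code, that shows the three together. It resolves a user's groups the flat way (MemberDNGroupType, direct membership only) and the nested way (NestedMemberDNGroupType, walking `member` references through groups-in-groups, with a cycle guard because Active Directory permits cycles), then applies team maps written in the article's style (a groups trigger with has_or/has_and and a revoke flag) to compute what the user holds after this login. The directory, DNs, team names and map structure are constructed for the example.

```python
"""Directory groups -> AAP teams at login, flat vs nested, with revoke (added example)."""
import copy

# Constructed directory: group DN -> member DNs (users or other groups).
G = "OU=Groups,DC=corp,DC=example,DC=org"
U = "OU=Users,DC=corp,DC=example,DC=org"
DIRECTORY = {
    f"CN=aap-admins,{G}": [f"CN=alice,{U}"],
    f"CN=platform-eng,{G}": [f"CN=bob,{U}", f"CN=sre,{G}"],        # sre is nested here
    f"CN=sre,{G}": [f"CN=carol,{U}", f"CN=platform-eng,{G}"],      # and forms a cycle
    f"CN=contractors,{G}": [f"CN=dave,{U}"],
}


def direct_groups(dn, directory=DIRECTORY):
    """MemberDNGroupType: only groups whose member attribute lists this DN."""
    return {group for group, members in directory.items() if dn in members}


def nested_groups(user_dn, directory=DIRECTORY):
    """NestedMemberDNGroupType: also every group that (transitively) contains a group
    the user is in.  'seen' makes the walk terminate on AD group cycles."""
    seen, stack = set(), list(direct_groups(user_dn, directory))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(direct_groups(group, directory))   # parents of this group
    return seen


# Team maps in the article's shape.  revoke=True: take the team away when the
# trigger stops matching; revoke=False: membership granted once is never removed.
TEAM_MAPS = [
    {"team": "Platform Admins", "revoke": True,
     "triggers": {"groups": {"has_or": [f"CN=aap-admins,{G}"]}}},
    {"team": "SRE", "revoke": True,
     "triggers": {"groups": {"has_or": [f"CN=platform-eng,{G}"]}}},
    {"team": "Vendor Access", "revoke": False,
     "triggers": {"groups": {"has_or": [f"CN=contractors,{G}"]}}},
]


def trigger_fires(trigger, groups):
    """has_or: any listed group; has_and: all listed groups; both may be combined."""
    spec = trigger["groups"]
    if "has_or" in spec and not any(g in groups for g in spec["has_or"]):
        return False
    if "has_and" in spec and not all(g in groups for g in spec["has_and"]):
        return False
    return True


def apply_maps_at_login(current_teams, groups, maps=TEAM_MAPS):
    """Teams the user holds after this login.  Nothing here runs between logins,
    which is why a removed user keeps access until you disable them in AAP."""
    teams = set(current_teams)
    for m in maps:
        if trigger_fires(m["triggers"], groups):
            teams.add(m["team"])
        elif m["revoke"]:
            teams.discard(m["team"])
    return teams


if __name__ == "__main__":
    carol = f"CN=carol,{U}"
    print("flat:  ", apply_maps_at_login(set(), direct_groups(carol)))    # misses SRE
    print("nested:", apply_maps_at_login(set(), nested_groups(carol)))    # gets SRE via platform-eng
    later = copy.deepcopy(DIRECTORY)
    later[f"CN=sre,{G}"].remove(carol)                                    # carol leaves the team
    print("after removal, next login:", apply_maps_at_login({"SRE"}, nested_groups(carol, later)))
    print("dave without revoke:", apply_maps_at_login({"Vendor Access"}, set()))  # stale, kept
```

The last line is the case to watch for: a map without revoke never takes a team away, so a contractor who leaves the directory group keeps Vendor Access until someone removes it by hand. Prefer revoke on every map unless a team is deliberately managed outside the directory.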

Conclusion

SSO in AAP 2.6 is configured at the Platform Gateway, providing unified authentication across all components. Whether using LDAP for Active Directory integration, SAML for enterprise IdPs like Okta, or OIDC for Keycloak — AAP supports the full range of enterprise authentication requirements with automatic group-to-team mapping and organization provisioning.

Related Articles

• AAP 2.6 Multi-Tenancy: Organizations, Teams, and RBAC at Scale
• AAP 2.6 RBAC and Gateway API
• AAP 2.6 Security Best Practices
• AAP 2.6 Architecture and Components: Complete Guide
• AAP 2.6 REST API Guide: Automate the Automation Platform
