Chapter 4. Adding an identity broker to Ansible Automation Platform Central Authentication

Ansible Automation Platform Central Authentication supports both social and protocol-based providers. You can add an identity broker to central authentication to enable social authentication for your realm, allowing users to log in using an existing social network account, such as Google, Facebook, or GitHub.


For a list of supported social networks and for more information to enable them, please see this section.

Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Ansible Automation Platform Central Authentication provides support for SAML v2.0 and OpenID Connect v1.0 protocols.


  1. Log in to Ansible Automation Platform Central Authentication as an admin user.
  2. Under the Configure section on the side navigation bar, click Identity Providers.
  3. Using the dropdown menu labeled Add provider, select your identity provider to proceed to the identity provider configuration page.

The following table lists the available options for your identity provider configuration:

Table 4.1. Identity Broker Configuration Options

Configuration Option

Description

Alias

The alias is a unique identifier for an identity provider. It is used to reference an identity provider internally. Some protocols such as OpenID Connect require a redirect URI or callback URL in order to communicate with an identity provider. In this case, the alias is used to build the redirect URL.

Enabled

Turns the provider on/off.

Hide on Login Page

If enabled, this provider will not be shown as a login option on the login page. Clients can still request to use this provider by using the kc_idp_hint parameter in the URL they use to request a login.

Account Linking Only

If enabled, this provider cannot be used to login users and will not be shown as an option on the login page. Existing accounts can still be linked with this provider.

Store Tokens

Whether or not to store the token received from the identity provider.

Stored Tokens Readable

Whether or not users are allowed to retrieve the stored identity provider token. This also applies to the broker client-level role read-token.

Trust Email

Whether an email address provided by the identity provider will be trusted. If the realm requires email validation, users that log in from this IDP will not have to go through the email verification process.

GUI Order

The order number that sorts how the available IDPs are listed on the login page.

First Login Flow

Select an authentication flow that will be triggered for users that log in to central authentication through this IDP for the first time.

Post Login Flow

Select an authentication flow that is triggered after the user finishes logging in with the external identity provider.
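The options in Table 4.1 interact: Stored Tokens Readable only matters when Store Tokens is on, Trust Email skips the realm's email verification, and Hide on Login Page does not stop a client from selecting the provider with kc_idp_hint. The following added example (not part of the product documentation) lints an exported identity provider definition for those combinations; it assumes the export uses Keycloak-style IdentityProviderRepresentation field names (storeToken, addReadTokenRoleOnCreate, trustEmail, linkOnly, config.hideOnLoginPage), which you should confirm against your own export.

```python
"""Lint an identity-provider export against the Table 4.1 options."""
from typing import Dict, List, Tuple

# Social providers named in this chapter; providerId values are assumed
SOCIAL_PROVIDERS = {"google", "facebook", "github"}


def _config_flag(idp: Dict, key: str) -> bool:
    # Assumption: UI toggles live under "config" as the strings "true"/"false"
    return str(idp.get("config", {}).get(key, "false")).lower() == "true"


def audit_identity_provider(idp: Dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one identity provider."""
    findings: List[Tuple[str, str]] = []
    alias = idp.get("alias", "<no alias>")
    store = bool(idp.get("storeToken"))                 # Store Tokens
    readable = bool(idp.get("addReadTokenRoleOnCreate"))  # Stored Tokens Readable
    if store and readable:
        findings.append(("medium", f"{alias}: upstream tokens are stored and users "
                                   "receive the broker read-token role; confirm this is required"))
    elif readable and not store:
        findings.append(("low", f"{alias}: Stored Tokens Readable is set but Store "
                                "Tokens is off, so the setting has no effect"))
    if idp.get("trustEmail") and idp.get("providerId") in SOCIAL_PROVIDERS:
        findings.append(("medium", f"{alias}: Trust Email skips realm email "
                                   f"verification for social provider {idp['providerId']}"))
    if idp.get("enabled") and _config_flag(idp, "hideOnLoginPage") and not idp.get("linkOnly"):
        findings.append(("info", f"{alias}: hidden from the login page but still "
                                 "selectable via kc_idp_hint; hiding is not an access control"))
    return findings


# Constructed sample export; not a real configuration
SAMPLE_IDPS = [
    {"alias": "github-social", "providerId": "github", "enabled": True,
     "storeToken": True, "addReadTokenRoleOnCreate": True, "trustEmail": True,
     "linkOnly": False, "config": {"hideOnLoginPage": "false", "guiOrder": "1"}},
    {"alias": "corp-saml", "providerId": "saml", "enabled": True,
     "storeToken": False, "addReadTokenRoleOnCreate": False, "trustEmail": True,
     "linkOnly": False, "config": {"hideOnLoginPage": "true"}},
]

if __name__ == "__main__":
    for sample in SAMPLE_IDPS:
        for severity, message in audit_identity_provider(sample):
            print(f"[{severity}] {message}")
```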

4.1. Managing group permissions with Ansible Automation Platform Central Authentication

You can manage user access on the Ansible Automation Platform by assigning specific permissions to user groups. As users log in to the Ansible Automation Platform for the first time, their groups will appear in the user access page in automation hub, allowing you to assign user access and permissions to each group.

4.1.1. Assigning permissions to Groups

You can assign permissions to groups in automation hub that enable users to access specific features in the system.


You are signed in as a hubadmin user.


  1. Log in to your local automation hub.
  2. Navigate to Groups.
  3. Click on a group name.
  4. Click Edit.
  5. Click in the field for the permission type and select permissions that appear in the list.
  6. Click Save when finished assigning permissions.

The group can now access features in automation hub associated with their assigned permissions.

4.1.2. Automation Hub permissions

Permissions provide a defined set of actions each group performs on a given object. Determine the required level of access for your groups based on the following permissions:

Table 4.2. Permissions Reference Table

Permission

Description

namespaces

Add namespace

Upload to namespace

Change namespace

Delete namespace

Groups with these permissions can create a namespace, upload collections to it, change it, or delete it.


collections

Modify Ansible repo content

Delete collections

Groups with these permissions can move content between repositories using the Approval feature, certify or reject content to move it from the staging repository to the published or rejected repositories, and delete collections.


users

View user

Delete user

Add user

Change user

Groups with these permissions can manage user configuration and access in automation hub.


groups

View group

Delete group

Add group

Change group

Groups with these permissions can manage group configuration and access in automation hub.

collection remotes

Change collection remote

View collection remote

Groups with these permissions can configure remote repositories by navigating to Collections > Repo Management.


containers

Change container namespace permissions

Change containers

Change image tags

Create new containers

Push to existing containers

Delete container repository

Groups with these permissions can manage container repositories in automation hub.

remote registries

Add remote registry

Change remote registry

Delete remote registry

Groups with these permissions can add, change, or delete remote registries added to automation hub.

task management

Change task

Delete task

View all tasks

Groups with these permissions can manage tasks added to Task Management in automation hub.