SAML authentication in Ansible Automation Platform gateway fails with "KeyError"

Solution Verified - Updated -

Environment

  • Red Hat Ansible Automation Platform 2.5

Issue

  • SAML authentication in Ansible Automation Platform gateway fails with KeyError

Resolution

  • The SAML connection mapping settings can be used to map a different unique attribute that the Identity Provider (IdP) sends for the user as their user ID or name ID. Based on the error, add the following attribute to the SAML settings in Ansible Automation Platform gateway, save, and attempt to log in.

    // In the web interface:
    User Permanent ID: "name_id"
    
    // Or in the API settings:
    "IDP_ATTR_USER_PERMANENT_ID": "name_id"
    

Diagnostic Steps

  • The complete error traceback seen while attempting to set up SSO with SAML:

    2025-01-07 21:00:55,239 ERROR    d5e2928b-f5c8-4851-a625-a7ad9babede7 django.request Internal Server Error: /api/gateway/social/complete/ansible_base-authentication-authenticator_plugins-saml__entra-id-saml/
    Traceback (most recent call last):
    File "/usr/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
    return view_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/saml.py", line 350, in auth_complete
    return self.strategy.authenticate(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_django/strategy.py", line 104, in authenticate
    return authenticate(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/pipeline/social_auth.py", line 9, in social_uid
    return {"uid": str(backend.get_user_id(details, response))}
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/saml.py", line 50, in get_user_permanent_id
    uid = attributes[self.conf.get("attr_user_permanent_id", OID_USERID)]
          ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    KeyError: 'urn:oid:0.9.2342.19200300.100.1.1'
    2025-01-07 21:00:55,239 ERROR    d5e2928b-e4b9-4851-a625-a7ad9babede7 django.request Internal Server Error: /api/gateway/social/complete/ansible_base-authentication-authenticator_plugins-saml__entra-id-saml/
    Traceback (most recent call last):
    File "/usr/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/views/decorators/cache.py", line 62, in _wrapper_view_func
    response = view_func(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/actions.py", line 49, in do_complete
    user = backend.complete(user=user, redirect_name=redirect_name, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/base.py", line 39, in complete
      return self.auth_complete(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/saml.py", line 350, in auth_complete
    return self.strategy.authenticate(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/ansible_base/authentication/backend.py", line 40, in authenticate
    user = authenticator_object.authenticate(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/saml.py", line 304, in get_user_id
    uid = idp.get_user_permanent_id(response["attributes"])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.11/site-packages/social_core/backends/saml.py", line 50, in get_user_permanent_id
    uid = attributes[self.conf.get("attr_user_permanent_id", OID_USERID)]
          ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    KeyError: 'urn:oid:0.9.2342.19200300.100.1.1'
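
The failing lookup from the last traceback frame, reproduced on constructed data as an added example (not code from Ansible Automation Platform or social_core). It assumes the gateway setting `IDP_ATTR_USER_PERMANENT_ID` is what the backend reads as `attr_user_permanent_id`, and that the assertion's NameID is available under the key `name_id`; `check_permanent_id_mapping` and `try_login` are hypothetical helpers.

```python
# Added example: reproduces the lookup from the traceback on constructed data.
OID_USERID = "urn:oid:0.9.2342.19200300.100.1.1"  # default key named in the KeyError

# Constructed sample of the attribute dictionary the backend receives.
# Assumption: the IdP sends no urn:oid uid attribute, and the assertion's
# NameID is exposed under the key "name_id" (the value the resolution maps to).
SAMPLE_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["jdoe@example.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Jane"],
    "name_id": "jdoe@example.com",
}


def get_user_permanent_id(conf, attributes):
    """Same direct indexing as the failing traceback line: a missing key raises KeyError."""
    uid = attributes[conf.get("attr_user_permanent_id", OID_USERID)]
    return uid[0] if isinstance(uid, list) else uid


def check_permanent_id_mapping(conf, attributes):
    """Hypothetical pre-flight check: report the lookup key and whether the IdP sent it."""
    key = conf.get("attr_user_permanent_id", OID_USERID)
    return {
        "lookup_key": key,
        "present": key in attributes,
        "attributes_received": sorted(attributes),
    }


def try_login(conf, attributes):
    """Return the resolved uid, or the KeyError text the gateway would log."""
    try:
        return get_user_permanent_id(conf, attributes)
    except KeyError as exc:
        return f"KeyError: {exc}"


if __name__ == "__main__":
    default_conf = {}                                   # nothing mapped
    fixed_conf = {"attr_user_permanent_id": "name_id"}  # mapping from the resolution
    for conf in (default_conf, fixed_conf):
        print(check_permanent_id_mapping(conf, SAMPLE_ATTRIBUTES))
        print(try_login(conf, SAMPLE_ATTRIBUTES))
```

Whichever attribute is mapped becomes the user's permanent identifier, so it should be unique and stable for each user at the IdP.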
    
