Category: IAM

Using Keycloak as the Identity Provider for AWX

Good day, in this post I will show you how to use Keycloak (Open source Redhat SSO) as the identity provider for AWX.

I am basing this tutorial on the post on red hat SSO integration on and from the AWX docs on SAML authentication


You need the following set up:

  • AWX instance
  • Keycloak Instance
  • A realm with users or linked to another user source (identity brokering or user federation with LDAP)

Creating a Key Pair

Using OpenSSL or LibreSSL create a public-private key pair:

openssl req -new -x509 -days 365 -nodes -out saml.crt -keyout saml.key

On your keycloak realm -> keys -> providers -> Add (RSA)

Then upload your private key and cert you created.


  1. Log into AWX as an admin user
  2. Go to Settings -> Authentication
  3. At the top select the SAML button

    On this page the SAML Assertion Consumer Service (ACS) URL and SAML Service Provider Metadata URL are provided for you to enter on keycloak side

At this stage we can create the client for our realm

  1. Log into keycloak as realm admin
  2. Go to Clients -> Create client

    Set Client Protocol to SAML

    Go to /api/v2/settings/system on AWX to find your TOWER_URL_BASE. Add that as the Entity ID on Keycloak side.


    Then add the SAML Assertion Consumer Service (ACS) URL from AWX as the CLient SAML Endpoint on Keycloak.


Now we are done with the client creation we need to set the settings on keycloak side. Fill in the entity ID , SAML Service Provider Public Certificate and SAML Service Provider Private Key you created previously.

Now fill in any additional information:

Under SAML Service Provider Organization Info (This is just information about the identity provider):

  "en-US": {
    "url": "",
    "displayname": "Keycloak",
    "name": "keycloak"

Under SAML Service Provider Technical Contact:

    "givenName": "Some User",
    "emailAddress": ""

Under SAML Service Provider Support Contact:

    "givenName": "Some User",
    "emailAddress": ""

Under SAML Enabled Identity Providers (Info on how to connect to the provider):

   "RHSSO": {
      "attr_last_name": "last_name",
      "attr_username": "username",
      "entity_id": "",
      "attr_user_permanent_id": "name_id",
      "url": "",
      "attr_email": "email",
      "x509cert": "",
      "attr_first_name": "first_name",
      "attr_groups": "groups"

Under SAML Organization Map:

   "Default": {
      "users": true
   "Systems Engineering": {
      "admins": [
      "remove_admins": false,
      "remove_users": false,
      "users": true

Add the Mappers on Keycloak


Keycloak Error: “We’re sorry, failed to process response”

Check your Keycloak log. If the log displays

failed: org.keycloak.common.VerificationException: Client does not have a public key

set Encrypt Assertions to OFF in your Keycloak client.

Logs in to Keycloak and Redirects - but does not Login to AWX

In the AWX logs you will find this line:

social Found an Attribute element with duplicated Name

You have to Your Realm -> Client Scopes (left side) -> role_list -> Mappers -> role list -> Set Single Role Attribute to On

Boom - it works!


Practical Application: Implementing SSH security with TLS certificates

In any organisation of a large size managing access to servers and cloud resources is difficult.
There is often a tradeoff between convenience and security.
Changing these settings is also a bit scary in production as you can be locked out of your servers...

One solution mentioned by facebook engineering and smallstep is to make use of certificates to authenticate and authorise SSH users.

In this post we will look at what we need to achieve better SSH security and how to implement it...

What we need to know

The topics we should read up on are:

  • TLS certificates and public key cryptography
  • OpenSSL
  • Public Key Infrastructure (PKI)
  • SSH
  • Hashicorp Vault

Some books might be:

That is alot of reading.


Integrating Keycloak and Harbor Registry with OpenID Connect

The documentation for setting up an OpenIDC identity provider / authentication method for Harbor Registry can be found in the harbor docs.

Harbor has supported OIDC since version 1.8.


You can change the authentication mode from database to OIDC only if no local users have been added to the database. If there is at least one user other than admin in the Harbor database, you cannot change the authentication mode.

So if you have existing local users, you will need to remove them - unfortunately doing this from the admin frontend does not actually delete them. you have to enter the postgres db and delete associated projects and then the users.

Information for setting up the client on keycloak side can be found on the red hat docs page

Getting Started

Having said all that...

  1. As Admin, go to Administration -> Configuration -> Authentication

  2. Select Auth mode as OIDC

  3. Fill in the required information as per the below screenshot:

  4. Click Test Configuration

OIDC Endpoint

For keycloak you can get your realm's OIDC details by going to:


But for the OIDC configuration you remove everthing up to /.well-known... including the back slash.
So the OIDC endpoint should be:


Deleting Existing Harbor Users

If you are using harbor on kubernetes - you can enter the postgres pod and execute in the shell:

docker exec -it harbor-db bash
psql -U postgres
\c registry
select * from harbor_user
delete from harbor_user where user_id > 2