AWX: prevent access from outside organizations

After setting up login via Azure AD in AWX, we find that people from other organizations are able to log in, too.

After creating an organization map according to https://docs.ansible.com/ansible-tower/latest/html/administration/social_auth.html#organization-and-team-mapping they don't get assigned to any organization or team anymore, but they're still able to see the list of users.

How can I completely deny login via Azure AD to users outside our organization?

Update: we found that we can set SOCIAL_AUTH_USER_FIELDS to [] to completely prevent login from unknown users, but ideally it should still be possible to log in from our domain. We tried setting it up with various variants of regexes, e-mail addresses and domain names but did not find a way to use this mechanism to achieve what we want.

Update 2: we have also tried updating the "Collaboration restrictions" in Azure AD to only list our domains but it didn't make any difference to AWX.
