AWX / Ansible Tower SSO

Configure OpenID Connect SSO for AWX (open-source Ansible automation) and Red Hat Ansible Automation Platform (AAP). Team memberships and roles are automatically assigned from Clavex group claims.

AWX vs AAP: AWX uses the Social-Auth OIDC backend. Red Hat AAP uses the same underlying Django Social Auth but ships with a slightly different admin UI. The configuration values are identical.

Prerequisites


Step 1 — Register OIDC Client in Clavex

Admin API (curl)
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/clients \
    -H "Authorization: Bearer $ADMIN_TOKEN" \
    -H 'Content-Type: application/json' \
    -d '{
      "client_id": "awx",
      "client_name": "AWX",
      "grant_types": ["authorization_code"],
      "redirect_uris": ["https://awx.acme.eu/sso/complete/oidc/"],
      "scopes": ["openid", "profile", "email"],
      "token_endpoint_auth_method": "client_secret_post"
    }'

Step 2 — Configure OIDC in AWX Settings

Via AWX Web UI

  1. Settings → Authentication → Generic OIDC
  2. Fill in:

    | Setting | Value |
    | --- | --- |
    | OIDC Key (Client ID) | awx |
    | OIDC Secret | cs_xxxxxxxxxxxxxxxx |
    | OIDC Provider URL | https://id.acme.eu/acme |
    | OIDC Public Key | leave empty — AWX fetches from discovery |

  3. Save

Via AWX REST API / awxkit

bash
$ curl -u "admin:$AWX_ADMIN_PW" -X PATCH \
    https://awx.acme.eu/api/v2/settings/oidc/ \
    -H 'Content-Type: application/json' \
    -d '{
      "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT": "https://id.acme.eu/acme",
      "SOCIAL_AUTH_OIDC_KEY": "awx",
      "SOCIAL_AUTH_OIDC_SECRET": "cs_xxxxxxxxxxxxxxxx"
    }'

Step 3 — Organization and Team Mapping

AWX can automatically assign users to organizations and teams based on the groups claim. Configure in Settings → Authentication → Generic OIDC → OIDC Organization Map:

JSON — OIDC Organization Map
{
  "Acme Corp": {
    "admins": ["awx-admins"],
    "users": true,
    "remove_admins": false,
    "remove_users": false
  }
}

JSON — OIDC Team Map
{
  "Infra Team": {
    "organization": "Acme Corp",
    "users": ["awx-infra"],
    "remove": false
  },
  "Dev Team": {
    "organization": "Acme Corp",
    "users": ["awx-dev"],
    "remove": false
  }
}

Groups claim: AWX reads groups from the groups claim in the UserInfo response. Ensure the groups scope is added to the Clavex client and that users are assigned to groups in the Clavex Admin Console.
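
The remove_admins, remove_users and remove flags in the maps above are all false, so a login can add a role but never take one away. The following Python sketch is an added example, not code from AWX or Clavex: it models that behaviour, assuming list entries are matched against the groups claim as this page describes and that an omitted remove flag counts as true. The helper names matches, apply_login and stale_roles are hypothetical.

```python
# Added example: a simplified model of the map behaviour this page describes.
# Assumption: a list entry is matched against the names in the groups claim.
ORG_MAP = {
    "Acme Corp": {"admins": ["awx-admins"], "users": True,
                  "remove_admins": False, "remove_users": False},
}
TEAM_MAP = {
    "Infra Team": {"organization": "Acme Corp", "users": ["awx-infra"], "remove": False},
    "Dev Team": {"organization": "Acme Corp", "users": ["awx-dev"], "remove": False},
}


def matches(rule, groups):
    """True: everyone. List or string: any listed group present. False: nobody."""
    if rule is True:
        return True
    if not rule:
        return False
    wanted = {rule} if isinstance(rule, str) else set(rule)
    return bool(wanted & set(groups))


def apply_login(current, groups, org_map=ORG_MAP, team_map=TEAM_MAP):
    """Return the roles held after one login; `current` is the set held before."""
    roles = set(current)

    def update(role, rule, remove):
        if rule is None:              # key absent: the map leaves this role alone
            return
        if matches(rule, groups):
            roles.add(role)
        elif remove:                  # revoked only when the remove flag is true
            roles.discard(role)

    # Assumption: an omitted remove flag counts as true.
    for org, cfg in org_map.items():
        update(("org-admin", org), cfg.get("admins"), cfg.get("remove_admins", True))
        update(("org-user", org), cfg.get("users"), cfg.get("remove_users", True))
    for team, cfg in team_map.items():
        update(("team", team), cfg.get("users"), cfg.get("remove", True))
    return roles


def stale_roles(before, after, **maps):
    """Roles kept after a group change that the new groups would not grant."""
    held = apply_login(set(), before, **maps)
    kept = apply_login(held, after, **maps)
    return kept - apply_login(set(), after, **maps)
```

In this model, a user taken out of awx-admins and awx-infra in Clavex still holds the Acme Corp admin role and the Infra Team membership after the next login; with the remove flags set to true, stale_roles returns an empty set.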

Step 4 — Test

  1. Navigate to https://awx.acme.eu
  2. Click Sign in with OIDC
  3. Authenticate via Clavex — you are redirected back to AWX with the correct organization and team

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| OIDC login button not shown | OIDC endpoint not configured or unreachable | Check SOCIAL_AUTH_OIDC_OIDC_ENDPOINT; AWX must be able to reach the discovery URL |
| state mismatch error | CSRF or session issue | Ensure AWX SESSION_COOKIE_SECURE matches the HTTPS setup; clear browser cookies |
| Users logged in but no org assigned | Org map not configured or groups claim missing | Check OIDC Organization Map JSON; verify groups scope in Clavex client |
| Superuser not created for first admin | No superuser flag in OIDC map | Add "is_superuser": ["awx-admins"] to the OIDC Organization Map |