Ansible Module - oci_identity_provider - Parameter 'metadata_url'
vijaykri-in opened this issue · 7 comments
Issue Report
Describe the issue
Currently we are trying to automate our internal federation using the 'oci_identity_provider' module, but this module requires 'metadata_url', whereas the Console asks only for the following details:
- Oracle Identity Cloud Service Base URL
- Client ID
- Client Secret
How do we automate with these details using the above Ansible module? And why does the Ansible module ask for the metadata_url parameter? Is it possible to automate federation with the above details?
Expected behavior
How to use this module to automate federation with the above listed details.
Environment
- OS version: OL7.8
- Ansible version:
  ansible 2.9.6
  config file = None
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /root/.local/lib/python2.7/site-packages/ansible
  executable location = /root/bin/ansible
  python version = 2.7.5 (default, Nov 27 2019, 09:57:45) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
- OCI Python SDK version: 2.12.3
- OCI Ansible Modules version: 1.6.0-dev
Ansible playbook to reproduce the issue
N/A
In the documentation, metadata URL is required:
https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/federatingIDCS.htm
Here is an example:
```yaml
- name: Create an identity provider
  oci_identity_provider:
    compartment_id: 'ocid1.tenancy.oc1..xxxxxEXAMPLExxxxx'
    description: test identity provider
    freeform_attributes:
      clientId: app_sf3kdjf3
    metadata_url: https://myidpserver/FederationMetadata/2007-06/FederationMetadata.xml
    name: mytestidentityprovider
    product_type: IDCS
    protocol: SAML2
```
This is the API behind the Ansible playbook:
https://docs.cloud.oracle.com/en-us/iaas/api/#/en/identity/20160918/datatypes/CreateIdentityProviderDetails
SAML2 (See CreateSaml2IdentityProviderDetails)
https://docs.cloud.oracle.com/en-us/iaas/api/#/en/identity/20160918/datatypes/CreateSaml2IdentityProviderDetails
Hi,
Thanks for the update. Why is metadata_url required only for automation? The same is not required in the web console. Currently we do not have the metadata_url details. In that case, how can we go with automation?
The Oracle Identity Cloud Service Base URL has the metadata if you add this path: /fed/v1/metadata
Here is the documentation:
The easiest way to federate with Oracle Identity Cloud Service is through the Oracle Cloud Infrastructure Console, although you could do it programmatically with the API. If you're using the Console, you're asked to provide a base URL instead of the metadata URL. The base URL is the left-most part of the URL in the browser window when you're signed in to the Identity Cloud Service console:
Base URL: <Identity Cloud Service account name>.identity.oraclecloud.com
If you're using the API to federate, you need to provide the metadata URL, which is the base URL with /fed/v1/metadata appended, like so:
Metadata URL: <Identity Cloud Service account name>.identity.oraclecloud.com/fed/v1/metadata
The metadata URL links directly to the IdP-provided XML required to federate. If you're using the API, you need to provide both the metadata URL and the metadata itself when federating. For more information, see Managing Identity Providers in the API.
Since the metadata content is also required, you can get it from the metadata URL and pass it to the module:
```yaml
- name: Get content
  uri:
    url: .identity.oraclecloud.com/fed/v1/metadata
    return_content: yes
  register: metadata_result

- name: create an identity provider
  oci_identity_provider:
    compartment_id: "{{ tenancy_ocid }}"
    description: "{{ test_identity_provider_description }}"
    freeform_attributes: "{{ test_identity_provider_freeform_attributes }}"
    freeform_tags: "{{ test_identity_provider_freeform_tags }}"
    metadata: "{{ metadata_result.content }}"
    name: "{{ test_identity_provider_name }}"
    product_type: "{{ test_identity_provider_product_type }}"
    protocol: "{{ test_identity_provider_protocol }}"
  register: create_identity_provider_result
```
@nalsaber Thank you for the inputs. We have tried the above method, but we are getting the error below:
TASK [oci_idcs_federation : Get content] *******************************************************************************************************************************************************************
Wednesday 06 May 2020 10:15:59 +0000 (0:00:00.079) 0:00:10.912 *********
ok: [AUCALVA01-IAM -> localhost]
TASK [oci_idcs_federation : Create an identity providerCreate an identity provider] ************************************************************************************************************************
Wednesday 06 May 2020 10:16:07 +0000 (0:00:07.565) 0:00:18.478 *********
fatal: [AUCALVA01-IAM -> localhost]: FAILED! => {"changed": false, "msg": "{'status': 400, 'message': u'Invalid xml string. Content is not allowed in prolog.', 'code': u'InvalidSAMLMetadata', 'opc-request-id': '4B37DED0D7C44781919BF25A6DBA0B1E/51567F1AA268E4CB48EFA6BB90D061A2/6E20E527E3B505A048E8D5CDFFE09696'}"}
Can you check the content of the URL xxx.identity.oraclecloud.com/fed/v1/metadata?
It looks like it is not XML (Error: Invalid xml string.)
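The check suggested above can be scripted. The following is an added example, not code from the issue, from Ansible, or from the OCI modules: it takes the bytes fetched from the metadata URL (the `content` that the `uri` task registers) and reports whether they are well-formed SAML 2.0 identity-provider metadata before anything is passed to `oci_identity_provider` as `metadata`. It catches the shapes behind the `InvalidSAMLMetadata` / "Content is not allowed in prolog" rejection that a strict XML parser produces: a byte-order mark or text ahead of the XML declaration, an HTML sign-in or error page instead of XML, or XML whose document element is not `EntityDescriptor`. It also lists the signing certificates the tenancy would trust after federating, which is what an operator should review. The sample metadata, entity ID and certificate text are constructed placeholders.

```python
"""Pre-flight check for a body fetched from <base URL>/fed/v1/metadata before it
is handed to oci_identity_provider as 'metadata'.

Added example; not code from the issue, Ansible, or the OCI Ansible modules.
"""
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": SAML_MD_NS, "ds": XMLDSIG_NS}
UTF8_BOM = b"\xef\xbb\xbf"


def inspect_saml_metadata(raw):
    """Classify raw (bytes) as usable SAML 2.0 IdP metadata, or say why not.

    Returns a dict with: ok (bool), reason (str), entity_id (str or None) and
    signing_certs (base64 strings from KeyDescriptor use="signing"; these are
    the keys whose signatures the tenancy will accept once federated).
    """
    out = {"ok": False, "reason": "", "entity_id": None, "signing_certs": []}
    if raw.startswith(UTF8_BOM):
        out["reason"] = "UTF-8 byte-order mark before the XML declaration"
        return out
    head = raw.lstrip()
    if not head:
        out["reason"] = "empty body"
        return out
    if not head.startswith(b"<"):
        # Non-whitespace bytes before the first markup are what a strict XML
        # parser reports as content in the prolog.
        out["reason"] = "non-XML text before the first element: %r" % head[:32]
        return out
    if head[:14].lower().startswith(b"<!doctype html") or head[:5].lower() == b"<html":
        out["reason"] = "body is an HTML page (sign-in or error page), not metadata"
        return out
    try:
        # Parse the original bytes, not the stripped copy, so whitespace ahead of
        # the declaration is still reported. Stdlib ElementTree does not fetch
        # external DTDs or entities; use defusedxml for less trusted sources.
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        out["reason"] = "not well-formed XML: %s" % exc
        return out
    want = "{%s}EntityDescriptor" % SAML_MD_NS
    if root.tag != want:
        out["reason"] = "document element is %s, expected %s" % (root.tag, want)
        return out
    out["entity_id"] = root.get("entityID")
    if root.find("md:IDPSSODescriptor", NS) is None:
        out["reason"] = "no IDPSSODescriptor: this is not identity-provider metadata"
        return out
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall(".//ds:X509Certificate", NS):
                out["signing_certs"].append("".join((cert.text or "").split()))
    out["ok"] = True
    out["reason"] = "SAML 2.0 IdP metadata for %s" % out["entity_id"]
    return out


# Constructed sample of what a healthy fetch looks like (placeholder values).
GOOD_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.identity.oraclecloud.com/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBconstructedPlaceholderNotARealCertificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.identity.oraclecloud.com/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # Constructed bodies that the Identity API would reject, beside a good one.
    samples = {
        "good": GOOD_METADATA,
        "bom": UTF8_BOM + GOOD_METADATA,
        "text": b"Not Found",
        "html": b"<!DOCTYPE html><html><body>Sign in</body></html>",
        "wrong-root": b"<foo/>",
    }
    for label, body in samples.items():
        verdict = inspect_saml_metadata(body)
        print("%-10s ok=%-5s %s" % (label, verdict["ok"], verdict["reason"]))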
The legacy OCI Ansible modules have been deprecated in favor of the new OCI Ansible collection. These are no longer supported and there will be no further updates or fixes. Please migrate to the OCI Ansible collection for improved features and continued support. Refer to the Migration Guide for best practices.