IT Automation
REMOTE_USER / X-Forwarded-User
Zero-Day Shield

SSO + Zero-Day Protection for AWX / Ansible Automation Platform

by Red Hat (Ansible)

Add SAML/OIDC SSO to AWX — Shield Ansible Automation from Zero-Day Exploits

Why AWX / Ansible Automation Platform Needs an Authenticated Proxy

AWX is the open-source upstream project for Red Hat Ansible Automation Platform, providing a web UI, REST API, and job engine for running Ansible playbooks. AWX manages machine credentials (SSH keys, passwords, cloud API tokens), playbook inventories, and job templates that execute with privileged access across your infrastructure. A compromised AWX instance gives attackers the ability to execute arbitrary Ansible playbooks on any managed host, extract stored credentials, and modify infrastructure configuration at scale. OnePAM adds enterprise SSO and zero-day protection by placing an authenticated reverse proxy in front of AWX. Users authenticate via your corporate IdP, and OnePAM ensures only verified users can access automation resources.

HTTP Header Authentication
REMOTE_USER / X-Forwarded-User

AWX supports external authentication via a trusted proxy that provides the authenticated username. OnePAM injects the verified identity header, and AWX creates the session based on the trusted user.

AWX / Ansible Automation Platform Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

AWX/Tower has had critical RCE vulnerabilities via playbook injection
Machine credentials (SSH keys, cloud API tokens) are stored in AWX credential vault
Playbook execution provides root-level access to all managed infrastructure
Inventory data reveals complete infrastructure topology and access patterns

Security Challenges with AWX / Ansible Automation Platform

These are the risks organizations face when AWX / Ansible Automation Platform is not behind an authenticated proxy.

Infrastructure-Wide Access

AWX playbooks execute with privileged access across all managed hosts. Unauthorized execution enables infrastructure-wide compromise.

Credential Vault Exposure

AWX stores SSH keys, passwords, cloud API tokens, and vault passwords needed by playbooks. Compromise exposes all managed credentials.

Playbook Injection Risk

AWX has had vulnerabilities allowing malicious playbook injection, enabling arbitrary code execution on managed hosts.

Inventory Data Sensitivity

AWX inventories document every managed host, group, and variable — a complete map of your automation-managed infrastructure.

Limited OSS Auth

AWX (open source) has more limited authentication options compared to the commercial Ansible Automation Platform.

Job Template Manipulation

Unauthorized job template modification can change which playbooks run, with what credentials, on which hosts.

How OnePAM Adds SSO + Zero-Day Protection to AWX / Ansible Automation Platform

A step-by-step guide to deploying OnePAM's authenticated proxy in front of AWX / Ansible Automation Platform.

1. Deploy OnePAM as AWX's Gateway

Place OnePAM in front of the AWX web interface and API.

AWX's NGINX is configured to accept connections only from OnePAM. The AWX login page is never directly accessible.

2. Configure IdP Federation

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles authentication, MFA enforcement, and group membership retrieval.

3. Enable Proxy Authentication

OnePAM injects the authenticated user identity via HTTP headers that AWX trusts.

AWX accepts the pre-authenticated identity and creates user sessions automatically. No AWX login page is shown.

4. Map Automation Access

IdP groups determine who can access which organizations, inventories, and job templates.

Platform engineers get admin access, operators execute pre-defined templates, and auditors get read-only views — from your IdP.

5. Audit Automation Operations

Every AWX operation is logged with corporate identity context.

Know who launched which playbook, on which hosts, with what credentials, and what the results were.
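The two properties that make REMOTE_USER / X-Forwarded-User authentication safe are easy to state and easy to get wrong: the proxy must discard any identity header a client sends and set it only from its own IdP-verified session, and AWX's listener must accept that header only from the proxy's address, never from a direct connection. The following added example models the deployment steps above (gateway, IdP session, header injection, group mapping, step-up MFA for production launches as described in the FAQ) as plain Python so the checks can be exercised offline. It is not OnePAM's or AWX's code; the header names, the 10.0.1.0/24 proxy subnet, the session store, the group names and the launch-path policy are all constructed assumptions for this illustration.

```python
"""Model of trusted-proxy header authentication in front of AWX (added example).

Two hops are modelled:
  proxy_forward()    - the authenticating proxy: strips client identity headers,
                       looks up the IdP-backed session, injects the verified user.
  backend_identity() - the AWX side: trusts X-Forwarded-User only when the TCP
                       peer is the proxy.
Every address, session and policy value below is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field

# Header names the backend is configured to trust. A client must never be able
# to set these, so the proxy removes them from every inbound request.
IDENTITY_HEADERS = {"x-forwarded-user", "remote-user", "remote_user", "x-forwarded-groups"}

# Constructed: the subnet AWX's NGINX is told to accept connections from (step 1).
TRUSTED_PROXY_NET = ipaddress.ip_network("10.0.1.0/24")

# Constructed session store: identity the proxy learned from the IdP (step 2).
SESSIONS = {
    "sess-alice": {"user": "alice@example.com", "groups": ["awx-platform-admins"], "mfa": True},
    "sess-bob": {"user": "bob@example.com", "groups": ["awx-operators"], "mfa": False},
}


def requires_mfa(method: str, path: str) -> bool:
    """Constructed policy: launching a job template needs step-up MFA (FAQ)."""
    return method == "POST" and path.startswith("/api/v2/job_templates/") and path.endswith("/launch/")


@dataclass
class Request:
    remote_addr: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names exactly as the client sent them
    cookies: dict = field(default_factory=dict)


def proxy_forward(req: Request):
    """Proxy side (step 3). Returns (verdict, upstream_headers).

    verdict is "forward" (identity injected), "login" (no verified session, send
    the user to the IdP) or "step_up" (session exists but MFA is required here).
    """
    # Strip client-supplied identity headers unconditionally; only the proxy sets them.
    upstream = {k: v for k, v in req.headers.items() if k.lower() not in IDENTITY_HEADERS}
    session = SESSIONS.get(req.cookies.get("onepam_session", ""))
    if session is None:
        return "login", None
    if requires_mfa(req.method, req.path) and not session["mfa"]:
        return "step_up", None
    # Inject the verified identity and group list; AWX builds its session from these (steps 3-4).
    upstream["X-Forwarded-User"] = session["user"]
    upstream["X-Forwarded-Groups"] = ",".join(session["groups"])
    return "forward", upstream


def backend_identity(remote_addr: str, headers: dict):
    """AWX side (step 1): honour X-Forwarded-User only from the proxy subnet.

    Returns the username AWX should log in, or None to refuse the request.
    """
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXY_NET:
        return None  # direct connection that bypassed the proxy: the header is untrusted
    return headers.get("X-Forwarded-User") or None


def end_to_end(req: Request, proxy_addr: str = "10.0.1.5"):
    """Drive one request through both hops.

    Returns the identity AWX would see, or the proxy's verdict when it refused to forward.
    """
    verdict, upstream = proxy_forward(req)
    if verdict != "forward":
        return verdict
    return backend_identity(proxy_addr, upstream)


if __name__ == "__main__":
    # A client that sets X-Forwarded-User itself but holds no session is sent to login.
    print(end_to_end(Request("203.0.113.9", "GET", "/api/v2/me/", {"X-Forwarded-User": "admin"})))
    # The same header from a user with a real session is replaced by the verified identity.
    print(end_to_end(Request("203.0.113.9", "GET", "/api/v2/me/",
                             {"X-Forwarded-User": "admin"}, {"onepam_session": "sess-alice"})))
    # A connection that reaches AWX without passing through the proxy is refused.
    print(backend_identity("203.0.113.9", {"X-Forwarded-User": "admin"}))
```

The two functions correspond to two configuration points in a real deployment: the proxy's header rewrite (drop inbound identity headers, then set them) and the backend NGINX's source restriction (accept only the proxy's addresses). Either check on its own is insufficient; a backend that trusts the header from any peer, or a proxy that passes client headers through, turns header authentication into a free choice of username.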

Benefits of Securing AWX / Ansible Automation Platform with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of AWX / Ansible Automation Platform.

Protect Automation Infrastructure

Only authenticated users can access AWX. Playbook injection and RCE CVEs are blocked at the proxy layer.

Zero unauthorized automation access

Shield Machine Credentials

SSH keys, cloud API tokens, and vault passwords are protected behind identity-verified access.

Credential theft prevented

Enterprise SSO for AWX

OnePAM provides SAML/OIDC SSO for AWX without requiring Ansible Automation Platform licensing.

Enterprise SSO at no extra cost

MFA for Automation

Require MFA before launching playbooks or accessing credential vaults.

MFA-gated automation

Identity-Tied Job Execution

Every playbook execution is linked to a verified corporate identity.

Identity-bound automation

Complete Automation Audit

Every job launch, credential access, and inventory change is logged with corporate identity.

Full automation audit trail

AWX / Ansible Automation Platform SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for AWX / Ansible Automation Platform.

SAML 2.0 & OIDC SSO for AWX via proxy authentication
Organization and team access policies from IdP groups
Job template execution authorization
Credential vault access controls
Session recording for automation operations
IP and geo-restriction for AWX access
Device trust verification
REST API access policies and auditing
Inventory access controls
Multi-AWX instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield AWX / Ansible Automation Platform from exploitation.

AWX isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against AWX playbook injection CVEs
Credential vault access auditing
Automatic session termination on IdP sign-out

AWX / Ansible Automation Platform SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of AWX / Ansible Automation Platform.

1. Platform engineers managing Ansible automation via corporate SSO with MFA
2. Operators executing pre-defined job templates with restricted access
3. Security teams auditing automation operations with session recording
4. Restricting production playbook execution to senior engineers with step-up MFA
5. Protecting AWX from playbook injection and RCE exploitation
6. Compliance-driven automation access auditing for SOC 2 and PCI DSS

AWX / Ansible Automation Platform SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for AWX / Ansible Automation Platform.

Does OnePAM work with AWX (open source) or only Ansible Automation Platform?

OnePAM works with both AWX (open source) and Red Hat Ansible Automation Platform. Proxy authentication is supported in both editions.

Can we restrict who can launch specific job templates?

Yes. OnePAM passes IdP group memberships that map to AWX organizations and teams. AWX's RBAC system controls which teams can access and execute specific job templates.

Does OnePAM protect the AWX REST API?

Yes. OnePAM enforces authentication on all AWX endpoints. Automated API calls can use tokens while interactive sessions require full SSO.

Can we require MFA for production playbook execution?

Yes. OnePAM supports path-based and context-aware policies. Production job launches can require step-up MFA while read-only access uses standard SSO.

Does OnePAM affect AWX callback and webhook endpoints?

OnePAM supports policy exceptions for specific endpoints. AWX callback URLs and webhook receivers can be configured with different authentication requirements.

Ready to Secure AWX / Ansible Automation Platform with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no AWX / Ansible Automation Platform code changes required. Start your free 14-day trial today.