Available as of v2.1.0
If your organization uses Keycloak Identity Provider (IdP) for user authentication, you can configure Rancher to allow your users to log in using their IdP credentials.
In Keycloak, create a new SAML client with the settings below. See the Keycloak documentation for help.

| Setting | Value |
| --- | --- |
| Sign Documents | ON (1) |
| Sign Assertions | ON (1) |
| All other ON/OFF settings | OFF |
| Client ID | https://yourRancherHostURL/v1-saml/keycloak/saml/metadata (2), or the value of the Entry ID Field in the Rancher Keycloak configuration |
| Client Name | rancher |
| Client Protocol | SAML |
| Valid Redirect URI | https://yourRancherHostURL/v1-saml/keycloak/saml/acs |

1: Optionally, you can enable either one or both of these settings.
2: Rancher SAML metadata won't be generated until a SAML provider is configured and saved.
Export a metadata.xml file from your Keycloak client: on the Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download the file.
Note: Keycloak versions 6.0.0 and up no longer provide the IdP metadata under the Installation tab. You can still get the XML from the following URL:

https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor

The XML obtained from this URL has EntitiesDescriptor as its root element. Rancher expects the root element to be EntityDescriptor rather than EntitiesDescriptor, so before passing this XML to Rancher, adjust it as follows:

1. Copy all the attributes of EntitiesDescriptor that are not already present on EntityDescriptor over to EntityDescriptor.
2. Remove the <EntitiesDescriptor> tag from the beginning.
3. Remove the </EntitiesDescriptor> tag from the end of the XML.

You are left with something similar to the example below:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
....
</EntityDescriptor>
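The adjustment described in this note, as an added example that is not part of the Rancher documentation: a Python script that performs the same rewrite with the standard library's ElementTree instead of a text editor. The embedded descriptor is constructed (abridged, placeholder host keycloak.example, no certificate), and MD_NS, DSIG_NS and the function names are the example's own.

```python
# Added example, not from the Rancher docs: rewrite the realm descriptor that
# Keycloak 6+ serves at .../protocol/saml/descriptor so its root is the
# EntityDescriptor Rancher expects. Stdlib only; the sample XML is constructed.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD_NS)  # keep xmlns= / xmlns:dsig= in the output
ET.register_namespace("dsig", DSIG_NS)  # rather than ElementTree's ns0/ns1

# Constructed, abridged stand-in for Keycloak's output (placeholder host, no cert).
SAMPLE_DESCRIPTOR = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <EntityDescriptor entityID="https://keycloak.example/auth/realms/demo">
    <IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo><dsig:KeyName>demo-key</dsig:KeyName></dsig:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def root_tag(xml_text: str) -> str:
    """Local name of the root element, for a quick pre-flight check."""
    return ET.fromstring(xml_text).tag.split("}")[-1]


def unwrap_entities_descriptor(xml_text: str) -> str:
    """Apply the manual steps from the note: copy the attributes that
    EntitiesDescriptor has and EntityDescriptor lacks, then drop the wrapper.
    Input whose root is already EntityDescriptor is passed through."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        return ET.tostring(root, encoding="unicode")
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entities = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    if len(entities) != 1:  # Rancher is configured against a single IdP
        raise ValueError(f"expected one EntityDescriptor, found {len(entities)}")
    entity = entities[0]
    # xmlns declarations are not attributes here; the serialiser re-emits the
    # namespaces the subtree uses. Other attributes (Keycloak adds Name) are copied.
    for name, value in root.attrib.items():
        entity.attrib.setdefault(name, value)
    return ET.tostring(entity, encoding="unicode")
```

Pass the downloaded descriptor's text to unwrap_entities_descriptor and save the returned string as the metadata.xml you upload to Rancher; root_tag lets you confirm the result reads EntityDescriptor before uploading.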
From the Global view, select Security > Authentication from the main menu.
Select Keycloak.
Complete the Configure Keycloak Account form. The attribute fields take Keycloak SAML attribute names such as givenName, email and member.
Tip: You can generate a key/certificate pair using an openssl command. For example:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert
After you complete the Configure Keycloak Account form, click Authenticate with Keycloak, which is at the bottom of the page.
Rancher redirects you to the IdP login page. Enter credentials that authenticate with Keycloak IdP to validate your Rancher Keycloak configuration.
Note: You may have to disable your popup blocker to see the IdP login page.
Result: Rancher is configured to work with Keycloak. Your users can now sign into Rancher using their Keycloak logins.
SAML Provider Caveats:

SAML Protocol does not support search or lookup for users or groups. Therefore, there is no validation on users or groups when adding them to Rancher.

When adding users, the exact user IDs (i.e. UID Field) must be entered correctly. As you type the user ID, there will be no search for other user IDs that may match.

When adding groups, you must select the group from the drop-down that is next to the text box. Rancher assumes that any input from the text box is a user.

The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of.
If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration options of your SAML client. You may also inspect the Rancher logs to help pinpoint the cause of the problem; debug logs may contain more detailed information about the error. Please refer to How can I enable debug logging in this documentation.
You are not redirected to your IdP: when you click Authenticate with Keycloak, you are not redirected to your IdP. Verify your Keycloak client configuration, in particular the Force Post Binding setting.

Forbidden message after IdP login: you are correctly redirected to your IdP login page and are able to enter your credentials, but you get a Forbidden message afterwards. Check the Rancher debug log. If it shows ERROR: either the Response or Assertion must be signed, make sure Sign Documents or Sign Assertions is enabled in your Keycloak client.

The Rancher SAML metadata cannot be retrieved: this is usually due to the metadata not being created until a SAML provider is configured. Try configuring and saving Keycloak as your SAML provider and then accessing the metadata.

Keycloak rejects the response: check the Keycloak log. If it shows failed: org.keycloak.common.VerificationException: Client does not have a public key, review the Encrypt Assertions setting of your Keycloak client; the client settings above leave it OFF.

Keycloak rejects the request: check the Keycloak log. If it shows request validation failed: org.keycloak.common.VerificationException: SigAlg was null, review the Client Signature Required setting of your Keycloak client; the client settings above leave it OFF as well.