Skip to content

Latest commit

 

History

History
61 lines (46 loc) · 3.37 KB

auth-providers.md

File metadata and controls

61 lines (46 loc) · 3.37 KB
Raw

Auth Providers

Github

Developer Set up

Follow the in-dashboard instructions when configuring a Github auth provider.

Multiple GitHub auth configs

The auth system supports multiple GitHub auth URLs and using the appropriate one based on the Host header that a request comes in on. Configuring this is not exposed in the regular UI, but is particularly useful for development against a server that already has GitHub setup.

In management.cattle.io.authconfig, edit the github entry. Add a hostnameToClientId map of Host header value -> GitHub client ID:

hostnameToClientId:
  "localhost:8005": <your GitHub Client ID for localhost:8005>

In the secret, namespace cattle-global-data, edit githubconfig-clientsecret. Add GitHub client ID -> base64-encoded client secret to the data section:

data:
  clientsecret: <the normal client secret already configured>
  <your client id>: <your base64-encoded client secret for localhost:8005>

Keycloak

Developer Set Up (SAML)

Use the steps below to set up a Keycloak instance for dev environments and configure an Auth Provider for it.

  1. Bring up a local Keycloak instance in docker using the instructions at here.

    Ensure that the admin user has a first name, last name and email. These fields are referenced in the Keycloak client's mappers which are then referenced in the Rancher's auth provider config.

    Double check the client has the correct checkboxes set, specifically the Mappers group entry.

  2. Using either the Ember or Vue UI set up the Keycloak auth provider by follow the instructions at here

    Field Value
    Display Name Field givenName
    User Name Field email
    UID Field email
    Groups Field member
    Entity ID Field Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/v1-saml/keycloak/saml/metadata
    Rancher API Host Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/
    Private Key For key and cert files, export the Client in the Keycloak UI via the Clients list page and extract & wrap the saml.signing.certificate and saml.signing.private.key as cert files (see step 5 for more info).
    Certificate See Private Key section above
    Metadata For the SAML Metadata, download as per Rancher docs. Be sure to follow the NOTE instructions regarding EntitiesDescriptor and EntityDescriptor. For a better set of instructions see step 6

Developer Set Up (OIDC)

  1. In Vue UI set up the Keycloak OIDC provider with the following values
    Field Value
    Client ID Find via the keycloak console
    Client Secret Find via the keycloak console (client's credentials tab)
    Private Key (optional)
    Certificate (optional)
    Keycloak URL URL of keycloak instance (no path)
    Keycloak Realm Find via the keycloak console (above menu on left or in path after /realms/)

The user used when enabling the provider must be an Admin or in a group