In Exercise-2 we configure Keycloak for integration with Rancher: a dedicated realm, a test user, a confidential OIDC client, and the protocol mappers Rancher expects.
Click on the dropdown under Master and you will be presented with the option "Add realm".
Provide the name "rancher", leave everything else at its default and click "Create".
Name = rancher
Once the realm "rancher" has been created, Keycloak takes you to the realm settings page, where additional realm settings can be configured.
Set Display name to "rancher sso", leave all other options at their defaults and click Save.
Display name = "rancher sso"
Under the Manage section, open Users.
Click on Add user.
Username = admin
First Name = rancher
Last Name = admin
Click on Save button.
Once the admin user is created, a Success message is shown.
Set a password for the admin user on the Credentials tab.
Click Set Password, enter the new password twice and keep the Temporary switch ON (its default); a temporary password forces the user to choose a new one at first login, which is the prompt you will see when testing below.
A confirmation dialog asks you to confirm Set password.
Click on Set password to confirm.
Now test the admin user login using the Base URL of the account-console client.
Home > Configure > Clients > account-console > Base URL
Copy the Base URL and paste it into your browser.
Click on Sign In
You are presented with the Keycloak login window.
Log in with the admin user and the password set in the previous step.
Because the password was set as temporary, Keycloak prompts you to choose a new admin password before continuing.
After successful authentication you are taken to the Keycloak Account Management page.
Click Sign Out to exit.
Now create a new client named rancher.
Home > Configure > Clients > Create
Fill in the Add Client form as below
Client ID = rancher
Client Protocol = openid-connect
Leave everything else at its default and click Save.
A Success message is shown and the client's Settings tab opens.
On the Settings tab, set the following
Client ID = rancher
Name = rancher sso
Client Protocol = openid-connect
Access Type = confidential (a confidential client must present a client secret; that secret is copied from the Credentials tab later in this exercise)
Keep everything else at its default; do not save yet, the Valid Redirect URI comes from Rancher in the next step.
The next step takes place in the Rancher UI.
Switch to the Rancher UI (for login credentials refer to Exercise-1).
Home > Configuration > Users and Authentication > Auth Provider > Keycloak (OIDC)
Under Endpoints, find the Rancher URL and copy it.
Switch back to Keycloak UI
Find the Valid Redirect URIs field and paste the Rancher URL copied from the Rancher UI. Use the exact URL; do not widen it with a wildcard, since any URI matching the pattern could receive the authorization code.
Keep all other settings at their defaults.
Click on Save
On completion a Success message is shown.
Now copy the Secret value from the Credentials tab.
Home > Configure > Clients > Rancher > Credentials
Switch to the Rancher UI window and paste the secret into the Client Secret field. Treat this value like a password: it is what allows Rancher to exchange authorization codes for tokens.
Now create the Mappers in Keycloak. Rancher reads group membership from the userinfo endpoint and checks the audience of the access token, which is why the two group mappers go to userinfo only and the audience mapper goes to the access token.
Switch to the Keycloak UI window and open the Mappers tab.
Home > Configure > Clients > Rancher > Mappers
Click Create button
Fill in as below
Name = Groups Mapper
Mapper Type = Group Membership
Token Claim Name = groups
Full group path = OFF
Add to ID token = OFF
Add to access token = OFF
Add to userinfo = ON
Click on Save
On completion a Success message is shown.
Click on Create again.
Fill in as below
Name = Client Audience
Mapper Type = Audience
Included Client Audience = rancher (use dropdown for client selection )
Add to ID token = OFF
Add to access token = ON
Click on Save
A Success message is shown.
Click on Create once more.
Fill in as below
Name = Group Path
Mapper Type = Group Membership (select from dropdown list)
Token Claim Name = full_group_path
Full group path = ON
Add to ID token = OFF
Add to access token = OFF
Add to userinfo = ON
Click on Save
A Success message is shown.
Finally, all 3 mappers are listed:
Groups Mapper
Client Audience
Group Path
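The same realm, user, client and three mappers can be created without clicking through the console, using Keycloak's admin CLI kcadm.sh. The script below is an added example for this exercise, not part of the original lab or of the Rancher documentation. It assumes kcadm.sh is on PATH (or KCADM points to it), that KC_SERVER and KC_ADMIN_PASSWORD hold the master-realm admin login, that RANCHER_ADMIN_INITIAL_PASSWORD is the temporary password for the realm's admin user, and that RANCHER_REDIRECT_URI is the Rancher URL copied from the Rancher UI above. The mapper settings are the ones from the three GUI steps; the redirect-URI check rejects wildcards and plain http, which the lab never asks for.

```shell
#!/bin/sh
# Added example (not from the original lab): realm, user, client and mappers
# for Rancher via kcadm.sh. Assumed environment: KC_SERVER, KC_ADMIN_PASSWORD,
# RANCHER_ADMIN_INITIAL_PASSWORD, RANCHER_REDIRECT_URI (all hypothetical names).
set -eu

KCADM="${KCADM:-kcadm.sh}"        # set KCADM=echo to print the calls without a server
REALM="${REALM:-rancher}"
CLIENT_ID="${CLIENT_ID:-rancher}"

# Accept only an exact https redirect URI: a wildcard lets any matching path
# receive the authorization code, and plain http exposes the code on the wire.
redirect_uri_ok() {
  case "$1" in
    *'*'*)     return 1 ;;
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# JSON for a Group Membership mapper: $1 name, $2 claim name, $3 full-path flag.
# As in the GUI: not in ID token, not in access token, userinfo only.
group_mapper_json() {
  printf '{"name":"%s","protocol":"openid-connect","protocolMapper":"oidc-group-membership-mapper","config":{"claim.name":"%s","full.path":"%s","id.token.claim":"false","access.token.claim":"false","userinfo.token.claim":"true"}}\n' "$1" "$2" "$3"
}

# JSON for the Audience mapper: aud = the rancher client, access token only.
audience_mapper_json() {
  printf '{"name":"Client Audience","protocol":"openid-connect","protocolMapper":"oidc-audience-mapper","config":{"included.client.audience":"%s","id.token.claim":"false","access.token.claim":"true"}}\n' "$1"
}

# $1 = internal client id; mapper JSON arrives on stdin (-f - reads stdin).
add_mapper() {
  "$KCADM" create "clients/$1/protocol-mappers/models" -r "$REALM" -f -
}

main() {
  redirect_uri_ok "$RANCHER_REDIRECT_URI" || {
    echo "refusing redirect URI: $RANCHER_REDIRECT_URI" >&2; exit 1; }

  # Admin session against the master realm
  "$KCADM" config credentials --server "$KC_SERVER" --realm master \
    --user "${KC_ADMIN_USER:-admin}" --password "$KC_ADMIN_PASSWORD"

  # Realm "rancher", display name "rancher sso"
  "$KCADM" create realms -s "realm=$REALM" -s enabled=true -s 'displayName=rancher sso'

  # User admin / rancher admin; --temporary forces a reset at first login
  "$KCADM" create users -r "$REALM" -s username=admin -s firstName=rancher \
    -s lastName=admin -s enabled=true
  "$KCADM" set-password -r "$REALM" --username admin \
    --new-password "$RANCHER_ADMIN_INITIAL_PASSWORD" --temporary

  # Confidential OIDC client with the exact Rancher redirect URI;
  # -i prints the internal id, which the mapper endpoints need
  cid=$("$KCADM" create clients -r "$REALM" -i -s "clientId=$CLIENT_ID" \
    -s 'name=rancher sso' -s protocol=openid-connect -s publicClient=false \
    -s "redirectUris=[\"$RANCHER_REDIRECT_URI\"]")

  # The three mappers from the exercise
  group_mapper_json "Groups Mapper" groups false | add_mapper "$cid"
  audience_mapper_json "$CLIENT_ID" | add_mapper "$cid"
  group_mapper_json "Group Path" full_group_path true | add_mapper "$cid"

  # The Client Secret to paste into the Rancher Auth Provider form
  "$KCADM" get "clients/$cid/client-secret" -r "$REALM"
}

# Only contact a server when one is configured; sourcing the file just defines functions
if [ -n "${KC_SERVER:-}" ]; then
  main
fi
```

Run it with the four variables exported; with KCADM=echo it prints every kcadm invocation (including the admin password, so use that only for a dry run). The printed secret is the value that goes into the Rancher Client Secret field in the step above.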
For detailed documentation, refer to the link below
https://rancher.com/docs/rancher/v2.6/en/admin-settings/authentication/keycloak-oidc/
With this, all required steps in Exercise 2: Configure Keycloak are complete.
We are ready to move on to Exercise-3-Integrate-Rancher-with-Keycloak.