Mirror of https://github.com/rancher/rancher-docs.git, synced 2026-03-14 13:24:12 +00:00
Explain SAML and OpenLDAP Group Permissions (#2225)

* Add SamlOpenLDAPGroupPermissions shared file
* Add SamlOpenLDAPGroupPermissions shared file to Configure Keycloak (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to Configure Okta (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to Configure PingIdentity (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to Configuring Rancher for Microsoft AD FS page
* Add SamlOpenLDAPGroupPermissions shared file to Group Permissions with Shibboleth and OpenLDAP page
* Add SamlOpenLDAPGroupPermissions shared file to other versions of Configure Keycloak (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to other versions of Configure Okta (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to other versions of Configure PingIdentity (SAML) page
* Add SamlOpenLDAPGroupPermissions shared file to other versions of Configuring Rancher for Microsoft AD FS page
* Add SamlOpenLDAPGroupPermissions shared file to other versions of Group Permissions with Shibboleth and OpenLDAP page
@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

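Review bot: the placement of the new section is the thing to reconsider here. The hunk context ("If you experience issues when you test the connection to the OpenLDAP server…") shows that the OpenLDAP configuration and troubleshooting steps end immediately above `## Configuring SAML Single Logout (SLO)`, yet the OpenLDAP group caveat is appended after the SLO section. A reader deciding whether to enable OpenLDAP group lookup on this page would see the warning at the point where it matters if `## SAML and OpenLDAP Group Permissions` and `<SamlOpenLDAPGroupPermissions />` were inserted directly after that OpenLDAP paragraph, before the SLO heading, rather than as the last section of the page.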
@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

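Review bot: the promotion of `### Terminology` and `### Adding OpenLDAP Group Permissions to Rancher Resources` to `##` is a structural change that the commit message does not mention. It is justified, since it makes the new `## SAML and OpenLDAP Group Permissions` section a sibling of these sections instead of a sub-section of "Adding OpenLDAP Group Permissions to Rancher Resources", but it should be stated in the commit message, and the rest of the page should be checked for any remaining `###` headings that now sit under a different parent than intended.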
@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

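Review bot: the unchanged context sentence "Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for" reads as though every group she holds in OpenLDAP applies, and the note rendered four lines later by `<SamlOpenLDAPGroupPermissions />` then qualifies that to only the groups present in the SAML assertion. Consider tightening that sentence to "the groups carried in the assertion" so the page does not first overstate and then correct itself.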
@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

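Review bot: on this Chinese page the inserted heading `## SAML and OpenLDAP Group Permissions` and the shared file it renders are both English, so the zh docs pick up untranslated text (the `## Configuring SAML Single Logout (SLO)` heading already in the context has the same problem). Either translate the heading here and add a zh copy of `_saml-openldap-group-permissions.md`, or note in the PR that it is left for the translation pass.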
@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -192,3 +192,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -109,3 +109,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -64,3 +64,7 @@ title: 配置 PingIdentity (SAML)
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -30,3 +30,7 @@ title: Shibboleth 和 OpenLDAP 的组权限
Shibboleth 会验证用户的凭证,并从 OpenLDAP 检索用户属性,其中包括用户所在的组信息。然后 Shibboleth 将向 Rancher 发送一个包含用户属性的 SAML 断言。Rancher 会使用组数据,以便用户可以访问他所在的组有权访问的所有资源。

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

shared-files/_saml-openldap-group-permissions.md (new file, 11 lines)
@@ -0,0 +1,11 @@
When you configure a SAML authentication provider backed by OpenLDAP, the SAML response might return only a subset of the groups that a user belongs to. The exact groups returned depend on the configuration of your external authentication provider.

Rancher assigns user permissions based strictly on the groups provided in the SAML response.

:::note

Even if you can search for and view specific OpenLDAP groups in the Rancher UI, you cannot use them to assign permissions if they are missing from the SAML response.

To assign permissions successfully, verify that your SAML authentication provider is configured to return all necessary OpenLDAP groups.

:::

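Review bot: the note tells readers to "verify that your SAML authentication provider is configured to return all necessary OpenLDAP groups" but gives no way to do so. Since "Rancher assigns user permissions based strictly on the groups provided in the SAML response", the thing to check is the group attribute in the assertion the IdP actually sends, matched against the attribute Rancher is configured to read as its groups field; a sentence naming that setting and suggesting the reader inspect a captured assertion would make the check actionable. It would also help to spell out the consequence the note implies: a group that appears in the UI picker but is absent from the assertion produces a binding that never grants access, which is easy to misdiagnose as an RBAC bug rather than an IdP attribute-release problem.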
@@ -15,6 +15,7 @@ import ConfigureSLO from '/shared-files/_configure-slo.md';
import ConfigureSLOOidc from '/shared-files/_configure-slo-oidc.md';
import EOLRKE1Warning from '/shared-files/_eol-rke1-warning.md';
import PermissionsWarning from '/shared-files/_permissions-warning.md';
import SamlOpenLDAPGroupPermissions from '/shared-files/_saml-openldap-group-permissions.md';

export default {
// Re-use the default mapping

@@ -35,4 +36,5 @@ export default {
DockerSupportWarning,
EOLRKE1Warning,
PermissionsWarning,
SamlOpenLDAPGroupPermissions,
};

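Review bot: registering `SamlOpenLDAPGroupPermissions` in this global component map is what lets every page in the commit render `<SamlOpenLDAPGroupPermissions />` without a local import, so the page hunks are correct in adding only the heading and the tag. The Chinese pages changed above rely on the same map; confirm the localized build resolves components through this file as well, otherwise the tag is left unresolved on those pages. The new import and the new map entry both follow `PermissionsWarning`, matching the ordering already used in the file.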
@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -196,3 +196,7 @@ Try configuring and saving keycloak as your SAML provider and then accessing the
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -112,3 +112,7 @@ If you experience issues when you test the connection to the OpenLDAP server, en
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -68,3 +68,7 @@ Note that these URLs will not return valid data until the authentication configu
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -55,3 +55,7 @@ openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -da
## Configuring SAML Single Logout (SLO)

<ConfigureSLO />

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />

@@ -10,14 +10,14 @@ Because Shibboleth is a SAML provider, it doesn't support searching for groups.

One solution to this problem is to configure an OpenLDAP identity provider. With an OpenLDAP back end for Shibboleth, you will be able to search for groups in Rancher and assign them to resources such as clusters, projects, or namespaces from the Rancher UI.

### Terminology
## Terminology

- **Shibboleth** is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems. It validates user credentials, but does not, on its own, handle group memberships.
- **SAML:** Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- **OpenLDAP:** a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). It is used to manage an organization’s computers and users. OpenLDAP is useful for Rancher users because it supports groups. In Rancher, it is possible to assign permissions to groups so that they can access resources such as clusters, projects, or namespaces, as long as the groups already exist in the identity provider.
- **IdP or IDP:** An identity provider. OpenLDAP is an example of an identity provider.

### Adding OpenLDAP Group Permissions to Rancher Resources
## Adding OpenLDAP Group Permissions to Rancher Resources

The diagram below illustrates how members of an OpenLDAP group can access resources in Rancher that the group has permissions for.

@@ -30,3 +30,7 @@ When a member of the OpenLDAP group logs in to Rancher, she is redirected to Shi
Shibboleth validates her credentials, and retrieves user attributes from OpenLDAP, including groups. Then Shibboleth sends a SAML assertion to Rancher including the user attributes. Rancher uses the group data so that she can access all of the resources and permissions that her groups have permissions for.

![Adding OpenLDAP Group Permissions to Rancher Resources](/img/shibboleth-with-openldap-groups.svg)

## SAML and OpenLDAP Group Permissions

<SamlOpenLDAPGroupPermissions />
