From 92011309875b373dae7e68c25ce2389735ce492a Mon Sep 17 00:00:00 2001 From: Ryan Elliott-Smith Date: Tue, 17 Mar 2020 09:42:10 +1300 Subject: [PATCH] Add note to keycloak auth about saml metadata creation --- .../en/admin-settings/authentication/keycloak/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md index e7350e6c96d..33a12ff83ca 100644 --- a/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.x/en/admin-settings/authentication/keycloak/_index.md @@ -23,6 +23,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati `Valid Redirect URI` | `https://yourRancherHostURL/v1-saml/keycloak/saml/acs` >1: Optionally, you can enable either one or both of these settings. + >2: Rancher SAML metadata won't be generated until a SAML provider is configured and saved. - Export a `metadata.xml` file from your Keycloak client: From the `Installation` tab, choose the `SAML Metadata IDPSSODescriptor` format option and download your file. @@ -81,6 +82,11 @@ You are correctly redirected to your IdP login page and you are able to enter yo * Check the Rancher debug log. * If the log displays `ERROR: either the Response or Assertion must be signed`, make sure either `Sign Documents` or `Sign assertions` is set to `ON` in your Keycloak client. +### HTTP502 when trying to access /v1-saml/keycloak/saml/metadata + +This is usually due to the metadata not being created until a SAML provider is configured. +Try configuring and saving keycloak as your SAML provider and then accessing the metadata. + ### Keycloak Error: "We're sorry, failed to process response" * Check your Keycloak log.
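Review bot: the new `>2:` footnote in the first hunk has no visible marker to attach to; the context shows `>1:` following the table row and the hunk adds no `2` superscript to any table cell, so confirm the row that points users at the Rancher metadata URL carries a matching `2` marker, otherwise the note dangles. A reader would also benefit from the consequence being stated, e.g. "Rancher SAML metadata will not be generated until a SAML provider is configured and saved; the `/v1-saml/keycloak/saml/metadata` endpoint returns an error before then", and `will not` reads better than `won't` in documentation of this register.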
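Review bot: in the second hunk the heading `### HTTP502 when trying to access /v1-saml/keycloak/saml/metadata` and the lower-case `keycloak` in "Try configuring and saving keycloak as your SAML provider" are inconsistent with the neighbouring heading `### Keycloak Error: "We're sorry, failed to process response"`; suggest `### HTTP 502 when trying to access /v1-saml/keycloak/saml/metadata` and "Try configuring and saving Keycloak as your SAML provider". The explanation "the metadata not being created" does not say whose metadata; "Rancher does not generate its SAML metadata until a SAML provider is configured and saved" mirrors the footnote added in the first hunk and makes the cause unambiguous.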