From a7195c38b4a0b5032869f5083e4a65a397ea93b3 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Tue, 11 Jun 2024 09:36:52 -0700 Subject: [PATCH] Initial draft, basic outline of SLO configuration through Rancher UI in Okta SAML page. Updating to other SAML pages currently after UX PR was finalized. Signed-off-by: Sunil Singh --- .../configure-keycloak-saml.md | 2 ++ .../authentication-config/configure-okta-saml.md | 16 ++++++++++++++-- .../configure-pingidentity.md | 2 ++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 4e3d9c2713c..0aebd63ad67 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -192,3 +192,5 @@ Try configuring and saving keycloak as your SAML provider and then accessing the * Check your Keycloak log. * If the log displays `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`, set `Client Signature Required` to `OFF` in your Keycloak client. + +## Configuring SAML Single Logout (SLO) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index d53a871ad0b..2d22a751d2b 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -51,7 +51,6 @@ You can integrate Okta with Rancher, so that authenticated users can access Ranc ::: - 1. After you complete the **Configure Okta Account** form, click **Enable**. Rancher redirects you to the IdP login page. Enter credentials that authenticate with Okta IdP to validate your Rancher Okta configuration. 
@@ -108,4 +107,17 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. + +## Configuring SAML Single Logout (SLO) + +1. Sign into Rancher using a local user assigned the [administrator](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) role (i.e., the _local principal_). +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. 
Under the section **Configure Single Logout (SLO)**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Only log out of Rancher | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Okta (including Rancher and all other application registered with the provider) | Choosing this option will logout Rancher and external authentication providers along with any registered application linked to the provider. | + | Allow the user to choose in an extra step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index e45d179881e..db418a7f9d7 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -64,3 +64,5 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: + +## Configuring SAML Single Logout (SLO)
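Review bot: the `## Configuring SAML Single Logout (SLO)` heading appended at the end of configure-keycloak-saml.md has no body, so once published the Keycloak page will end on an empty section directly after the troubleshooting bullets (`* If the log displays ... set Client Signature Required to OFF`). Either carry the steps and the three-option table from the Okta hunk in this same patch over to this page (with the provider name changed in the second option), or drop this hunk until the Keycloak content exists rather than shipping a heading with nothing under it.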
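Review bot: the `@@ -51,7 +51,6 @@` hunk in configure-okta-saml.md only deletes the blank line between the closing `:::` of the admonition and `1. After you complete the **Configure Okta Account** form, click **Enable**.`, which is unrelated to the SLO documentation the commit message describes. Either leave that line alone or call the whitespace clean-up out in the commit message; keeping the blank line after the `:::` fence also avoids any renderer treating the list as part of the admonition.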
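Review bot: the new SLO steps in the `@@ -108,4 +107,17 @@` hunk of configure-okta-saml.md skip the step that actually opens the Okta configuration: steps 1 to 3 stop at `1. In the left navigation menu, click **Auth Provider**.` and step 4 jumps straight to `Under the section **Configure Single Logout (SLO)**`, whereas the OpenLDAP procedure just above it includes `1. Click **Okta** or, if SAML is already configured, **Edit Config**`. Add the same step here so the reader knows where the SLO section lives. In the table, "all other application registered with the provider" should be "applications", and "logout" is used as a verb in all three descriptions ("will only logout the Rancher application", "will logout Rancher and external authentication providers"); use "log out". The description of `Only log out of Rancher` should also state the consequence for the reader: Rancher ends its own session but the Okta session stays active, so the next visit to Rancher signs the user straight back in through the IdP without a credential prompt, which is the reason an administrator on shared workstations would pick the second option. Finally, the `[administrator](https://ranchermanager.docs.rancher.com/...)` link is absolute while every other link in this file is relative (compare `../../../../faq/technical-items.md#how-can-i-enable-debug-logging`); use the relative path so versioned copies of the docs do not point at the latest site. The `-If you experience issues...` / `+If you experience issues...` pair only adds the missing trailing newline, which is fine.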
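Review bot: as with the Keycloak page, the `## Configuring SAML Single Logout (SLO)` heading added at the end of configure-pingidentity.md is empty, so the page will end with a bare heading right after the `:::` note about the group drop-down. The commit message says the other SAML pages are being updated after the UX PR was finalized; unless that content lands in this same patch, leave this hunk out so the published Ping Identity page does not carry a placeholder section.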