From b1bdb91a26e5b7aa9bb8bbeb3103238c0ebe7e9e Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Fri, 25 Jun 2021 14:27:03 -0700 Subject: [PATCH] Address feedback. Also fix table formatting --- .../authentication/keycloak/_index.md | 40 ++++++++++--------- .../authentication/keycloak-oidc/_index.md | 38 +++++++++--------- .../authentication/keycloak-saml/_index.md | 38 +++++++++--------- 3 files changed, 59 insertions(+), 57 deletions(-) diff --git a/content/rancher/v2.5/en/admin-settings/authentication/keycloak/_index.md b/content/rancher/v2.5/en/admin-settings/authentication/keycloak/_index.md index 2498376139a..b4cde268217 100644 --- a/content/rancher/v2.5/en/admin-settings/authentication/keycloak/_index.md +++ b/content/rancher/v2.5/en/admin-settings/authentication/keycloak/_index.md @@ -61,24 +61,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati 1. Select **Keycloak**. -1. Complete the **Configure Keycloak Account** form. - - - | Field | Description | - | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | - | Display Name Field | The attribute that contains the display name of users.

Example: `givenName` | - | User Name Field | The attribute that contains the user name/given name.

Example: `email` | - | UID Field | An attribute that is unique to every user.

Example: `email` | - | Groups Field | Make entries for managing group memberships.

Example: `member` | - | Entity ID Field | The ID that needs to be configured as a client ID in the Keycloak client.

Default: `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata` | - | Rancher API Host | The URL for your Rancher Server. | - | Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. | - | IDP-metadata | The `metadata.xml` file that you exported from your IdP server. | - - >**Tip:** You can generate a key/certificate pair using an openssl command. For example: - > - > openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert - +1. Complete the **Configure Keycloak Account** form. For help with filling the form, see the [configuration reference](#configuration-reference). 1. After you complete the **Configure Keycloak Account** form, click **Authenticate with Keycloak**, which is at the bottom of the page. @@ -90,13 +73,32 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati {{< saml_caveats >}} +## Configuration Reference + + +| Field | Description | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Display Name Field | The attribute that contains the display name of users.

Example: `givenName` | +| User Name Field | The attribute that contains the user name/given name.

Example: `email` | +| UID Field | An attribute that is unique to every user.

Example: `email` | +| Groups Field | Make entries for managing group memberships.

Example: `member` | +| Entity ID Field | The ID that needs to be configured as a client ID in the Keycloak client.

Default: `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata` | +| Rancher API Host | The URL for your Rancher Server. | +| Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. | +| IDP-metadata | The `metadata.xml` file that you exported from your IdP server. | + +>**Tip:** You can generate a key/certificate pair using an openssl command. For example: +> +> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert + + ## Annex: Troubleshooting If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration option of your SAML client. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.5/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. ### You are not redirected to Keycloak -When you click on **Authenticate with Keycloak**, your are not redirected to your IdP. +When you click on **Authenticate with Keycloak**, you are not redirected to your IdP. * Verify your Keycloak client configuration. * Make sure `Force Post Binding` set to `OFF`. diff --git a/content/rancher/v2.6/en/admin-settings/authentication/keycloak-oidc/_index.md b/content/rancher/v2.6/en/admin-settings/authentication/keycloak-oidc/_index.md index 921bfa858a0..06edfe51c65 100644 --- a/content/rancher/v2.6/en/admin-settings/authentication/keycloak-oidc/_index.md +++ b/content/rancher/v2.6/en/admin-settings/authentication/keycloak-oidc/_index.md 
@@ -23,7 +23,7 @@ If you have an existing configuration using the SAML protocol and want to switch `Access Type` | `confidential` `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` -- In the new OIDC client, create [Mappers](https://www.keycloak.org/docs/latest/server_admin/#_protocol-mappers) to expose the users fields +- In the new OIDC client, create [Mappers](https://www.keycloak.org/docs/latest/server_admin/#_protocol-mappers) to expose the users fields. - Create a new "Groups Mapper" with the settings below. Setting | Value 
@@ -43,21 +43,7 @@ If you have an existing configuration using the SAML protocol and want to switch 1. Select **Keycloak (OIDC)**. -1. Complete the **Configure a Keycloak OIDC account** form. - - - | Field | Description | - | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | - | Client ID | The `Client ID` of your Keycloak client. | - | Client Secret | The generated `Secret` of your Keycloak client. In the Keycloak console, select **Clients**, select the client you created, select the **Credentials** tab and copy the value of the `Secret` field. | - | Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. Required if HTTPS/SSL is enabled on your Keycloak server. | - | Endpoints | Choose whether to use the generated values for the `Rancher URL`, `Issue`, and `Auth Endpoint` fields or to provide manual overrides if incorrect. | - | Keycloak URL | The URL for your Keycloak server. | - | Keycloak Realm | The name of the realm in which the Keycloak client was created in. | - | Rancher URL | The URL for your Rancher Server. | - | Issuer | The URL of your IdP. - | Auth Endpoint | The URL where users are redirected to authenticate. - +1. Complete the **Configure a Keycloak OIDC account** form. For help with filling the form, see the [configuration reference](#configuration-reference). 1. After you complete the **Configure a Keycloak OIDC account** form, click **Enable**. 
@@ -67,11 +53,25 @@ If you have an existing configuration using the SAML protocol and want to switch **Result:** Rancher is configured to work with Keycloak using the OIDC protocol. Your users can now sign into Rancher using their Keycloak logins. +## Configuration Reference + +| Field | Description | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Client ID | The `Client ID` of your Keycloak client. | +| Client Secret | The generated `Secret` of your Keycloak client. In the Keycloak console, select **Clients**, select the client you created, select the **Credentials** tab and copy the value of the `Secret` field. | +| Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. Required if HTTPS/SSL is enabled on your Keycloak server. | +| Endpoints | Choose whether to use the generated values for the `Rancher URL`, `Issue`, and `Auth Endpoint` fields or to provide manual overrides if incorrect. | +| Keycloak URL | The URL for your Keycloak server. | +| Keycloak Realm | The name of the realm in which the Keycloak client was created in. | +| Rancher URL | The URL for your Rancher Server. | +| Issuer | The URL of your IdP. | +| Auth Endpoint | The URL where users are redirected to authenticate. | + ## Migrating from SAML to OIDC This section describes the process to transition from using Rancher with Keycloak (SAML) to Keycloak (OIDC). -### Changes to Keycloak +### Reconfigure Keycloak 1. Change the existing client to use the OIDC protocol. In the Keycloak console, select **Clients**, select the SAML client to migrate, select the **Settings** tab, change `Client Protocol` from `saml` to `openid-connect`, and click **Save** 
@@ -88,7 +88,7 @@ This section describes the process to transition from using Rancher with Keycloa `Add to access token` | `ON` `Add to user info` | `ON` -### Changes to Rancher +### Reconfigure Rancher Before configuring Rancher to use Keycloak (OIDC), Keycloak (SAML) must be first disabled. @@ -110,7 +110,7 @@ All Keycloak related log entries will be prepended with either `[generic oidc]` ### You are not redirected to Keycloak -When you fill the **Configure a Keycloak OIDC account** form and click on **Enable**, your are not redirected to your IdP. +When you fill the **Configure a Keycloak OIDC account** form and click on **Enable**, you are not redirected to your IdP. * Verify your Keycloak client configuration. diff --git a/content/rancher/v2.6/en/admin-settings/authentication/keycloak-saml/_index.md b/content/rancher/v2.6/en/admin-settings/authentication/keycloak-saml/_index.md index dbe665b1605..0307746167e 100644 --- a/content/rancher/v2.6/en/admin-settings/authentication/keycloak-saml/_index.md +++ b/content/rancher/v2.6/en/admin-settings/authentication/keycloak-saml/_index.md @@ -61,24 +61,7 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati 1. Select **Keycloak**. -1. Complete the **Configure Keycloak Account** form. - - - | Field | Description | - | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | - | Display Name Field | The attribute that contains the display name of users.

Example: `givenName` | - | User Name Field | The attribute that contains the user name/given name.

Example: `email` | - | UID Field | An attribute that is unique to every user.

Example: `email` | - | Groups Field | Make entries for managing group memberships.

Example: `member` | - | Entity ID Field | The ID that needs to be configured as a client ID in the Keycloak client.

Default: `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata` | - | Rancher API Host | The URL for your Rancher Server. | - | Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. | - | IDP-metadata | The `metadata.xml` file that you exported from your IdP server. | - - >**Tip:** You can generate a key/certificate pair using an openssl command. For example: - > - > openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert - +1. Complete the **Configure Keycloak Account** form. For help with filling the form, see the [configuration reference](#configuration-reference). 1. After you complete the **Configure Keycloak Account** form, click **Authenticate with Keycloak**, which is at the bottom of the page. @@ -90,13 +73,30 @@ If your organization uses Keycloak Identity Provider (IdP) for user authenticati {{< saml_caveats >}} +## Configuration Reference + +| Field | Description | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Display Name Field | The attribute that contains the display name of users.

Example: `givenName` | +| User Name Field | The attribute that contains the user name/given name.

Example: `email` | +| UID Field | An attribute that is unique to every user.

Example: `email` | +| Groups Field | Make entries for managing group memberships.

Example: `member` | +| Entity ID Field | The ID that needs to be configured as a client ID in the Keycloak client.

Default: `https://yourRancherHostURL/v1-saml/keycloak/saml/metadata` | +| Rancher API Host | The URL for your Rancher Server. | +| Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. | +| IDP-metadata | The `metadata.xml` file that you exported from your IdP server. | + +>**Tip:** You can generate a key/certificate pair using an openssl command. For example: +> +> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert + ## Annex: Troubleshooting If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration option of your SAML client. You may also inspect the Rancher logs to help pinpointing the problem cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging]({{}}/rancher/v2.6/en/faq/technical/#how-can-i-enable-debug-logging) in this documentation. ### You are not redirected to Keycloak -When you click on **Authenticate with Keycloak**, your are not redirected to your IdP. +When you click on **Authenticate with Keycloak**, you are not redirected to your IdP. * Verify your Keycloak client configuration. * Make sure `Force Post Binding` set to `OFF`.
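Review bot: in the keycloak-oidc `@@ -23,7 +23,7 @@` hunk the rewritten `+- In the new OIDC client, create [Mappers](...) to expose the users fields.` line only gains a trailing period and keeps the possessive error; since the line is being touched anyway, make it `to expose the user's fields` (or `the user attributes`, which is what the mapper settings below map into the token), so the sentence does not need a second pass.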
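Review bot: the Endpoints row in the keycloak-oidc `@@ -67,11 +53,25 @@` hunk (`| Endpoints | Choose whether to use the generated values for the `Rancher URL`, `Issue`, and `Auth Endpoint` fields ...`) names a field `Issue` that does not exist; the row two lines below is `Issuer`, so the typo will send readers looking for a field that is not on the form. The same hunk carries `The name of the realm in which the Keycloak client was created in.` (drop the trailing `in`), and `| Issuer | The URL of your IdP. |` is too vague next to the Endpoints row that says this value is generated: say it is the issuer URL of the Keycloak realm (derived from `Keycloak URL` and `Keycloak Realm`) and should only be overridden when the generated value does not match what Keycloak advertises, since a bare host URL entered here will not match the token issuer. Finally, `A key/certificate pair to create a secure shell between Rancher and your IdP.` has the same wording problem flagged for the SAML tables: "secure shell" means SSH; this row should say what the material is actually used for, in this case trusting the Keycloak server when HTTPS/SSL is enabled, as the second sentence of the row already hints.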
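Review bot: the Private Key / Certificate row moved in the v2.5 keycloak `@@ -90,13 +73,32 @@` and v2.6 keycloak-saml `@@ -90,13 +73,30 @@` hunks (`| Private Key / Certificate | A key/certificate pair to create a secure shell between Rancher and your IdP. |`) describes the SAML signing material as a "secure shell", which names SSH and does not tell the reader what the pair does; since the table is being relocated into a reference section that users will look up on its own, reword it to say the key signs the SAML messages Rancher sends and the certificate is what the IdP uses to verify them. Related missing documentation in the same rows: the Entity ID row tells the reader what must be configured on the Keycloak client, but nothing says the certificate generated by the `openssl req -x509 -sha256 -nodes -days 365 ...` tip must also be registered on the Keycloak side, nor that `-days 365` yields a self-signed certificate that expires after a year and then has to be regenerated and re-uploaded in both places; adding `-subj` to the example would also avoid the interactive prompts the command otherwise produces. Two smaller points in the same hunks: the v2.5 file adds two blank `+` lines under `## Configuration Reference` where the v2.6 file adds one, and the context line `* Make sure `Force Post Binding` set to `OFF`.` in the troubleshooting section is missing `is`; worth fixing while the surrounding text is being edited.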
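Review bot: the context line `1. Select **Keycloak**.` kept in the v2.6 keycloak-saml `@@ -61,24 +61,7 @@` hunk is inconsistent with the sibling OIDC page added in this same patch, whose step reads `1. Select **Keycloak (OIDC)**.`; with two Keycloak providers in v2.6 the SAML page should name the exact option shown in the UI (presumably `Keycloak (SAML)`), otherwise the `#configuration-reference` pointer the hunk introduces will be reached by readers who picked the wrong provider. Confirm the label against the v2.6 UI and update this step in the same change.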