Auth Providers
GitHub
Developer Set Up
Follow the in-dashboard instructions when configuring a GitHub auth provider.
Multiple GitHub auth configs
The auth system supports multiple GitHub auth URLs and uses the appropriate one based on the Host header that a request comes in on. Configuring this is not exposed in the regular UI, but it is particularly useful for development against a server that already has GitHub set up.
In management.cattle.io.authconfig, edit the github entry. Add a hostnameToClientId map of Host header value -> GitHub client ID:

    hostnameToClientId:
      "localhost:8005": <your GitHub Client ID for localhost:8005>

In the secret, namespace cattle-global-data, edit githubconfig-clientsecret. Add GitHub client ID -> base64-encoded client secret to the data section:

    data:
      clientsecret: <the normal client secret already configured>
      <your client id>: <your base64-encoded client secret for localhost:8005>
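The two edits above have to agree with each other, and a quick consistency check before applying them catches the usual mistakes. This is an added example, not code from Rancher or its documentation: the function names and all sample values are constructed, and treating surrounding whitespace in a decoded secret as an error is an assumption of this check.

```python
import base64
import binascii


def encode_secret(secret: str) -> str:
    """Base64-encode exactly the secret bytes (no trailing newline,
    which is what `echo secret | base64` would add)."""
    return base64.b64encode(secret.encode()).decode()


def check_github_overrides(hostname_to_client_id: dict, secret_data: dict) -> list:
    """Compare the hostnameToClientId map with the secret's data section.
    Returns a list of problems; an empty list means the two agree."""
    problems = []
    if "clientsecret" not in secret_data:
        problems.append("default 'clientsecret' entry is missing")
    for host, client_id in hostname_to_client_id.items():
        # Keys are Host header values (host[:port]), never full URLs.
        if "://" in host or "/" in host:
            problems.append(f"{host!r}: key must be a Host header value, not a URL")
        encoded = secret_data.get(client_id)
        if encoded is None:
            problems.append(f"{host!r}: no secret entry named {client_id!r}")
            continue
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{client_id!r}: value is not valid base64")
            continue
        if decoded != decoded.strip():
            problems.append(f"{client_id!r}: decoded secret has surrounding whitespace")
    return problems


# Constructed sample values, not real credentials.
HOSTS = {"localhost:8005": "dev-client-id-0001"}
GOOD = {
    "clientsecret": encode_secret("prod-secret"),
    "dev-client-id-0001": encode_secret("dev-secret"),
}
# Same secret, but encoded with a trailing newline.
BAD = {**GOOD, "dev-client-id-0001": base64.b64encode(b"dev-secret\n").decode()}

if __name__ == "__main__":
    print(check_github_overrides(HOSTS, GOOD))
    print(check_github_overrides(HOSTS, BAD))
```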
Keycloak
Developer Set Up (SAML)
Use the steps below to set up a Keycloak instance for dev environments and configure an Auth Provider for it.
Bring up a local Keycloak instance in Docker using the instructions here.
Ensure that the admin user has a first name, last name and email. These fields are referenced in the Keycloak client's mappers, which are then referenced in Rancher's auth provider config.
Double check the client has the correct checkboxes set, specifically the Mappers group entry.
Using either the Ember or Vue UI, set up the Keycloak auth provider by following the instructions here.
| Field | Value |
| --- | --- |
| Display Name Field | givenName |
| User Name Field | email |
| UID Field | email |
| Groups Field | member |
| Entity ID Field | Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/v1-saml/keycloak/saml/metadata |
| Rancher API Host | Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/ |
| Private Key | For key and cert files, export the Client in the Keycloak UI via the Clients list page and extract & wrap the saml.signing.certificate and saml.signing.private.key as cert files (see step 5 for more info). |
| Certificate | See Private Key section above |
| Metadata | For the SAML Metadata, download as per Rancher docs. Be sure to follow the NOTE instructions regarding EntitiesDescriptor and EntityDescriptor. For a better set of instructions see step 6 |
Developer Set Up (OIDC)
In the Vue UI, set up the Keycloak OIDC provider with the following values:
| Field | Value |
| --- | --- |
| Client ID | Find via the keycloak console |
| Client Secret | Find via the keycloak console (client's credentials tab) |
| Private Key | (optional) |
| Certificate | (optional) |
| Keycloak URL | URL of keycloak instance (no path) |
| Keycloak Realm | Find via the keycloak console (above menu on left or in path after /realms/) |
The user used when enabling the provider must be an Admin or in a group