
Auth Providers

GitHub

Developer Set up

Follow the in-dashboard instructions when configuring a GitHub auth provider.

Multiple GitHub auth configs

The auth system supports multiple GitHub auth URLs and uses the appropriate one based on the Host header of the incoming request. Configuring this is not exposed in the regular UI, but it is particularly useful for development against a server that already has GitHub set up.

In management.cattle.io.authconfig, edit the github entry. Add a hostnameToClientId map of Host header value -> GitHub client ID:

hostnameToClientId:
  "localhost:8005": <your GitHub Client ID for localhost:8005>

In the cattle-global-data namespace, edit the githubconfig-clientsecret secret. Add GitHub client ID -> base64-encoded client secret to the data section:

data:
  clientsecret: <the normal client secret already configured>
  <your client id>: <your base64-encoded client secret for localhost:8005>

Keycloak

Developer Set Up (SAML)

Use the steps below to set up a Keycloak instance for dev environments and configure an Auth Provider for it.

  1. Bring up a local Keycloak instance in Docker using the instructions here.

    Ensure that the admin user has a first name, last name and email. These fields are referenced in the Keycloak client's mappers, which are in turn referenced in Rancher's auth provider config.

    Double check the client has the correct checkboxes set, specifically the Mappers group entry.

  2. Using either the Ember or Vue UI, set up the Keycloak auth provider by following the instructions here.

    | Field | Value |
    | --- | --- |
    | Display Name Field | givenName |
    | User Name Field | email |
    | UID Field | email |
    | Groups Field | member |
    | Entity ID Field | Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/v1-saml/keycloak/saml/metadata |
    | Rancher API Host | Depending on Rancher API Url. For instance when running Dashboard locally https://192.168.86.26:8005/ |
    | Private Key | For key and cert files, export the Client in the Keycloak UI via the Clients list page and extract & wrap the saml.signing.certificate and saml.signing.private.key as cert files (see step 5 for more info). |
    | Certificate | See Private Key section above |
    | Metadata | For the SAML Metadata, download as per Rancher docs. Be sure to follow the NOTE instructions regarding EntitiesDescriptor and EntityDescriptor. For a better set of instructions see step 6 |
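
One way to do the "extract & wrap" step for the Private Key and Certificate fields, as an added example that is not part of the original docs. It assumes the exported client JSON carries both values as bare base64 DER under an `attributes` object; the function names, output file names and sample export are constructed for illustration.

```python
import base64, json, os, sys, textwrap

# Constructed sample: placeholder DER prefixes, not a real certificate or key.
SAMPLE_EXPORT = {"attributes": {
    "saml.signing.certificate": base64.b64encode(b"\x30\x03\x02\x01\x00").decode(),
    "saml.signing.private.key": base64.b64encode(b"\x30\x08\x02\x01\x00\x30\x03\x06\x01\x00").decode()}}

def pem_wrap(der: bytes, label: str) -> str:
    """Wrap DER bytes in PEM armor with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def private_key_label(der: bytes) -> str:
    """Pick the PEM label from the DER layout: PKCS#8 or PKCS#1 (RSA)."""
    if len(der) < 6 or der[0] != 0x30:
        raise ValueError("private key is not a DER SEQUENCE")
    i = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)  # skip tag and length bytes
    if der[i:i + 3] != b"\x02\x01\x00" or i + 3 >= len(der):
        raise ValueError("unexpected private key version field")
    # After version 0: SEQUENCE (AlgorithmIdentifier) is PKCS#8, INTEGER (modulus) is PKCS#1.
    labels = {0x30: "PRIVATE KEY", 0x02: "RSA PRIVATE KEY"}
    if der[i + 3] not in labels:
        raise ValueError("unrecognised private key encoding")
    return labels[der[i + 3]]

def extract_saml_pem(client_export: dict) -> dict:
    """Return {'cert': pem, 'key': pem} from a parsed Keycloak client export."""
    attrs = client_export.get("attributes", {})  # assumed location of the two values
    out = {}
    for name, attr in (("cert", "saml.signing.certificate"), ("key", "saml.signing.private.key")):
        if not attrs.get(attr):
            raise KeyError(f"{attr} missing from client export")
        der = base64.b64decode("".join(attrs[attr].split()), validate=True)
        out[name] = pem_wrap(der, "CERTIFICATE" if name == "cert" else private_key_label(der))
    return out

def write_pem_files(pems: dict, out_dir: str) -> None:
    """Create keycloak.crt and keycloak.key; a new key file gets owner-only mode 0600."""
    for fname, mode, pem in (("keycloak.crt", 0o644, pems["cert"]), ("keycloak.key", 0o600, pems["key"])):
        fd = os.open(os.path.join(out_dir, fname), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)

if __name__ == "__main__":  # optional argument: path to the exported client JSON
    export = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            export = json.load(fh)
    write_pem_files(extract_saml_pem(export), os.getcwd())
```

The exported client JSON contains the signing private key in recoverable form, so treat the export itself like the key file and remove it once the PEM files are written.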

Developer Set Up (OIDC)

  1. In the Vue UI, set up the Keycloak OIDC provider with the following values:

    | Field | Value |
    | --- | --- |
    | Client ID | Find via the keycloak console |
    | Client Secret | Find via the keycloak console (client's credentials tab) |
    | Private Key (optional) | |
    | Certificate (optional) | |
    | Keycloak URL | URL of keycloak instance (no path) |
    | Keycloak Realm | Find via the keycloak console (above menu on left or in path after /realms/) |

The user used when enabling the provider must be an Admin or in a group