  • In the new SAML client, create Mappers to expose the user's fields.

    • Create a new “Group list” mapper to map the member attribute to a user's groups.
  • Export a metadata.xml file from your Keycloak client: From the tab, choose the SAML Metadata IDPSSODescriptor format option and download your file.

  1. From the Global view, select Security > Authentication from the main menu.

  2. Select Keycloak.

  3. Complete the Configure Keycloak Account form.

    Field: Description

    Display Name Field: The attribute that contains the display name of users. Example: givenName
    User Name Field: The attribute that contains the user name/given name. Example: email
    UID Field: An attribute that is unique to every user. Example: email
    Groups Field: Make entries for managing group memberships. Example: member
    Entity ID Field: The ID that needs to be configured as a client ID in the Keycloak client. Default:
    Rancher API Host: The URL for your Rancher Server.
    Private Key / Certificate: A key/certificate pair to create a secure shell between Rancher and your IdP.
    IDP-metadata: The file that you exported from your IdP server.
  4. After you complete the Configure Keycloak Account form, click Authenticate with Keycloak, which is at the bottom of the page.

    Rancher redirects you to the IdP login page. Enter credentials that authenticate against the Keycloak IdP to validate your Rancher Keycloak configuration.

Result: Rancher is configured to work with Keycloak. Your users can now sign into Rancher using their Keycloak logins.

If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration options of your SAML client. You may also inspect the Rancher logs to help pinpoint the cause of the problem. Debug logs may contain more detailed information about the error; refer to "How can I enable debug logging" in this documentation.

When you click on Authenticate with Keycloak, you are not redirected to your IdP.

  • Verify your Keycloak client configuration.
  • Make sure Force Post Binding is set to OFF.

You are correctly redirected to your IdP login page and are able to enter your credentials, but you receive a Forbidden message afterwards.

  • Check the Rancher debug log.
  • If the log displays ERROR: either the Response or Assertion must be signed, make sure either Sign Documents or Sign Assertions is set to ON in your Keycloak client.

This is usually due to the metadata not being created until a SAML provider is configured. Try configuring and saving Keycloak as your SAML provider, and then access the metadata again.

  • Check your Keycloak log.
  • If the log displays failed: org.keycloak.common.VerificationException: Client does not have a public key, set Encrypt Assertions to OFF in your Keycloak client.
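The two log errors above (Response or Assertion not signed; assertion encrypted for a client without a public key) can be confirmed by inspecting the decoded SAML Response that Keycloak posts to Rancher. The following Python script is an added example, not Rancher or Keycloak code: it reports whether the Response or the Assertion carries an XML signature and whether the Assertion is encrypted, using constructed minimal responses as input. It checks presence only; verifying the signature itself is the job of the SP's SAML library.

```python
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml on real traffic

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(xml_text: str) -> dict:
    """Presence checks on a decoded SAML Response: is the Response signed,
    is the Assertion signed, and is the Assertion encrypted. Findings map
    each condition to the matching Keycloak client setting."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = (assertion is not None
                        and assertion.find("ds:Signature", NS) is not None)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    findings = []
    if not (response_signed or assertion_signed):
        findings.append("neither Response nor Assertion is signed: "
                        "set Sign Documents or Sign Assertions to ON")
    if encrypted:
        findings.append("assertion is encrypted: the SP needs the matching "
                        "private key, or set Encrypt Assertions to OFF")
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed,
            "assertion_encrypted": encrypted,
            "findings": findings}

# Constructed minimal responses (not real Keycloak output); signature value is a placeholder.
_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
         'ID="_r1" Version="2.0">' % (NS["samlp"], NS["saml"], NS["ds"]))
_SIG = "<ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>"
ASSERTION_SIGNED = _HEAD + '<saml:Assertion ID="_a1">' + _SIG + "</saml:Assertion></samlp:Response>"
UNSIGNED = _HEAD + '<saml:Assertion ID="_a1"/></samlp:Response>'
ENCRYPTED_ONLY = _HEAD + "<saml:EncryptedAssertion/></samlp:Response>"

if __name__ == "__main__":
    for name, doc in [("signed", ASSERTION_SIGNED), ("unsigned", UNSIGNED),
                      ("encrypted", ENCRYPTED_ONLY)]:
        print(name, check_saml_response(doc))
```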