You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
description: Create a Keycloak OpenID Connect (OIDC) client and configure Rancher to work with Keycloak. By the end your users will be able to sign into Rancher using their Keycloak logins
@@ -17,62 +17,102 @@ If you have an existing configuration using the SAML protocol and want to switch
17
17
18
18
- On Rancher, Keycloak (SAML) is disabled.
19
19
- You must have a [Keycloak IdP Server](https://www.keycloak.org/guides#getting-started) configured.
20
-
-In Keycloak, create a [new OIDC client](https://www.keycloak.org/docs/latest/server_admin/#oidc-clients), with the settings below. See the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#oidc-clients) for help.
20
+
-Follow the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-oidc-client_server_administration_guide) to create a new OIDC client with the settings below.
- In the new OIDC client, create [Mappers](https://www.keycloak.org/docs/latest/server_admin/#_protocol-mappers) to expose the users fields.
31
-
- Create a new "Groups Mapper" with the settings below.
32
-
33
-
Setting | Value
34
-
------------|------------
35
-
`Name` | `Groups Mapper`
36
-
`Mapper Type` | `Group Membership`
37
-
`Token Claim Name` | `groups`
38
-
`Full group path` | `OFF`
39
-
`Add to ID token` | `OFF`
40
-
`Add to access token` | `OFF`
41
-
`Add to user info` | `ON`
42
-
43
-
- Create a new "Client Audience" with the settings below.
44
-
45
-
Setting | Value
46
-
------------|------------
47
-
`Name` | `Client Audience`
48
-
`Mapper Type` | `Audience`
49
-
`Included Client Audience` | <CLIENT_NAME>
50
-
`Add to ID token` | `OFF`
51
-
`Add to access token` | `ON`
52
-
53
-
- Create a new "Groups Path" with the settings below.
54
-
55
-
Setting | Value
56
-
------------|------------
57
-
`Name` | `Group Path`
58
-
`Mapper Type` | `Group Membership`
59
-
`Token Claim Name` | `full_group_path`
60
-
`Full group path` | `ON`
61
-
`Add to ID token` | `ON`
62
-
`Add to access token` | `ON`
63
-
`Add to user info` | `ON`
64
-
65
-
- Go to **Role Mappings > Client Roles > realm-management** and add the following Role Mappings to all users or groups that need to query the Keycloak users.
66
-
- query-users
67
-
- query-groups
68
-
- view-users
31
+
1. In the navigation menu, click **Clients**.
32
+
1. Click the **Clients list** tab.
33
+
1. Find and click the client you created.
34
+
1. Click the **Client scopes** tab.
35
+
1. Find and click the link labeled `<client-name>-dedicated`. For example, if you named your client `rancher`, look for the link named `rancher-dedicated`.
36
+
1. Click the **Mappers** tab.
37
+
1. Click **Configure a new mapper**. If you already have existing mappers configured, click the arrow next to **Add mapper** and select **By configuration**. Repeat this process and create these mappers:
38
+
- From the mappings table, select **Group Membership** and configure a new "Groups Mapper" with the settings below. For settings that are not mentioned, use the default value.
39
+
40
+
| Setting | Value |
41
+
| ------------|------------|
42
+
|`Name`|`Groups Mapper`|
43
+
|`Mapper Type`|`Group Membership`|
44
+
|`Token Claim Name`|`groups`|
45
+
|`Full group path`|`OFF`|
46
+
|`Add to ID token`|`OFF`|
47
+
|`Add to access token`|`OFF`|
48
+
|`Add to user info`|`ON`|
49
+
50
+
- From the mappings table, select **Audience** and configure a new "Client Audience" with the settings below. For settings that are not mentioned, use the default value.
51
+
52
+
| Setting | Value |
53
+
| ------------|------------|
54
+
|`Name`|`Client Audience`|
55
+
|`Mapper Type`|`Audience`|
56
+
|`Included Client Audience`|<client-name> |
57
+
|`Add to ID token`|`OFF`|
58
+
|`Add to access token`|`ON`|
59
+
60
+
- From the mappings table, select **Group Membership** and configure a new "Groups Path" with the settings below. For settings that are not mentioned, use the default value.
61
+
62
+
| Setting | Value |
63
+
| ------------|------------|
64
+
|`Name`|`Group Path`|
65
+
|`Mapper Type`|`Group Membership`|
66
+
|`Token Claim Name`|`full_group_path`|
67
+
|`Full group path`|`ON`|
68
+
|`Add to ID token`|`ON`|
69
+
|`Add to access token`|`ON`|
70
+
|`Add to user info`|`ON`|
71
+
72
+
- Add the following role mappings to all users or groups that need to query the Keycloak users.
73
+
74
+
<Tabs>
75
+
<TabItemvalue="Users">
76
+
77
+
1. In the navigation menu, click **Users**.
78
+
1. Click the user you want to add role mappings to.
79
+
1. Click the **Role mapping** tab.
80
+
1. Click **Assign role**.
81
+
1. Select the following roles:
82
+
- query-users
83
+
- query-groups
84
+
- view-users
85
+
1. Click **Assign**.
86
+
87
+
</TabItem>
88
+
<TabItemvalue="Groups">
89
+
90
+
1. In the navigation menu, click **Groups**.
91
+
1. Click the group you want to add role mappings to.
92
+
1. Click the **Role mapping** tab.
93
+
1. Click **Assign role**.
94
+
1. Select the following roles:
95
+
- query-users
96
+
- query-groups
97
+
- view-users
98
+
1. Click **Assign**.
99
+
100
+
</TabItem>
101
+
</Tabs>
69
102
70
103
## Configuring Keycloak in Rancher
71
104
72
105
1. In the Rancher UI, click **☰ > Users & Authentication**.
73
106
1. In the left navigation bar, click **Auth Provider**.
74
107
1. Select **Keycloak (OIDC)**.
75
108
1. Complete the **Configure a Keycloak OIDC account** form. For help with filling the form, see the [configuration reference](#configuration-reference).
109
+
110
+
:::note
111
+
112
+
When configuring the **Endpoints** section using the **Generate** option, Rancher includes `/auth` as part of the context path in the **Issuer** and **Auth Endpoint** fields, which is only valid for Keycloak 16 or older. You must configure endpoints using the **Specify** option for [Keycloak 17](https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-17-0-0) and newer, which have [migrated to Quarkus](https://www.keycloak.org/migration/migrating-to-quarkus).
113
+
114
+
:::
115
+
76
116
1. After you complete the **Configure a Keycloak OIDC account** form, click **Enable**.
77
117
78
118
Rancher redirects you to the IdP login page. Enter credentials that authenticate with Keycloak IdP to validate your Rancher Keycloak configuration.
@@ -83,7 +123,7 @@ If you have an existing configuration using the SAML protocol and want to switch
83
123
84
124
:::
85
125
86
-
**Result:** Rancher is configured to work with Keycloak using the OIDC protocol. Your users can now sign into Rancher using their Keycloak logins.
126
+
**Result:** Rancher is configured to work with Keycloak using the OIDC protocol. Your users can now sign in to Rancher using their Keycloak logins.
87
127
88
128
## Configuration Reference
89
129
@@ -103,59 +143,41 @@ If you have an existing configuration using the SAML protocol and want to switch
103
143
104
144
This section describes the process to transition from using Rancher with Keycloak (SAML) to Keycloak (OIDC).
105
145
106
-
### Reconfigure Keycloak
107
-
108
-
1. Change the existing client to use the OIDC protocol. In the Keycloak console, select **Clients**, select the SAML client to migrate, select the **Settings** tab, change `Client Protocol` from `saml` to `openid-connect`, and click **Save**
109
-
110
-
1. Verify the `Valid Redirect URIs` are still valid.
111
-
112
-
1. Select the **Mappers** tab and create a new Mapper with the settings below.
146
+
1. Reconfigure Keycloak.
147
+
1. Configure a new `OpenID Connect` client according to the [Prerequisites](#prerequisites). Ensure the same `Valid Redirect URIs` are set.
148
+
1. Configure mappers for the new client according to the [Prerequisites](#prerequisites).
149
+
1. Before configuring Rancher to use Keycloak (OIDC), Keycloak (SAML) must be first disabled.
150
+
1. In the Rancher UI, click **☰ > Users & Authentication**.
151
+
1. In the left navigation bar, click **Auth Provider**.
152
+
1. Select **Keycloak (SAML)**.
153
+
1. Click **Disable**.
154
+
1. Follow the steps in [Configuring Keycloak in Rancher](#configuring-keycloak-in-rancher).
113
155
114
-
Setting | Value
115
-
------------|------------
116
-
`Name` | `Groups Mapper`
117
-
`Mapper Type` | `Group Membership`
118
-
`Token Claim Name` | `groups`
119
-
`Add to ID token` | `ON`
120
-
`Add to access token` | `ON`
121
-
`Add to user info` | `ON`
156
+
:::caution
122
157
123
-
### Reconfigure Rancher
124
-
125
-
Before configuring Rancher to use Keycloak (OIDC), Keycloak (SAML) must be first disabled.
126
-
127
-
1. In the Rancher UI, click **☰ > Users & Authentication**.
128
-
1. In the left navigation bar, click **Auth Provider**.
129
-
1. Select **Keycloak (SAML)**.
130
-
1. Click **Disable**.
131
-
132
-
Configure Rancher to use Keycloak (OIDC) by following the steps in [this section](#configuring-keycloak-in-rancher).
133
-
134
-
:::note
135
-
136
-
After configuration is completed, Rancher user permissions will need to be reapplied as they are not automatically migrated.
158
+
After configuration is completed, Rancher user permissions need to be reapplied as they are not automatically migrated.
137
159
138
160
:::
139
161
140
162
## Annex: Troubleshooting
141
163
142
164
If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration options of your OIDC client. You may also inspect the Rancher logs to help pinpoint what's causing issues. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) in this documentation.
143
165
144
-
All Keycloak related log entries will be prepended with either `[generic oidc]` or `[keycloak oidc]`.
166
+
All Keycloak related log entries are prepended with either `[generic oidc]` or `[keycloak oidc]`.
145
167
146
168
### You are not redirected to Keycloak
147
169
148
-
When you fill the **Configure a Keycloak OIDC account** form and click on **Enable**, you are not redirected to your IdP.
170
+
When you fill the **Configure a Keycloak OIDC account** form and click **Enable**, you are not redirected to your IdP.
149
171
150
-
*Verify your Keycloak client configuration.
172
+
Verify your Keycloak client configuration.
151
173
152
174
### The generated `Issuer` and `Auth Endpoint` are incorrect
153
175
154
-
*On the **Configure a Keycloak OIDC account** form, change **Endpoints** to `Specify (advanced)` and override the `Issuer` and `Auth Endpoint` values. To find the values, go to the Keycloak console and select **Realm Settings**, select the **General** tab, and click **OpenID Endpoint Configuration**. The JSON output will display values for `issuer` and `authorization_endpoint`.
176
+
On the **Configure a Keycloak OIDC account** form, change **Endpoints** to `Specify (advanced)` and override the `Issuer` and `Auth Endpoint` values. To find the values, go to the Keycloak console and select **Realm Settings**, select the **General** tab, and click **OpenID Endpoint Configuration**. The JSON output displays values for `issuer` and `authorization_endpoint`.
155
177
156
178
### Keycloak Error: "Invalid grant_type"
157
179
158
-
*In some cases, this error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.
180
+
In some cases, this error message may be misleading and is caused by setting the `Valid Redirect URI` incorrectly.
159
181
160
182
### Unable to See Groups When Assigning Global Roles
161
183
@@ -172,4 +194,3 @@ To resolve this, you can either:
172
194
3. Save your changes.
173
195
174
196
2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.
0 commit comments