
Configuring Keycloak (SAML) authentication fails with decoding error #33709

Closed
janeczku opened this issue Jul 21, 2021 · 15 comments
Labels: area/authentication, internal, kind/bug (Issues that are defects reported by users or that we know have reached a real release), team/area1

@janeczku (Contributor) commented Jul 21, 2021

Rancher Server Setup

  • Rancher version: 2.5.8
  • Keycloak 1.11.0

Describe the bug
Configuring Keycloak (SAML) authentication fails with the following error:

Unknown error: SAML: cannot initialize saml SP, cannot decode IDP Metadata content from the config

To Reproduce

Follow the documentation to configure Keycloak as authentication provider:

https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/keycloak/

Result

When clicking on "Authenticate with Keycloak" after having completed the configuration an error is thrown in the UI and Rancher server logs. See below for full log.

Newer versions of Keycloak generate IDPSSO Metadata XML that defines different namespaces (e.g. md or ds) which Rancher appears not to be able to parse.

Applying the documented workaround of removing EntitiesDescriptor does not fix the issue.

Example Metadata:

<md:EntityDescriptor Name="urn:keycloak" entityID="https://dims.toolbox.gdis-np.aws.signintra.net/auth/realms/dims">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
....

Results in this error:

error expected element <EntityDescriptor> in name space urn:oasis:names:tc:SAML:2.0:metadata but have md

Expected Result

Authentication should be successfully enabled. Valid XML should not result in parsing failure.

Screenshots

[Screenshot 2021-07-21 at 14:04:54]

Additional context

Rancher Server Log:

rancher-log.txt

SURE-3187

@janeczku janeczku added kind/bug Issues that are defects reported by users or that we know have reached a real release area/authentication internal labels Jul 21, 2021
@janeczku janeczku changed the title Configuring Keycloak (SAML) authentication fails with XML error Configuring Keycloak (SAML) authentication fails with decoding error Jul 21, 2021
@ryansann ryansann self-assigned this Feb 3, 2022
@samjustus samjustus added this to the v2.6.4 milestone Feb 4, 2022
@samjustus samjustus assigned maxsokolovsky and unassigned ryansann Feb 9, 2022
@maxsokolovsky (Contributor):

@janeczku, what version of Keycloak did you use? I am not sure to what v1.11.0 refers.

@maxsokolovsky (Contributor):

Reproduced in Rancher v2.5.12 and Keycloak v16.1.1. Observing exactly the same behavior that @janeczku describes.

@maxsokolovsky (Contributor):

Spoke with @ryansann; we found that the Rancher docs need to be updated.
Starting with Keycloak v6 and later, we must get the IDP metadata via a URL. The Keycloak server then presents the metadata as an XML document.

The problem is that the metadata does not define additional attributes that are used in other elements in the document, nor do we mention them in the docs:

xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

For Rancher to parse the metadata, the XML document must include the attributes in the first element - EntityDescriptor, like this:

<md:EntityDescriptor entityID="https://157.245.217.6:8443/auth/realms/myrealm"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

We should update the documentation and mention the need for these three attributes. Just above this section where the docs mention edits to the metadata file:
https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/keycloak/#configuring-keycloak-in-rancher

@samjustus (Collaborator):

@sirredbeard FYI this will be coming your way soon, Max just needs to clarify a few things around versions

@maxsokolovsky (Contributor):

Ran the scenario with Keycloak v13.

In the docs, we need different sections per version group for obtaining IDP metadata - depending on the version of Keycloak used.

v0-6: you get the metadata in the Keycloak UI.

v6-13: you get the metadata via Keycloak endpoint, you would need to remove the outer wrapper object EntitiesDescriptor.

v14+: you get the metadata via Keycloak endpoint, no need to remove the wrapper object, so make sure the top-level object is EntityDescriptor.

In any case, ensure the top-level object's EntityDescriptor metadata has the 3 namespace attributes:

xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

If you fetch the IDP metadata endpoint with Firefox, note that it modifies the XML, so you may not have the attributes. Consider copying the XML document from the raw response found in the Network tab.
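The namespace requirement above can be checked before the metadata is pasted into Rancher. The following Go program is an added example, not Rancher's own code: it decodes the top-level element with encoding/xml the same way a namespace-pinned struct does, and runs three constructed sample documents through it (a browser-rendered copy with the xmlns declarations gone, the raw response with the three declarations, and the v6-13 EntitiesDescriptor wrapper). The host idp.example.test is hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// entityDescriptor mirrors just enough of the IDP metadata for the check.
// Pinning the namespace in the tag is what makes encoding/xml report
// "expected element <EntityDescriptor> in name space ... but have md"
// when the md prefix is used but never declared.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
}

// CheckIDPMetadata returns the entityID when the document parses as a
// namespaced top-level EntityDescriptor, or the decoder's error otherwise.
func CheckIDPMetadata(doc string) (string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(doc), &ed); err != nil {
		return "", fmt.Errorf("cannot decode IDP metadata: %w", err)
	}
	return ed.EntityID, nil
}

// Constructed samples (hypothetical host, not real Keycloak output).
const body = `<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo/></md:KeyDescriptor>
</md:IDPSSODescriptor>`

const xmlnsAttrs = ` xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"`

// As a browser-rendered copy may look: prefixes used, declarations gone.
var MetadataMissingNS = `<md:EntityDescriptor entityID="https://idp.example.test/auth/realms/demo">` + body + `</md:EntityDescriptor>`

// The raw response, with the three namespace declarations on EntityDescriptor.
var MetadataWithNS = `<md:EntityDescriptor entityID="https://idp.example.test/auth/realms/demo"` + xmlnsAttrs + `>` + body + `</md:EntityDescriptor>`

// The Keycloak v6-13 shape: still wrapped in the outer EntitiesDescriptor.
var MetadataWrapped = `<md:EntitiesDescriptor` + xmlnsAttrs + `>` + MetadataWithNS + `</md:EntitiesDescriptor>`

func main() {
	for _, doc := range []string{MetadataMissingNS, MetadataWithNS, MetadataWrapped} {
		id, err := CheckIDPMetadata(doc)
		fmt.Printf("entityID=%q err=%v\n", id, err)
	}
}
```

Only the second sample yields an entityID; the first fails with the "but have md" error from this issue, and the wrapped one fails on the element name, which is the v6-13 case where EntitiesDescriptor must be removed.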

@sirredbeard:

Is this ready for docs?

@maxsokolovsky (Contributor):

@sirredbeard, we are waiting for confirmation that this can be resolved by a docs change. If yes, then the comment above can be used as the docs update itself (with minor edits if needed).

@sirredbeard:

Let me know when it's confirmed and I'll move this into rancher/docs and we'll get it in the queue. Thank you.

@samjustus (Collaborator):

@janeczku please confirm if the doc change will cover this

@janeczku (Contributor, Author):

I would really prefer we fix the actual bug rather than updating the docs with yet more workarounds.

@sirredbeard:

Release note this for 2.6.4 and fix in 2.6.5?

@janeczku (Contributor, Author):

As an interim solution the doc fix seems sound. I just want to prevent us from closing this ticket without fixing the underlying issue in the code. @sirredbeard

@maxsokolovsky (Contributor):

@ryansann, do you think the fix is on us or Keycloak? We could, in principle, process the XML in such a way as to include those missing attribute definitions (and probably for any version of Keycloak).

@maxsokolovsky (Contributor):

@ryansann and I verified that Keycloak returns proper XML with all the IDP info for all versions. The problem is how some browsers display it. We need to mention in the docs that some browsers (Firefox, in particular) may render/process the document such that the contents appear to have been modified, and some attributes appear to be missing. Users should ideally copy the raw response and use it. There is nothing to fix on our part.

@samjustus (Collaborator):

@janeczku ^ we have determined that there is no underlying issue in the code to resolve
@sirredbeard no pending fix
