Configuring Keycloak (SAML) authentication fails with decoding error #33709
Comments
@janeczku, what version of Keycloak did you use? I am not sure to what
Reproduced in Rancher v2.5.12 and Keycloak v16.1.1. Observing exactly the same behavior that @janeczku describes.
Spoke with @ryansann, we found that the Rancher docs need to be updated. The problem is that the metadata does not define additional attributes that are used in other elements in the document, nor do we mention them in the docs:
For Rancher to parse the metadata, the XML document must include the attributes in the first element -
We should update the documentation and mention the need for these three attributes, just above this section where the docs mention edits to the metadata file:
@sirredbeard FYI, this will be coming your way soon; Max just needs to clarify a few things around versions.
Ran the scenario with Keycloak v13. In the docs, we need different sections per version group for obtaining IDP metadata, depending on the version of Keycloak used. v0-6: you get the metadata in the Keycloak UI. v6-13: you get the metadata via the Keycloak endpoint; you would need to remove the outer wrapper object. v14+: you get the metadata via the Keycloak endpoint; no need to remove the wrapper object, so make sure the top-level object is In any case, ensure the top-level object's
If you fetch the IDP metadata endpoint with Firefox, note that it modifies the XML, so you may not have the attributes. Consider copying the XML document from the raw response found in the Network tab.
Is this ready for docs?
@sirredbeard, we are waiting for confirmation that this can be resolved by a docs change. If yes, then the comment above can be used as the docs update itself (with minor edits if needed).
Let me know when it's confirmed and I'll move this into rancher/docs and we'll get it in the queue. Thank you.
@janeczku please confirm whether the doc change will cover this.
I would really prefer we fix the actual bug rather than updating the docs with yet more workarounds.
Release note this for 2.6.4 and fix in 2.6.5?
As an interim solution the doc fix seems sound. I just want to prevent us from closing this ticket without fixing the underlying issue in the code. @sirredbeard
@ryansann, do you think the fix is on us or Keycloak? We could, in principle, process the XML in such a way as to include those missing attribute definitions (and probably for any version of Keycloak).
@ryansann and I verified that Keycloak returns proper XML with all the IDP info for all versions. The problem is how some browsers display it. We need to mention in the docs that some browsers (Firefox, in particular) may render/process the document such that the contents appear to have been modified, and some attributes appear to be missing. Users should ideally copy the raw response and use it. There is nothing to fix on our part.
@janeczku ^ we have determined that there is no underlying issue in the code to resolve.
Rancher Server Setup
Describe the bug
Configuring Keycloak (SAML) authentication fails with the following error:
To Reproduce
Follow the documentation to configure Keycloak as authentication provider:
https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/keycloak/
Result
When clicking on "Authenticate with Keycloak" after having completed the configuration an error is thrown in the UI and Rancher server logs. See below for full log.
Newer versions of Keycloak generate IDPSSO Metadata XML that defines different namespaces (e.g. md, ords) which Rancher appears unable to parse. Applying the documented workaround of removing EntitiesDescriptor does not fix the issue.
Example Metadata:
Results in this error:
Expected Result
Authentication should be successfully enabled. Valid XML should not result in parsing failure.
Screenshots
Additional context
Rancher Server Log:
rancher-log.txt
SURE-3187
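The thread above boils down to three checks on the IdP metadata document before it is pasted into Rancher: the namespace prefixes used in the document must be declared on the first (root) element, the root must be a single EntityDescriptor rather than the EntitiesDescriptor wrapper that Keycloak v6-13 returns, and a copy taken from a browser's rendered view (Firefox in particular) may have lost those declarations. The script below, an added example that is not part of the issue or of Rancher's or Keycloak's code, runs those checks with Python's standard XML parser. The sample documents are constructed; the only real identifiers are the standard SAML 2.0 metadata and XML Signature namespace URIs, which are assumed to be what the `md` and `ds` prefixes bind to (the `ords` prefix mentioned in the report is not a standard one, so it is not modelled here).

```python
import re
import xml.etree.ElementTree as ET

# Standard namespaces (assumed bindings for the md/ds prefixes; not taken from the issue).
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Register the prefixes so re-serialised output keeps readable md:/ds: names
# instead of ElementTree's generated ns0:/ns1: prefixes.
ET.register_namespace("md", SAML_MD_NS)
ET.register_namespace("ds", XMLDSIG_NS)


def _local_name(tag):
    """Strip the {namespace} part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def find_unbound_prefixes(xml_text):
    """Heuristic: element prefixes used anywhere but never declared with xmlns:<prefix>.

    This is what a copy of the Firefox-rendered view typically loses.
    """
    declared = set(re.findall(r'xmlns:([A-Za-z_][\w.-]*)=', xml_text))
    used = set(re.findall(r'<([A-Za-z_][\w.-]*):', xml_text))
    return sorted(used - declared)


def check_idp_metadata(xml_text):
    """Return a report dict; report['ok'] is True only when the document is usable as-is."""
    report = {"well_formed": False, "root": None, "wrapped": False,
              "unbound_prefixes": [], "ok": False}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # expat refuses documents that use a prefix without a binding ("unbound prefix").
        report["error"] = str(exc)
        report["unbound_prefixes"] = find_unbound_prefixes(xml_text)
        return report
    report["well_formed"] = True
    report["root"] = _local_name(root.tag)
    report["wrapped"] = report["root"] == "EntitiesDescriptor"
    report["ok"] = (report["root"] == "EntityDescriptor"
                    and _namespace(root.tag) == SAML_MD_NS)
    return report


def unwrap_entities_descriptor(xml_text):
    """Return the first EntityDescriptor as a stand-alone document (the v6-13 workaround).

    If the root is already an EntityDescriptor the text is returned unchanged.
    """
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "EntitiesDescriptor":
        return xml_text
    inner = root.find("{%s}EntityDescriptor" % SAML_MD_NS)
    if inner is None:
        raise ValueError("EntitiesDescriptor contains no EntityDescriptor")
    # Serialising the child re-declares the namespaces it uses on the new root element.
    return ET.tostring(inner, encoding="unicode")


# Constructed sample documents (entityID and realm name are placeholders).
GOOD = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/realms/demo">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>' % SAML_MD_NS
)
# Same document as it might look after being copied from a browser's rendered view:
# the xmlns:md declaration on the first element is gone.
BROWSER_COPY = (
    '<md:EntityDescriptor entityID="https://idp.example.test/realms/demo">'
    '<md:IDPSSODescriptor/></md:EntityDescriptor>'
)
# Keycloak v6-13 style response with the outer wrapper object.
WRAPPED = (
    '<md:EntitiesDescriptor xmlns:md="%s">%s</md:EntitiesDescriptor>' % (SAML_MD_NS, GOOD)
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("browser copy", BROWSER_COPY), ("wrapped", WRAPPED)):
        print(name, check_idp_metadata(doc))
    print("unwrapped ok:", check_idp_metadata(unwrap_entities_descriptor(WRAPPED))["ok"])
```

Run it against the raw response body saved from the browser's Network tab rather than the rendered page. One caveat on the unwrap step: if the inner EntityDescriptor carries an XML signature, re-serialising it can change whitespace and namespace declaration order, so a signed document should be cut out of the raw text by hand instead of re-serialised.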