@robinbraemer
Created September 18, 2024 10:02
Guide: Using Zitadel SAML as Rancher IdP via Keycloak SAML Auth Provider

As an admin I want to allow users to SSO to Rancher via Zitadel as the central identity auth provider.

Since Rancher has no Zitadel-specific auth provider and no generic OIDC or SAML provider, the trick is to configure Rancher's Keycloak SAML auth provider but point it at Zitadel.


Create SAML App in Zitadel

  1. Download Rancher's SAML metadata XML from https://RANCHERHOST/v1-saml/keycloak/saml/metadata
  2. Load it into the Zitadel SAML app as an XML file (you may need to add a .xml extension to the file).

Rancher Metadata XML


Configuring Keycloak SAML Auth Provider in Rancher

  1. Create the Keycloak SAML auth provider in Rancher and enter Zitadel's field names as shown in the screenshot below.

  2. Download Zitadel's SAML metadata from https://ZITADELHOST/saml/v2/metadata

  3. Load that into Rancher's Metadata XML field.

  4. Download the certificate from Zitadel from http://ZITADELHOST/saml/v2/certificate

  5. Load that into Rancher's Certificate field.

  6. For the Private Key, follow the Rancher docs; you can simply generate a key pair by running:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert

Generate Private Key

  7. Load the myservice.key into Rancher's Private Key field.

It should look like this in the end:

  • Note that for the UID field I used Zitadel's UserID, but Email would work as well.
  • Note that there is no Groups field in Zitadel's SAMLResponse, but the login works nevertheless. If you need to add the user to Rancher groups, see the notes below.

Rancher Configuration
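Before clicking Enable, it is worth checking that the certificate pasted into the Certificate field in step 5 is the same signing certificate that the metadata from step 2 carries, since a stale or mis-copied certificate leaves Rancher trusting the wrong signer or rejecting every assertion. The Python below is an added example, not part of this gist and not Rancher's or Zitadel's own code; the metadata document and PEM inside it are constructed placeholders (the certificate bytes are not a real certificate), so on a real setup read the two downloaded files instead. It also flags a metadata document with no signing key or with a non-https SSO endpoint.

```python
"""Check a downloaded IdP certificate against the signing key in IdP SAML metadata.

Added example (not from the gist). Metadata and PEM below are constructed
placeholders; with real files, load ZITADELHOST/saml/v2/metadata and the
downloaded certificate instead.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes; only its bytes matter here.
FAKE_DER = b"constructed placeholder DER bytes, not a real certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed, minimal IdP metadata in the shape Rancher consumes (not real Zitadel output).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ZITADELHOST/saml/v2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {FAKE_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ZITADELHOST/saml/v2/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _to_pem(b64: str) -> str:
    """Wrap a base64 body in PEM armor, 64 characters per line."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_CERT_PEM = _to_pem(FAKE_B64)  # matches the metadata above
STALE_CERT_PEM = _to_pem(base64.b64encode(b"a rotated, different placeholder cert").decode())


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armor and decode the base64 body to DER bytes."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most admin UIs display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull entityID, SSO endpoints and signing certs (as DER) out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_metadata(meta: dict) -> list:
    """Findings an admin should resolve before enabling the provider."""
    findings = []
    if not meta["signing_certs"]:
        findings.append("metadata carries no signing certificate to verify assertions against")
    for binding, loc in meta["sso"].items():
        if not (loc or "").startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {loc}")
    return findings


def certificate_matches_metadata(pem_text: str, xml_text: str) -> bool:
    """True if the PEM you will paste into Rancher is one of the IdP's signing certs."""
    wanted = sha256_fingerprint(pem_to_der(pem_text))
    return any(sha256_fingerprint(c) == wanted
               for c in parse_idp_metadata(xml_text)["signing_certs"])


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    for cert in meta["signing_certs"]:
        print("signing cert SHA-256:", sha256_fingerprint(cert))
    print("findings:", check_metadata(meta) or "none")
    print("downloaded cert matches:", certificate_matches_metadata(SAMPLE_CERT_PEM, SAMPLE_METADATA))
    print("stale cert matches:", certificate_matches_metadata(STALE_CERT_PEM, SAMPLE_METADATA))
```

The comparison is by SHA-256 fingerprint of the DER bytes rather than by PEM text, so line wrapping and trailing whitespace in the downloaded file do not cause false mismatches; a metadata document that lists several signing certificates (for example during key rotation) matches if any one of them equals the pasted certificate.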

  1. Click Enable in Rancher, and we are done. We see that the auth provider is active:

Auth Provider Active

  2. Log out, and we should see that we can now also log in via the Keycloak provider, which actually redirects to our Zitadel SAML app:

Login via Keycloak

  3. We see our Zitadel user in the top right corner of our Rancher profile:

Zitadel User in Rancher

  4. Rancher updates the user resource's principalIds to include keycloak_user://265306122980819188, where the id is the same as the Zitadel user id:

Rancher User Resource

Principal IDs

Rancher User


Notes about SAML Groups

Warning: In my testing this didn't work yet; I need to dig deeper into how Rancher groups work in their docs.

There is no Groups field in Zitadel's SAMLResponse, but the login works nevertheless. If you need to add the user to Rancher groups, you can create a Zitadel action that adds the attribute:

// Zitadel action: adds a "Groups" attribute with the value "settings-manage"
// to the SAMLResponse. Arguments: attribute name, name format (empty here), value.
function setCustomAttribute(ctx, api) {
    api.v1.attributes.setCustomAttribute('Groups', '', 'settings-manage');
}


Creating a New User

Any user who can register and log in via Zitadel is able to log in to Rancher by default. The Zitadel Rancher SAML app can be restricted to only those Zitadel users who have project/app access.

Rancher log when signing in as a new Zitadel user for the first time:

2024/05/02 10:26:23 [INFO] Creating user for principal keycloak_user://265329911630135303
2024/05/02 10:26:23 [INFO] Creating globalRoleBindings for u-r3tnxufjdy
2024/05/02 10:26:23 [INFO] Creating new GlobalRoleBinding for GlobalRoleBinding grb-qfhdn
2024/05/02 10:26:23 [INFO] [mgmt-auth-grb-controller] Creating clusterRoleBinding for globalRoleBinding grb-qfhdn for user u-r3tnxufjdy with role cattle-globalrole-user
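Because every Zitadel user gets a Rancher account on first login, these four log lines are the event a defender wants to audit: who was provisioned, which Zitadel user id they came from, and which global role they received. The Python below is an added example, not part of this gist or of Rancher; it parses the lines above (plus a second, constructed user with a non-default role to show the flagging) into one record per provisioned user and lists any role grant outside the expected default. The correlation between the "Creating user for principal" line and the following "Creating globalRoleBindings for u-..." line is by order of appearance, which is an assumption about how Rancher writes these lines, not something the gist states.

```python
"""Audit first-login user provisioning from Rancher log lines.

Added example, not Rancher's own tooling. The first four sample lines are the
ones from the gist; the second user is constructed to show a flagged grant.
"""
import re

SAMPLE_LOG = """\
2024/05/02 10:26:23 [INFO] Creating user for principal keycloak_user://265329911630135303
2024/05/02 10:26:23 [INFO] Creating globalRoleBindings for u-r3tnxufjdy
2024/05/02 10:26:23 [INFO] Creating new GlobalRoleBinding for GlobalRoleBinding grb-qfhdn
2024/05/02 10:26:23 [INFO] [mgmt-auth-grb-controller] Creating clusterRoleBinding for globalRoleBinding grb-qfhdn for user u-r3tnxufjdy with role cattle-globalrole-user
2024/05/02 11:03:10 [INFO] Creating user for principal keycloak_user://CONSTRUCTED-ID-2
2024/05/02 11:03:10 [INFO] Creating globalRoleBindings for u-constructed2
2024/05/02 11:03:10 [INFO] Creating new GlobalRoleBinding for GlobalRoleBinding grb-const2
2024/05/02 11:03:10 [INFO] [mgmt-auth-grb-controller] Creating clusterRoleBinding for globalRoleBinding grb-const2 for user u-constructed2 with role cattle-globalrole-admin
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"Creating user for principal (?P<principal>\S+)")
GRB_FOR_USER_RE = re.compile(r"Creating globalRoleBindings for (?P<user>u-\w+)")
CRB_RE = re.compile(
    r"Creating clusterRoleBinding for globalRoleBinding (?P<grb>\S+) "
    r"for user (?P<user>u-\w+) with role (?P<role>\S+)"
)

# The role Rancher grants a freshly provisioned user in the lines above.
DEFAULT_ROLES = frozenset({"cattle-globalrole-user"})


def parse_rancher_log(text: str) -> list:
    """Return one dict per provisioned user: principal, IdP user id, Rancher user, roles."""
    events = []
    pending = None   # new-user event still waiting for its local "u-..." id
    by_user = {}     # Rancher user id -> event, for attaching later role lines
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (nu := NEW_USER_RE.search(msg)):
            principal = nu.group("principal")
            provider, _, idp_user_id = principal.partition("://")
            pending = {"timestamp": ts, "principal": principal, "provider": provider,
                       "idp_user_id": idp_user_id, "rancher_user": None, "roles": []}
            events.append(pending)
        elif (gb := GRB_FOR_USER_RE.search(msg)) and pending is not None:
            # Assumption: the first globalRoleBindings line after a new-user line
            # belongs to that user.
            pending["rancher_user"] = gb.group("user")
            by_user[gb.group("user")] = pending
            pending = None
        elif (cb := CRB_RE.search(msg)):
            ev = by_user.get(cb.group("user"))
            if ev is not None:
                ev["roles"].append(cb.group("role"))
    return events


def unexpected_role_grants(events: list, allowed: frozenset = DEFAULT_ROLES) -> list:
    """(principal, role) pairs where a new user received something beyond the default role."""
    return [(e["principal"], r) for e in events for r in e["roles"] if r not in allowed]


if __name__ == "__main__":
    provisioned = parse_rancher_log(SAMPLE_LOG)
    for e in provisioned:
        print(f'{e["timestamp"]} {e["provider"]} user {e["idp_user_id"]} -> '
              f'{e["rancher_user"]} roles={e["roles"]}')
    for principal, role in unexpected_role_grants(provisioned):
        print(f"REVIEW: {principal} was granted {role} on first login")
```

Pointing `parse_rancher_log` at the Rancher pod log instead of `SAMPLE_LOG` gives a daily list of accounts created by SSO; reconciling the `idp_user_id` column against the users actually granted access to the Zitadel SAML app is the quickest way to notice that the app was left open to every Zitadel user.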
