rancher: Configuring Keycloak (SAML) authentication fails with decoding error

Rancher Server Setup

  • Rancher version: 2.5.8
  • Keycloak 1.11.0

Describe the bug

Configuring Keycloak (SAML) authentication fails with the following error:

Unknown error: SAML: cannot initialize saml SP, cannot decode IDP Metadata content from the config

To Reproduce

Follow the documentation to configure Keycloak as authentication provider:

https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/keycloak/

Result

When clicking on “Authenticate with Keycloak” after having completed the configuration, an error is thrown in the UI and in the Rancher server logs. See below for the full log.

Newer versions of Keycloak generate IDPSSO Metadata XML that defines different namespaces (e.g. md or ds), which Rancher appears unable to parse.

Applying the documented workaround of removing EntitiesDescriptor does not fix the issue.

Example Metadata:

<md:EntityDescriptor Name="urn:keycloak" entityID="https://dims.toolbox.gdis-np.aws.signintra.net/auth/realms/dims">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
....

Results in this error:

error expected element <EntityDescriptor> in name space urn:oasis:names:tc:SAML:2.0:metadata but have md

Expected Result

Authentication should be successfully enabled. Valid XML should not result in parsing failure.

Additional context

Rancher Server Log:

rancher-log.txt

SURE-3187

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

@ryansann and I verified that Keycloak returns proper XML with all the IDP info for all versions. The problem is how some browsers display it. We need to mention in the docs that some browsers (Firefox, in particular) may render/process the document such that the contents appear to have been modified, and some attributes appear to be missing. Users should ideally copy the raw response and use it. There is nothing to fix on our part.
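As an added illustration (not code from this issue or from Rancher), the check below uses Go's encoding/xml, whose handling of an unbound namespace prefix is what produces the "but have md" error quoted in the report: two constructed metadata samples are decoded, one with the xmlns:md/xmlns:ds declarations present and one with them stripped, as happens when the document is copied from a browser's rendered view instead of the raw response. The entityID, realm and all type and function names are assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// entityDescriptor mirrors the root element a Go SAML SP expects. The XMLName tag
// pins local name and namespace URI, so <md:EntityDescriptor> only matches when md is bound.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	IDPSSO   struct {
		WantAuthnRequestsSigned bool `xml:"WantAuthnRequestsSigned,attr"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
}

// CheckIdPMetadata decodes pasted IdP metadata and returns the entityID. An unbound
// prefix is reported by encoding/xml as the namespace "md", i.e. the error in the report.
func CheckIdPMetadata(metadata string) (string, error) {
	var ed entityDescriptor
	err := xml.NewDecoder(strings.NewReader(metadata)).Decode(&ed)
	if err != nil && !strings.Contains(metadata, "xmlns:") {
		// Prefixed elements but no xmlns:* declarations: a browser-rendered copy, not the raw response.
		return "", fmt.Errorf("%w (no xmlns declarations; paste the raw IdP metadata)", err)
	}
	if err != nil {
		return "", err
	}
	return ed.EntityID, nil
}

// Constructed sample: what Keycloak serves, with the prefixes declared.
const goodMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>`

// Constructed sample: the same document with its xmlns:* declarations dropped.
const strippedMetadata = `<md:EntityDescriptor entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>`

func main() {
	for _, doc := range []string{goodMetadata, strippedMetadata} {
		id, err := CheckIdPMetadata(doc)
		fmt.Printf("entityID=%q err=%v\n", id, err)
	}
}
```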

Let me know when it’s confirmed and I’ll move this into rancher/docs and we’ll get it in the queue. Thank you.