Configure OIDC authentication with Keycloak
- Keycloak realm for Rancher
- Rancher OIDC authentication provider
Keycloak realm for Rancher
These instructions are specific to a setup that uses Keycloak as the OIDC identity provider. In the Keycloak realm used by Rancher, configure the following mappers:
- A Group Membership type mapper with Add to userinfo enabled and a claim name set
- An Audience type mapper with Add to userinfo enabled and a claim name set
- A Group Membership type mapper with Add to userinfo and Full group path enabled and a claim name set
More on this in the official guide.
Rancher OIDC authentication provider
Configure an OIDC authentication provider with the client, issuer and return URLs specific to the Keycloak setup. Two options exist:
- Use the old, Rancher-standard paths that include the /auth subpath (see issues below).
- Add custom paths, removing the /auth subpath from the return and issuer URLs.
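The mappers configured in the realm and the issuer URL chosen here decide what a consumer such as Rancher actually receives and accepts. The following is an added example, not Rancher, Capsule or Keycloak code: it shows how an OIDC consumer checks the issuer, the audience and the group membership claim, and why a token issued from the legacy /auth issuer path, minted for a different client, or carrying the group under another parent path is rejected. Every name in it (the ProviderConfig fields, the hostname, the subject value) is an assumption, and the claim sets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


# Hypothetical container for the provider settings an OIDC consumer stores.
@dataclass(frozen=True)
class ProviderConfig:
    issuer: str           # must equal the token's "iss" exactly
    client_id: str        # must appear in "aud" (this is what the Audience mapper adds)
    groups_claim: str     # claim name set on the Group Membership mapper
    required_group: str   # Keycloak group that grants access, e.g. capsule.clastix.io


@dataclass
class ValidationResult:
    ok: bool
    reason: str
    subject: str | None = None
    groups: list[str] = field(default_factory=list)


def group_matches(claim_value: str, required: str) -> bool:
    """Accept the group as a plain name or as a top-level full path ("/name",
    which Keycloak emits when "Full group path" is enabled on the mapper).
    Nested paths ("/parent/name") are deliberately rejected: a group with the
    same leaf name under another parent is a different group."""
    return claim_value == required or claim_value == "/" + required


def validate_claims(claims: dict, cfg: ProviderConfig) -> ValidationResult:
    # Issuer: exact string comparison, so a provider configured without the
    # /auth subpath does not accept tokens whose "iss" still carries it.
    iss = claims.get("iss")
    if iss != cfg.issuer:
        return ValidationResult(False, f"issuer mismatch: got {iss!r}, expected {cfg.issuer!r}")

    # Audience: a single audience is serialized as a plain string, several as a list.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if cfg.client_id not in aud:
        return ValidationResult(False, f"audience {aud!r} does not include {cfg.client_id!r}")

    # Group membership: the claim only shows up in userinfo when "Add to userinfo"
    # is enabled on the mapper.
    groups = claims.get(cfg.groups_claim)
    if not isinstance(groups, list):
        return ValidationResult(False, f"claim {cfg.groups_claim!r} missing or not a list "
                                       "(is 'Add to userinfo' enabled on the mapper?)")
    if not any(group_matches(g, cfg.required_group) for g in groups):
        return ValidationResult(False, f"user is not a member of {cfg.required_group!r}")

    return ValidationResult(True, "ok", subject=claims.get("sub"), groups=list(groups))


# Assumed provider settings (hostname and client id are placeholders).
CFG = ProviderConfig(
    issuer="https://keycloak.example.test/realms/rancher",
    client_id="rancher",
    groups_claim="groups",
    required_group="capsule.clastix.io",
)

# Constructed sample claims, shaped like Keycloak userinfo output with the
# Audience and Group Membership (full path) mappers applied.
SAMPLE_OK = {
    "iss": "https://keycloak.example.test/realms/rancher",
    "aud": ["rancher", "account"],
    "sub": "3f4a0d2c-constructed-sub",
    "preferred_username": "alice",
    "groups": ["/capsule.clastix.io"],
}
# Same user, token issued from the legacy "/auth" issuer path.
SAMPLE_OLD_ISSUER = dict(SAMPLE_OK, iss="https://keycloak.example.test/auth/realms/rancher")
# Token minted for a different client (no Audience mapper for ours).
SAMPLE_WRONG_AUD = dict(SAMPLE_OK, aud="some-other-client")
# Same leaf group name, but nested under another parent group.
SAMPLE_NESTED = dict(SAMPLE_OK, groups=["/other-team/capsule.clastix.io"])

if __name__ == "__main__":
    for name, claims in [("ok", SAMPLE_OK), ("old_issuer", SAMPLE_OLD_ISSUER),
                         ("wrong_aud", SAMPLE_WRONG_AUD), ("nested", SAMPLE_NESTED)]:
        r = validate_claims(claims, CFG)
        print(f"{name:11} ok={r.ok} {r.reason}")
```

Running the block prints one line per sample; only the first is accepted. The exact issuer comparison is the point behind the two URL options above: whichever path style is chosen, it has to be the same on both sides.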
Configure Tenant users
- In Rancher, configure OIDC authentication with Keycloak as described above.
- In Keycloak, create a Group named capsule.clastix.io in the rancher Realm.
- In Keycloak, create a User in the rancher Realm and make it a member of the capsule.clastix.io Group.
- In the Kubernetes target cluster, update the CapsuleConfiguration by adding the
- Log in to Rancher with Keycloak as the new user.
- In Rancher, as an administrator, set the user's custom role with
- In Rancher, as an administrator, add the Rancher user ID of the user who just logged in as Owner of a
- (optional) Configure the Tenant to enable tenant users to access cluster-wide resources.