Configure Generic OIDC

Generic OpenID Connect (OIDC) allows users to sign in to Rancher using their credentials from their existing account at an OIDC Identity Provider (IdP). Rancher supports integration with the OIDC protocol and the SAML protocol. Both implementations are functionally equivalent when used with Rancher. The following instructions describe how to create an OIDC client and configure Rancher to work with your authentication provider. Users can then sign into Rancher using their login from the OIDC IdP.

Prerequisites

Identity Provider

In Rancher, Generic OIDC is disabled.

note

Consult the documentation for your specific IdP to complete the listed prerequisites.

OIDC Client

In your IdP, create a new client with the settings below:

Setting	Value
Client ID	<CLIENT_ID> (e.g. rancher)
Name	<CLIENT_NAME> (e.g. rancher)
Client Protocol	openid-connect
Access Type	confidential
Valid Redirect URI	https://yourRancherHostURL/verify-auth

In the new OIDC client, create mappers to expose the user's fields.

1. Create a new Groups Mapper with the settings below:

   Setting	Value
   Name	Groups Mapper
   Mapper Type	Group Membership
   Token Claim Name	groups
   Add to ID token	OFF
   Add to access token	OFF
   Add to user info	ON

2. Create a new Client Audience with the settings below:

   Setting	Value
   Name	Client Audience
   Mapper Type	Audience
   Included Client Audience	CLIENT_NAME
   Add to access token	ON

3. Create a new Groups Path with the settings below.

   Setting	Value
   Name	Group Path
   Mapper Type	Group Membership
   Token Claim Name	full_group_path
   Full group path	ON
   Add to user info	ON

danger

Rancher uses the value received in the "sub" claim to form the PrincipalID which is the unique identifier in Rancher. It is important to make this a value that is unique and immutable.

Configuring Generic OIDC in Rancher

1. In the upper left corner of the Rancher UI, click ☰ > Users & Authentication.

2. In the left navigation bar, click Auth Provider.

3. Select Generic OIDC.

4. Complete the Configure an OIDC account form. For help with filling the form, see the configuration reference.

5. Click Enable.

   Rancher will redirect you to the IdP login page. Enter your IdP credentials to validate your Rancher Keycloak configuration.

   note

   You may need to disable your popup blocker to see the IdP login page.

Result: Rancher is configured to work with your provider using the OIDC protocol. Your users can now sign into Rancher using their IdP logins.

Custom Claim Mapping

Custom claim mapping within the Generic OIDC configuration is supported for name, email and groups claims. This allows you to manually map these OIDC claims when your IdP doesn't use standard names in tokens.

How a Custom Groups Claim Works

A custom groups claim influences how user groups work:

• If both the standard OIDC groups claim and the custom groups claim are present in the user's token, the custom claim supplements the list of groups provided by the standard claim.
• If there is no standard groups claim in the token, the groups listed in the custom claim will form the user's only groups.

note

There is no search functionality available for groups sourced from a custom claim. To assign a role to one of these groups, you must manually enter the group's exact name into the RBAC field.

Configuring Custom Claims

When on the Configure an OIDC account form:

1. Select Add custom claims.
2. Add your custom name, email or groups claims to the appropriate Custom Claims field.

For example, if your IdP sends groups in a claim called custom_roles, enter custom_roles into the Custom Groups Claim field. Rancher then supplements the standard OIDC groups claim or looks for that specific claim when processing the user's token.

Configuration Reference

Field	Description
Client ID	The Client ID of your OIDC client.
Client Secret	The generated Secret of your OIDC client.
Private Key/Certificate	A key/certificate pair to create a secure shell between Rancher and your IdP. Required if HTTPS/SSL is enabled on your OIDC server.
Endpoints	Choose whether to use the generated values for the Rancher URL, Issue, and Auth Endpoint fields or to provide manual overrides if incorrect.
Rancher URL	The URL for your Rancher Server.
Issuer	The URL of your IdP. If your provider has discovery enabled, Rancher uses the Issuer URL to fetch all of the required URLs.
Auth Endpoint	The URL where users are redirected to authenticate.

Custom Claims

Custom Claim Field	Default OIDC Claim	Custom Claim Description
Custom Name Claim	name	The name of the claim in the OIDC token that contains the user's full name or display name.
Custom Email Claim	email	The name of the claim in the OIDC token that contains the user's email address.
Custom Groups Claim	groups	The name of the claim in the OIDC token that contains the user's group memberships (used for RBAC).

Troubleshooting

If you are experiencing issues while testing the connection to the OIDC server, first double-check the configuration options of your OIDC client. You can also inspect the Rancher logs to help pinpoint what's causing issues. Debug logs may contain more detailed information about the error. Please refer to How can I enable debug logging in this documentation.

All Generic OIDC related log entries are prepended with either [generic oidc] or [oidc].

You are not redirected to your authentication provider

If you fill out the Configure a Generic OIDC account form and click on Enable, and you are not redirected to your IdP, verify your OIDC client configuration.

The generated Issuer and Auth Endpoint are incorrect

If the Issuer and Auth Endpoint are generated incorrectly, open the Configure an OIDC account form, change Endpoints to Specify (advanced) and override the Issuer value.

Error: "Invalid grant_type"

In some cases, the "Invalid grant_type" error message may be misleading and is actually caused by setting the Valid Redirect URI incorrectly.

Configuring OIDC Single Logout (SLO)

Rancher supports the ability to configure OIDC Single Logout (SLO). Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options.

Prerequisites

Before configuring OIDC SLO, ensure the following is set up on your IdP:

• SLO Support: The Log Out behavior configuration section only appears if your OIDC IdP allows for OIDC SLO.
• Post-Logout Redirect URI: Your Rancher Server URL must be configured as an authorized post-logout redirect URI in your IdP's OIDC client settings. This URL is used by the IdP to redirect a user back to Rancher after a successful external logout.

OIDC SLO Configuration

Configure the SLO settings when setting up or editing your OIDC authentication provider.

1. Sign in to Rancher using a standard user or an administrator role.

2. In the top left corner, select ☰ > Users & Authentication.

3. In the left navigation menu, select Auth Provider.

4. Under the section Log Out behavior, choose the appropriate SLO setting as described below:

   Setting	Description
   Log out of Rancher and not authentication provider	Choosing this option will only logout the Rancher application and not external authentication providers.
   Log out of Rancher and authentication provider (includes all other applications registered with authentication provider)	Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider.
   Allow the user to choose one of the above in an additional log out step	Choosing this option presents users with a choice of logout method as described above.

5. If you choose to log out of your IdP, provide an End Session Endpoint. Rancher uses this URL to initiate the external logout.

How to get the End Session Endpoint

The end_session_endpoint is one of the specific URLs published within a standardized JSON object containing the IdP's metadata and is retrieved from the OIDC Discovery URL. To get the end_session_endpoint from the OIDC Discovery URL, follow these steps:

1. Obtain the Discovery URL by appending the IdP Issuer URL with the well-known path (.well-known/openid-configuration).

2. Send an HTTP GET request to the Discovery URL.

3. In the JSON object, look for the key named end_session_endpoint and retrieve the URL.

   You can also use a curl command to retrieve end_session_endpoint:

   curl -s <ISSUER_URL>/.well-known/openid-configuration | jq '.end_session_endpoint'