https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# developer
a
This message was deleted.
s
This occurs for the user that configured the SAML Rancher Auth Provider via the UI. Other users should be able to log in via SAML and have a distinct principle used for permissions which is used for Auth inside the download kubeconfig file. Can you confirm what version you're using and very explicit steps to reproduce?
c
So we finally got it working correctly, the issue was that the field set as 
uid
was not present in the SAML payload. I would classify it as a bug as the default behavior if a required field is missing should be to fail or error vs providing admin rights.
s
Please can you confirm what version of rancher you're using?
c
Sorry, forgot that.. we are on 2.6.13
👍 1
@stocky-account-63046 Do you want me to create an issue for this on the rancher repo?
s
I've passed this on to an internal team who are currently investigating. I'll ask for an update
This has been investigated in both v2.7-head (very latest code) and 2.6.13. To quote
Copy code
In both cases, the kubeconfig was for a downstream cluster which I created as the original admin user, and then assigned to a SAML specific user.

The token present in the downloaded kubecfg matched the user logged in at the time in both cases
c
In our setup the parameter in Rancher set for userid was not in the SAML payload (.e.g. rancher told to look for 
uid
and it was being passed as 
username
in the SAML payload). When that happened a user was created in rancher for the inbound user but all of the information on the user matched that of the user used to create the saml connection - and the 
adfs_user://
is blank e.g.
Copy code
"principalIds": [
"<local://user-bwvxn>",
"adfs_user://"
],
the 
user-*
name provided in the kubeconf would be that of the admin user too. We recreated and saw this on 2.6.11, 2.6.12, and 2.6.13 before we finally caught the payload token mismatch in name
2 Views
Open in Slack
PreviousNext
Powered by