Help with Shibboleth

Hi folks!
Congrats for all the new features. The Rancher community is growing fast and Rancher is becoming THE alternative to paid and proprietary solutions such as Docker Cloud, and it is also more user-friendly.

I am trying to set up Shibboleth auth in order to integrate an SSO solution across all the services deployed using Rancher, including Rancher itself.

I am using WSO2IS, and in order to set up SAML as an identity provider I need to know many details about the service provider (Rancher) that I cannot find on the Rancher access control page.

Has anybody configured Shibboleth as authorization for Rancher and is able to help me move forward with this issue?

What do you need to know? But we call it “Shibboleth” and not “SAML” specifically because we only test that implementation and expect there would likely be changes needed to work with others (having learned this from calling AD support “LDAP”…).

I am using WSO2IS (I have a dockerized version in my custom catalog: https://github.com/EduCaaS/catalog) as LDAP, and Shibboleth in another container with https://github.com/jtgasper3/docker-shibboleth-idp.
I have built the IdP XML metadata using https://www.samltool.com/idp_metadata.php and I get:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2017-01-11T12:51:25Z"
                     cacheDuration="PT1484571085S"
                     entityID="https://is.educaas.io/idp/shibboleth">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://is.educaas.io/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

But when testing the connection I get:

Web Login Service - Unsupported Request
The application you have accessed is not registered for use with this service

I am afraid I am not able to register Rancher as a service provider… or something…

The above error is due to your Shibboleth IdP not recognizing Rancher’s Shibboleth SP.

  1. You need to save the Rancher SP’s metadata file (this should be available at http://rancher_ip:rancher_port/v1-auth/saml/metadata) on your IdP and add an entry for it in /opt/shibboleth-idp/conf/metadata-providers.xml
    [https://wiki.shibboleth.net/confluence/display/IDP30/FilesystemMetadataProvider]

  2. You also need to release the SAML attributes to Rancher’s SP by changing
    /opt/shibboleth-idp/conf/attribute-filter.xml
    [https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration]
    Here you need to add another rule inside the <PolicyRequirementRule>:
    <Rule xsi:type="Requester" value="http://rancher_ip:rancher_port/v1-auth/saml/metadata" /> with rancher_ip and rancher_port replaced by your Rancher setup’s IP address and port.

  3. Restart Tomcat on your IdP.
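The three steps above hinge on one value: the entityID that Rancher's SP metadata declares, which must appear both in the metadata the IdP loads and in the Requester rule of the attribute filter, character for character. The script below is an added example, not code from the thread or from Rancher or Shibboleth; it parses an SP metadata document (the embedded sample is constructed with the thread's placeholder host and port, and its AssertionConsumerService path is an assumption), refuses IdP-only metadata such as the samltool output pasted earlier, and emits the IdP v3 fragments for metadata-providers.xml and attribute-filter.xml with that entityID filled in. The attribute IDs released (uid, mail, displayName) and the metadata file path are assumptions; use whatever your Rancher Shibboleth settings map.

```python
"""Derive Shibboleth IdP v3 config fragments from a service provider's metadata.

Added example for this thread, not code from Rancher or the Shibboleth project.
Run with: python sp_to_idp_config.py
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def tag(local):
    """Fully-qualified tag name in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


# Constructed sample of what an SP publishes; host/port are the thread's
# placeholders and the ACS path is an assumption, not a verified Rancher URL.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://rancher_ip:rancher_port/v1-auth/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://rancher_ip:rancher_port/v1-auth/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def is_sp_metadata(xml_text):
    """True only if the document is an EntityDescriptor carrying an SPSSODescriptor.

    IdP metadata (IDPSSODescriptor only) is a common mix-up: it is what an SP
    needs, not what the IdP needs to register the SP.
    """
    root = ET.fromstring(xml_text)
    return root.tag == tag("EntityDescriptor") and root.find(tag("SPSSODescriptor")) is not None


def parse_sp_metadata(xml_text):
    """Return (entityID, [AssertionConsumerService locations]) of an SP."""
    if not is_sp_metadata(xml_text):
        raise ValueError("document is not SP metadata (no SPSSODescriptor)")
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find(tag("SPSSODescriptor"))
    acs = [e.get("Location") for e in sp.findall(tag("AssertionConsumerService"))]
    return entity_id, acs


def metadata_provider_entry(provider_id, metadata_file):
    """FilesystemMetadataProvider element for metadata-providers.xml (IdP v3).

    Nest it inside the existing ChainingMetadataProvider; the file path is an
    assumption, place the saved SP metadata wherever you prefer.
    """
    return (f'<MetadataProvider id="{escape(provider_id)}" xsi:type="FilesystemMetadataProvider"\n'
            f'                  metadataFile="{escape(metadata_file)}"/>')


def attribute_filter_policy(policy_id, entity_id, attribute_ids):
    """AttributeFilterPolicy for attribute-filter.xml releasing attributes to one SP.

    The Requester rule is compared as a literal string against the entityID the
    SP sends, so it is generated from the parsed metadata rather than typed in.
    """
    value = escape(entity_id, {'"': "&quot;"})
    rules = "\n".join(
        f'    <AttributeRule attributeID="{escape(a)}">\n'
        f'        <PermitValueRule xsi:type="ANY"/>\n'
        f'    </AttributeRule>' for a in attribute_ids)
    return (f'<AttributeFilterPolicy id="{escape(policy_id)}">\n'
            f'    <PolicyRequirementRule xsi:type="Requester" value="{value}"/>\n'
            f'{rules}\n'
            f'</AttributeFilterPolicy>')


def requester_matches(filter_value, entity_id):
    """Exact-match check: scheme, port or trailing-slash drift means no release."""
    return filter_value == entity_id


def build_idp_fragments(sp_metadata_xml, metadata_file="%{idp.home}/metadata/rancher-sp.xml",
                        attribute_ids=("uid", "mail", "displayName")):
    """Produce both config fragments from SP metadata; attribute IDs are assumptions."""
    entity_id, _acs = parse_sp_metadata(sp_metadata_xml)
    return {
        "entityID": entity_id,
        "metadata-providers.xml": metadata_provider_entry("RancherSP", metadata_file),
        "attribute-filter.xml": attribute_filter_policy("releaseToRancher", entity_id, attribute_ids),
    }


if __name__ == "__main__":
    for name, fragment in build_idp_fragments(SAMPLE_SP_METADATA).items():
        print(f"--- {name} ---\n{fragment}\n")
```

Fetch the real metadata from your Rancher host instead of the embedded sample, save it to the path you put in metadataFile, paste the two fragments into the respective files and restart Tomcat; the entityID printed first is the value the thread keeps asking about.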

Still getting the same error. What is the URL I have to add into attribute-filter.xml?

You should put the entityID of the Rancher SP, which should be:
“http://rancher_ip:rancher_port/v1-auth/saml/metadata”

Looks like some stuff I wrote in the previous comment was not shown due to not using correct markdown. Please check again.

Yep, that was already the URL. Still unable to set it up…