mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License

Does dex-k8s-authenticator support SAML settings? #100

Closed rca0 closed 5 years ago

rca0 commented 5 years ago

I am using Okta to login with DEX

[screenshot]

In the Dex configuration I got a successful login

[screenshot]

But using dex-k8s-authenticator I got this error:

[screenshot]

My configuration:

dexK8sAuthenticator:
  port: 5555
  debug: true
  web_path_prefix: /
  clusters:
  - name: XXXX
    short_description: "XXXX"
    description: "XXXX"
    issuer: http://k8s-dex.domain:5556/
    k8s_master_uri: https://api.k8s.domain
    client_id: XXXX
    client_secret: secret
    redirect_uri: http://k8s-login.domain:5555/callback/
    k8s_ca_pem: XYZ

service:
  annotations:
    dns.alpha.kubernetes.io/internal: "k8s-login.domain"
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
  type: ClusterIP
  port: 5555

I am reading the dex-k8s-authenticator code, but I have not found any SAML support settings.

Does dex-k8s-authenticator support SAML settings?

rca0 commented 5 years ago

I opened this issue because I have not found any solution for SAML; if someone has a suggestion, I would appreciate the help.

nabadger commented 5 years ago

@rca0 SAML is supported (we use it), but it's configured in Dex (not dex-k8s-authenticator).

dex-k8s-authenticator doesn't require any knowledge of the authentication connector method (so you won't see a reference to it).

See

This would need to be configured in the Dex configmap.

nabadger commented 5 years ago

@rca0

This looks to me like an issue related to Dex testing the client secret:

if client.Secret != clientSecret {
        s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
        return
}

Maybe check your client secrets: the Dex staticClients.secret should match client_secret in the dex-k8s-authenticator config.

rca0 commented 5 years ago

@nabadger

Thanks for your quick reply!!!

Now I get it; maybe my SAML settings could be wrong. I am using Okta to manage groups and users, so I'll adjust my client secrets.

Maybe I'm doing something wrong... I don't know if my settings are right. These are my SAML settings in Okta:

[screenshot] [screenshot]

Dex settings:

  connectors:
  - type: saml
    id: k8s-sandbox
    name: k8s-sandbox
    config:
      ssoURL: https://OKTA-LINK/sso/saml
      redirectURI: http://k8s-dex.domain:5556/callback
      usernameAttr: name
      emailAttr: email
      groupsAttr: groups
      caData: CADATA

  staticClients:
  - id: k8s-sandbox
    name: k8s-sandbox
    secret: CLIENT-SECRET
    redirectURIs:
      - http://k8s-login.domain:5555/callback/

nabadger commented 5 years ago

I think these settings look OK (similar to ours, although we don't use Okta).

I still think the error you see is unrelated to SAML, though, so hopefully once you validate the client secrets it'll work :)


Something else that might be causing issues here is the callback URL.

Example:

staticClients:
- id: "dev1"
  name: "dev1"
  secret: my-secret
  redirectURIs:
  - https://dex-auth.mintel.com/callback/dev1

Note how the callback URL has the suffix dev1.

This also matches the cluster name in the dex-k8s-authenticator configuration, such as:

apiVersion: v1
data:
  config.yaml: |-
    clusters:
      - name: "dev1"
        description: "A Dev1 Kubernetes Cluster"

rca0 commented 5 years ago

@nabadger

Thanks for all your help.

I found the problem: I had configured Dex without SSL settings. I found in the Kubernetes documentation that the OIDC plugin only accepts HTTPS requests; after setting up Dex with SSL, everything works.

[screenshot]
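The three misconfigurations that surface in this thread (a client secret that differs between the Dex staticClient and the dex-k8s-authenticator cluster entry, a callback URL that does not carry the cluster-name suffix nabadger shows, and a non-HTTPS issuer that the kube-apiserver OIDC plugin refuses) can all be caught before deploying. The checker below is an added example written for this page, not code from the dex-k8s-authenticator project or from any poster. It takes the two configs as already-parsed Python dictionaries (the sample dictionaries are constructed here and mirror the YAML shown in the thread; a real deployment would load them from the Dex configmap and the dex-k8s-authenticator config.yaml), and it treats the callback suffix rule as the convention nabadger describes rather than as something the page proves is mandatory.

```python
"""Cross-check dex-k8s-authenticator cluster entries against Dex staticClients.

Added example for this thread (not project code). Input is assumed to be the
two configs already parsed into dicts, e.g. via yaml.safe_load on the Dex
configmap and on dex-k8s-authenticator's config.yaml.
"""
from urllib.parse import urlparse


def check_cluster_pairing(cluster, static_clients, require_https_issuer=True):
    """Return a list of human-readable problems for one cluster entry.

    `cluster` is one item of dex-k8s-authenticator's `clusters` list;
    `static_clients` is Dex's `staticClients` list. An empty list means the
    pairing is consistent with everything this thread pointed at.
    """
    problems = []

    # 1. client_id must name an existing Dex staticClient.
    client = next((c for c in static_clients if c.get("id") == cluster["client_id"]), None)
    if client is None:
        problems.append(f"no Dex staticClient has id {cluster['client_id']!r} (client_id)")
        return problems  # nothing else can be compared

    # 2. Secrets must be identical; Dex's token handler compares them and answers
    #    "Invalid client credentials." (HTTP 401) when they differ.
    if client.get("secret") != cluster["client_secret"]:
        problems.append("client_secret differs from Dex staticClients.secret "
                        "(Dex rejects the token request with 'Invalid client credentials.')")

    # 3. The exact redirect_uri must be registered on the staticClient.
    redirect = cluster["redirect_uri"]
    if redirect not in client.get("redirectURIs", []):
        problems.append(f"redirect_uri {redirect!r} is not in the staticClient's redirectURIs")

    # 4. Convention from the thread: the callback path ends with the cluster name
    #    (.../callback/<cluster-name>), so Dex can tell clusters apart.
    last_segment = urlparse(redirect).path.rstrip("/").rsplit("/", 1)[-1]
    if last_segment != cluster["name"]:
        problems.append(f"callback path ends with {last_segment!r}, "
                        f"expected the cluster name {cluster['name']!r}")

    # 5. kube-apiserver's --oidc-issuer-url only accepts an https issuer.
    if require_https_issuer and urlparse(cluster["issuer"]).scheme != "https":
        problems.append(f"issuer {cluster['issuer']!r} is not https; "
                        "the kube-apiserver OIDC plugin only accepts an https issuer")
    return problems


def check_config(dka_config, dex_config):
    """Map every cluster name in the dex-k8s-authenticator config to its problems."""
    static_clients = dex_config.get("staticClients", [])
    return {c["name"]: check_cluster_pairing(c, static_clients) for c in dka_config["clusters"]}


# --- constructed samples, modelled on the configs posted in the thread ---------
BROKEN_DKA = {"clusters": [{
    "name": "k8s-sandbox",
    "issuer": "http://k8s-dex.domain:5556/",          # http, not https
    "k8s_master_uri": "https://api.k8s.domain",
    "client_id": "k8s-sandbox",
    "client_secret": "wrong-secret",                  # does not match Dex
    "redirect_uri": "http://k8s-login.domain:5555/callback/",  # no cluster suffix
}]}
BROKEN_DEX = {"staticClients": [{
    "id": "k8s-sandbox", "name": "k8s-sandbox", "secret": "CLIENT-SECRET",
    "redirectURIs": ["http://k8s-login.domain:5555/callback/"],
}]}

FIXED_DKA = {"clusters": [{
    "name": "k8s-sandbox",
    "issuer": "https://k8s-dex.domain:5556/",
    "k8s_master_uri": "https://api.k8s.domain",
    "client_id": "k8s-sandbox",
    "client_secret": "CLIENT-SECRET",
    "redirect_uri": "https://k8s-login.domain:5555/callback/k8s-sandbox",
}]}
FIXED_DEX = {"staticClients": [{
    "id": "k8s-sandbox", "name": "k8s-sandbox", "secret": "CLIENT-SECRET",
    "redirectURIs": ["https://k8s-login.domain:5555/callback/k8s-sandbox"],
}]}

if __name__ == "__main__":
    for label, dka, dex in (("broken", BROKEN_DKA, BROKEN_DEX), ("fixed", FIXED_DKA, FIXED_DEX)):
        for name, problems in check_config(dka, dex).items():
            print(f"[{label}] cluster {name}: {'OK' if not problems else ''}")
            for p in problems:
                print("   -", p)
```

Running the script prints three findings for the "broken" pair (secret mismatch, missing cluster suffix, http issuer) and "OK" for the "fixed" pair. Note that the check only compares what the two files say about each other; it cannot see the SAML connector side, which, as nabadger says, lives entirely in Dex's `connectors` block and is invisible to dex-k8s-authenticator.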