Closed rca0 closed 5 years ago
I opened this issue because I have not found any solutions for SAML. If someone has a suggestion, I'd appreciate the help.
@rca0 SAML is supported (we use it), but it's configured in Dex (not dex-k8s-authenticator).
dex-k8s-authenticator doesn't require any knowledge of the authentication connector method (so you won't see a reference to it).
See
This would need to be configured in the Dex configmap.
@rca0
This looks to me like an issue related to dex testing the client-secret
```go
if client.Secret != clientSecret {
	s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
	return
}
```
Maybe check your client-secrets (see dex `staticClients.secret`); they should match `client_secret` in the dex-k8s-auth config.
@nabadger
Thanks for your quick reply!!!
Now I get it. Maybe my SAML settings could be wrong. I am using Okta to manage groups and users. I'll adjust my client-secrets.
Maybe I'm doing something wrong... I don't know if my settings are right. These are my SAML settings in Okta:
dex settings
```yaml
connectors:
- type: saml
  id: k8s-sandbox
  name: k8s-sandbox
  config:
    ssoURL: https://OKTA-LINK/sso/saml
    redirectURI: http://k8s-dex.domain:5556/callback
    usernameAttr: name
    emailAttr: email
    groupsAttr: groups
    caData: CADATA
staticClients:
- id: k8s-sandbox
  name: k8s-sandbox
  secret: CLIENT-SECRET
  redirectURIs:
  - http://k8s-login.domain:5555/callback/
```
I think these settings look OK (similar to ours, although we don't use Okta).
I still think the error you see is unrelated to SAML though, so hopefully if you validate the client-secrets it'll work :)
Something else that might cause issues here is the callback URL.
Example:
```yaml
staticClients:
- id: "dev1"
  name: "dev1"
  secret: my-secret
  redirectURIs:
  - https://dex-auth.mintel.com/callback/dev1
```
Note how the callback url has the suffix dev1
This also matches the cluster-name in the dex-k8s-auth configuration, such as:
```yaml
apiVersion: v1
data:
  config.yaml: |-
    clusters:
    - name: "dev1"
      description: "A Dev1 Kubernetes Cluster"
```
@nabadger
Thanks for all your help.
I found the problem: I had configured Dex without SSL settings. I found in the Kubernetes documentation that the OIDC plugin only accepts HTTPS requests; after setting up Dex with SSL, everything works well.
I am using Okta to log in with Dex.
With the Dex configuration, I got a successful login.
But using dex-k8s-authenticator I got this error:
My configuration:
I am reading the dex-k8s-authenticator code, but I have not found SAML support settings.
Does dex-k8s-authenticator support SAML settings?
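
The three causes raised in this thread (client secret mismatch, callback URL, non-HTTPS issuer) can be checked together before deploying. The following is an added example, not code from the thread or from either project. It assumes both configs are already parsed into dicts, that the dex-k8s-authenticator cluster entries carry `client_id`, `redirect_uri` and `issuer` next to `name` and `client_secret`, and that the callback path is `/callback/<cluster name>`; `check_pair` and all sample values are constructed.

```python
from urllib.parse import urlsplit

def check_pair(dex_cfg, auth_cfg):
    """Cross-check parsed Dex and dex-k8s-authenticator configs; return findings."""
    clients = {c["id"]: c for c in dex_cfg.get("staticClients", [])}
    findings = []
    for cluster in auth_cfg.get("clusters", []):
        name = cluster["name"]
        client = clients.get(cluster.get("client_id"))
        if client is None:
            findings.append((name, "no-static-client"))
            continue
        # A mismatch here is what makes Dex answer "Invalid client credentials."
        if client.get("secret") != cluster.get("client_secret"):
            findings.append((name, "secret-mismatch"))
        redirect = cluster.get("redirect_uri", "")
        # The redirect must appear in the static client's redirectURIs list.
        if redirect not in client.get("redirectURIs", []):
            findings.append((name, "redirect-not-registered"))
        # Assumption: the callback path is /callback/<cluster name>.
        if urlsplit(redirect).path.rstrip("/") != "/callback/" + name:
            findings.append((name, "callback-suffix"))
        # The Kubernetes OIDC plugin only accepts an HTTPS issuer.
        if urlsplit(cluster.get("issuer", "")).scheme != "https":
            findings.append((name, "issuer-not-https"))
    return findings

# Constructed sample data (dicts as they would look after YAML parsing).
DEX_BAD = {"staticClients": [{
    "id": "k8s-sandbox", "secret": "CLIENT-SECRET",
    "redirectURIs": ["http://k8s-login.example.com:5555/callback/"]}]}
AUTH_BAD = {"clusters": [{
    "name": "k8s-sandbox", "client_id": "k8s-sandbox",
    "client_secret": "OTHER-SECRET",
    "issuer": "http://k8s-dex.example.com:5556",
    "redirect_uri": "http://k8s-login.example.com:5555/callback/k8s-sandbox"}]}
DEX_OK = {"staticClients": [{
    "id": "dev1", "secret": "my-secret",
    "redirectURIs": ["https://k8s-login.example.com/callback/dev1"]}]}
AUTH_OK = {"clusters": [{
    "name": "dev1", "client_id": "dev1", "client_secret": "my-secret",
    "issuer": "https://k8s-dex.example.com",
    "redirect_uri": "https://k8s-login.example.com/callback/dev1"}]}

if __name__ == "__main__":
    for dex_cfg, auth_cfg in ((DEX_BAD, AUTH_BAD), (DEX_OK, AUTH_OK)):
        print(check_pair(dex_cfg, auth_cfg))
```

The findings report only the cluster name and a reason code, so the secrets themselves never reach the output.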