RFE: Allow users to authenticate with more than one Identity Provider.

[mak3r]

Feature Request Please add the ability to allow users to authenticate with more than one Identity Provider. Also please consider adding the ability to authenticate with multiple identity providers of different types. For example allow a user to select authentication via Azure AD or Github or an LDAP provider or a SAML provider.

Environment information Any modern Rancher version >= 2.x

[vincent99]

You can already go to the API and turn them all on today and the login page will work; this is disabled in the UI because the problems aren't in authenticating, but in if and how they work together once enabled:

• Associating & disassociating multiple provider identities to a single rancher user

• Merging and splitting accounts when someone gets the association wrong, and reassigning ownership of the resources they created

• The ability to read information about an identity/search for people in provider 1 while logged in via provider 2 varies by provider

• Unclear behaviors, like if you have 2 providers associated to a single account, one provider is in restricted mode and doesn't include you and the other does. Should you be able to login with neither, one, or both?

• Varying definitions of "multiple". Can there be more than one config for a single provider, e.g. "Coke" and "Pepsi" in one Rancher install and they can each tie in their own AD server? That is an additional entire layer of complexity to add "Domains" or "Organizations" as a new top-level resource that owns most of what used to be global.

[nickvth]

multiple AD would be nice

[asemen2608]

Some customers would like to know on which Rancher version this RFE multiple AD could be implemented?

[steffeneichler]

We need that feature too. We have two AD domains with a trust between these. The possibility to enable both would be great.

[derska]

Truly needed!!

[asemen2608]

Could it be added to Rancher v2.5.3?

gz#13125

[steffeneichler]

2.5.3 would be great.

Von: Andrej Semen notifications@github.com Gesendet: Mittwoch, 11. November 2020 10:57 An: rancher/rancher rancher@noreply.github.com Cc: Eichler, Steffen ; Comment comment@noreply.github.com Betreff: Re: [rancher/rancher] RFE: Allow users to authenticate with more than one Identity Provider. (#17514)

Could it be added to Rancher v2.5.3?

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/rancher/rancher/issues/17514#issuecomment-725325685, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ANYK7WFH2BVLF6TBS4KVKE3SPJNXNANCNFSM4GRTP2MA.

[anjuls]

We have a usecase to have multiple Authentication mechanism, is it possible to provide the documentation on how to enable it via the API? @vincent99

[vincent99]

Go to /v3/authConfigs to see the configs, you just PUT to update the appropriate /v3/authConfigs/{id} with the config you want (including enabled: true). You cannot have more than one of the type (e.g. two ActiveDirectories).

In 2.6+ you can also go to the UI and change the URL to /dashboard/c/local/auth/config/the_auth_provider_you_want and I think it will let you setup a 2nd one even though the UI would normally just show you the one that's already on.

This is not a tested or support (commercially or otherwise) configuration and we will probably not fix any bugs you find related to having multiple on at the same time.

[Martin-Weiss]

Are there any plans to support multiple identity providers from the same type? We have to connect multiple active directory forests / domains.

[vincent99]

We have no plans to support multiple of any kind that I know of. The ability to do multiple of the same kind would be an additional set of problems and changes beyond that, on the backend and frontend.