This document was translated using automated machine translation. While we strive to provide accurate translations, we make no guarantee as to the completeness, accuracy, or reliability of the translated content. In case of any inconsistency, the original English version prevails and is the authoritative text.

Configure Amazon Cognito

If your organization uses Amazon Cognito for user authentication, you can configure Rancher to allow sign-in with Amazon Cognito credentials. The following instructions describe how to configure Rancher to work with Amazon Cognito:

Prerequisites

  • In Rancher:

    • Amazon Cognito is disabled.

  • In Amazon Cognito:

    • Create a new user pool or use an existing one.

      Refer to the Amazon Cognito documentation to configure user pools.

    • In the App client settings, set the redirect URL to https://yourRancherHostURL/verify-auth. Replace yourRancherHostURL with the actual hostname of your Rancher instance (for example, https://rancher.example.com/verify-auth).

Configure Amazon Cognito in Rancher

  1. In the top left corner of the Rancher UI, click ☰ > Users & Authentication.

  2. In the left navigation bar, click Auth Provider.

  3. Select Amazon Cognito.

  4. Fill out the Configure Amazon Cognito Account form. For help filling out the form, see the Configuration Reference.

  5. Click Enable.

    Rancher redirects you to the Amazon Cognito login page. Enter your Amazon Cognito credentials to verify your Rancher configuration.

    You may need to disable your pop-up blocker to see the Amazon Cognito login page.

Result: Rancher is configured to work with your Amazon Cognito user pool using the OIDC protocol. Your users can now sign in to Rancher with their Amazon Cognito credentials.

Amazon Cognito does not support user and group search. When assigning permissions to a project or cluster, if the user has not yet signed in to Rancher, you must manually enter the user ID generated by Cognito. If the user has signed in before, you can assign permissions using their username or email address instead.

Configuration Reference

Client ID

  The client ID of your Amazon Cognito app client.

Client Secret

  The client secret generated for your Amazon Cognito app client.

Issuer

  The issuer URL of your Amazon Cognito app client. It follows the format `https://cognito-idp.{region}.amazonaws.com/{userPoolId}` and can be found on the App client settings page. Rancher uses the issuer URL to discover all of the other URLs it needs.

OIDC support for the PKCE extension

Rancher supports the Proof Key for Code Exchange (PKCE) extension (RFC 7636) for OIDC authentication providers. SHA-256 (S256) is the only supported PKCE verification method. To enable this feature, your authentication provider must use PKCE with S256 for authorization requests.

You can enable this feature by selecting Enable PKCE (S256) in your authentication provider configuration in Rancher. Enabling S256 PKCE token verification allows you to mitigate authorization code interception attacks during OIDC authentication flows.
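To make concrete what the S256 setting commits both sides to, here is an added illustration (not Rancher's code and not from the original page) of the RFC 7636 verifier and challenge computation and the check a token endpoint performs on them. The test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is the one published in RFC 7636 Appendix B; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier alphabet and length limits from RFC 7636 section 4.1.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier (32 random bytes -> 43 chars)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: does the presented verifier match the
    challenge that was bound to the authorization code?

    Only S256 is accepted, mirroring the page's statement that S256 is the only
    supported method; 'plain' and unknown methods fail, as does a malformed verifier.
    """
    if stored_method != "S256":
        return False
    try:
        expected = s256_challenge(presented_verifier)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak the challenge bytes.
    return hmac.compare_digest(expected, stored_challenge)
```

Whoever only captures the authorization code in transit never sees the verifier, so the token exchange fails at `verify_pkce`; this is the interception mitigation the paragraph refers to.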

Troubleshooting

You are not redirected to your authentication provider.

If you fill out the Configure Amazon Cognito Account form and click Enable but are not redirected to Amazon Cognito, verify your Amazon Cognito configuration.

Configure OIDC Single Logout (SLO)

Rancher supports configuring OIDC Single Logout (SLO). The options are: log out of the Rancher application only; log out of Rancher and of every application registered with the external authentication provider; or prompt the user to choose between those two at logout time.

Prerequisites

Before configuring OIDC SLO, ensure the following is set up on your IdP:

  • SLO Support: The Log Out behavior configuration section only appears if your OIDC IdP allows for OIDC SLO.

  • Post-Logout Redirect URI: Your Rancher Server URL must be configured as an authorized post-logout redirect URI in your IdP’s OIDC client settings. This URL is used by the IdP to redirect a user back to Rancher after a successful external logout.

OIDC SLO Configuration

Configure the SLO settings when setting up or editing your OIDC authentication provider.

  1. Sign in to Rancher using a standard user or an administrator role.

  2. In the top left corner, select ☰ > Users & Authentication.

  3. In the left navigation menu, select Auth Provider.

  4. Under the section Log Out behavior, choose the appropriate SLO setting as described below:

    Log out of Rancher and not authentication provider

      This option logs you out of the Rancher application only, not of the external authentication provider.

    Log out of Rancher and authentication provider (includes all other applications registered with authentication provider)

      This option logs you out of Rancher and of the external authentication provider, along with any registered applications linked to that provider.

    Allow the user to choose one of the above in an additional log out step

      This option presents users with a choice between the two logout methods described above.

  5. If you choose to log out of your IdP, provide an End Session Endpoint. Rancher uses this URL to initiate the external logout.

How to get the End Session Endpoint

The end_session_endpoint is one of the URLs published in the IdP's discovery document, a standardized JSON object containing the IdP's metadata that is served at the OIDC Discovery URL. To get the end_session_endpoint from the OIDC Discovery URL, follow these steps:

  1. Obtain the Discovery URL by appending the well-known path (.well-known/openid-configuration) to the IdP Issuer URL.

  2. Send an HTTP GET request to the Discovery URL.

  3. In the JSON object, look for the key named end_session_endpoint and retrieve the URL.

    You can also use a curl command to retrieve end_session_endpoint:

    curl -s <ISSUER_URL>/.well-known/openid-configuration | jq '.end_session_endpoint'