Configuring Keycloak with Rancher to Enable Client Signature & Encryption Assertion
Article Number: 000022332
Environment
Rancher v2.x
Keycloak v25+
Situation
Attempting to harden a Rancher environment's SAML authentication by enabling Client Signature Required and Encrypt Assertions on the Keycloak client (Keycloak v25+) results in users being unable to complete the authentication process. Specifically, the login fails at the point where Rancher has to process the EncryptedAssertion.
When the Authentication Provider is tested in the Rancher UI, the user is correctly redirected to the Keycloak login page. After logging in, however, authentication fails and Rancher displays "Logging in failed: Your account may not be authorized to log in.", as shown in the screenshot below.
Cause
Keycloak 25 and later defaults to modern XML Encryption algorithms (AES-GCM for the assertion and SHA-256 as the RSA-OAEP digest). The SAML library Rancher currently uses supports only the older, more widely implemented algorithms for decryption. Unless the Keycloak client is adjusted manually, Rancher cannot decrypt the EncryptedAssertion, which surfaces as a 401 or 403 error or as a login loop. Rancher GitHub Issue #50666 is tracking a change to this Rancher behaviour.
Resolution
1. Generate the Certificate Pair
Rancher requires a matching X.509 certificate and private key. Use OpenSSL to generate a self-signed pair. Note that -nodes writes the private key unencrypted: restrict its file permissions and treat it as a secret, as its contents are pasted into Rancher in step 3.
openssl req -x509 -newkey rsa:4096 -keyout rancher_auth.key -out rancher_auth.cert -days 3650 -nodes -subj "/CN=rancher-saml"
2. Keycloak Client Configuration
In the Keycloak Admin Console, navigate to Clients > [Your Rancher Client] and apply the following settings:
Keys Tab:
- Client Signature Required: ON
- Encrypt Assertions: ON
- Certificate: Import rancher_auth.cert into both the Signing and Encryption configuration boxes.
Settings Tab: (Signature and Encryption Section)
To avoid the "Algorithm not implemented" error from Rancher's xmlsec library, set exactly these values:
- Encryption Algorithm: AES_128_CBC (Note: AES-GCM is not supported by Rancher SAML)
- Key Transport Algorithm: RSA-OAEP-MGF1P
- Digest method for RSA-OAEP: SHA-1
- Mask generation function: mgf1sha1
- Force Name ID Format: ON (unspecified)
These are legacy algorithm choices required only by Rancher's current SAML library; revisit them once the tracked Rancher issue is resolved.
3. Rancher Authentication Configuration
In the Rancher UI (Authentication > Keycloak SAML), ensure the following fields are mapped correctly:
- Entity ID Field: must match the Keycloak Client ID
- Private Key: paste the contents of rancher_auth.key
- Certificate: paste the contents of rancher_auth.cert
- User Name Field: username
- Groups Field: groups
- Metadata XML: use the IdP Metadata exported from Keycloak (Realm Settings > Endpoints)