Merge pull request #1591 from pratikjagrut/ISSUE-48146

btat · web-flow · commit 5491e66d8ab0 · 2025-02-04T15:21:16.000-08:00
Add troubleshooting note for group visibility issue in Assign Global Role
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
@@ -156,3 +156,20 @@ When you fill the **Configure a Keycloak OIDC account** form and click on **Enab
 ### Keycloak Error: "Invalid grant_type"
 
   * In some cases, this error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.
+
+### Unable to See Groups When Assigning Global Roles
+
+If you use a user that is not part of any groups for initial setup, then you cannot search for groups when trying to assign a global role. 
+To resolve this, you can either:
+
+1. Manually edit the `authconfig/keycloakoidc` object to enable group search.
+  
+    1. On the Rancher server:
+     ```bash
+     kubectl edit authconfigs.management.cattle.io keycloakoidc
+     ```
+    2. Set `groupSearchEnabled: true`.
+    3. Save your changes.
+ 
+2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.
+
diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
@@ -147,3 +147,19 @@ When you fill the **Configure a Keycloak OIDC account** form and click on **Enab
 ### Keycloak Error: "Invalid grant_type"
 
   * In some cases, this error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.
+
+### Unable to See Groups When Assigning Global Roles
+
+If you use a user that is not part of any groups for initial setup, then you cannot search for groups when trying to assign a global role. 
+To resolve this, you can either:
+
+1. Manually edit the `authconfig/keycloakoidc` object to enable group search.
+  
+    1. On the Rancher server:
+     ```bash
+     kubectl edit authconfigs.management.cattle.io keycloakoidc
+     ```
+    2. Set `groupSearchEnabled: true`.
+    3. Save your changes.
+ 
+2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.
diff --git a/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
@@ -156,3 +156,19 @@ When you fill the **Configure a Keycloak OIDC account** form and click on **Enab
 ### Keycloak Error: "Invalid grant_type"
 
   * In some cases, this error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.
+
+### Unable to See Groups When Assigning Global Roles
+
+If you use a user that is not part of any groups for initial setup, then you cannot search for groups when trying to assign a global role. 
+To resolve this, you can either:
+
+1. Manually edit the `authconfig/keycloakoidc` object to enable group search.
+  
+    1. On the Rancher server:
+     ```bash
+     kubectl edit authconfigs.management.cattle.io keycloakoidc
+     ```
+    2. Set `groupSearchEnabled: true`.
+    3. Save your changes.
+ 
+2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.
