2. Configuring Rancher for Microsoft AD FS
After you complete Configuring Microsoft AD FS for Rancher, enter your Active Directory Federation Service (AD FS) information into Rancher so that AD FS users can authenticate with Rancher.
- The SAML 2.0 WebSSO Protocol Service URL is:
https://<RANCHER_SERVER>/v1-saml/adfs/saml/acs - The Relying Party Trust identifier URL is:
https://<RANCHER_SERVER>/v1-saml/adfs/saml/metadata - You must export the
federationmetadata.xmlfile from your AD FS server. This can be found at:https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml
In the top left corner, click ☰ > Users & Authentication.
In the left navigation menu, click Auth Provider.
Click ADFS.
Complete the Configure AD FS Account form. Microsoft AD FS lets you specify an existing Active Directory (AD) server. The configuration section below describe how you can map AD attributes to fields within Rancher.
After you complete the Configure AD FS Account form, click Enable.
Rancher redirects you to the AD FS login page. Enter credentials that authenticate with Microsoft AD FS to validate your Rancher AD FS configuration.
noteYou may have to disable your popup blocker to see the AD FS login page.
Result: Rancher is configured to work with MS FS. Your users can now sign into Rancher using their MS FS logins.
Configuration
| Field | Description |
|---|---|
| Display Name Field | The AD attribute that contains the display name of users. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| User Name Field | The AD attribute that contains the user name/given name. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| UID Field | An AD attribute that is unique to every user. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
| Groups Field | Make entries for managing group memberships. Example: http://schemas.xmlsoap.org/claims/Group |
| Rancher API Host | The URL for your Rancher Server. |
| Private Key / Certificate | This is a key-certificate pair to create a secure shell between Rancher and your AD FS. Ensure you set the Common Name (CN) to your Rancher Server URL. Certificate creation command |
| Metadata XML | The federationmetadata.xml file exported from your AD FS server. You can find this file at https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml. |
Example Certificate Creation Command
You can generate a certificate using an openssl command. For example:
openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
Configuring SAML Single Logout (SLO)
Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI:
The Log Out behavior configuration section only appears if the SAML authentication provider allows for SAML SLO.
Sign in to Rancher using a standard user or an administrator role to configure SAML SLO.
In the top left corner, click ☰ > Users & Authentication.
In the left navigation menu, click Auth Provider.
Under the section Log Out behavior, choose the appropriate SLO setting as described below:
Setting Description Log out of Rancher and not authentication provider Choosing this option will only logout the Rancher application and not external authentication providers. Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. Allow the user to choose one of the above in an additional log out step Choosing this option presents users with a choice of logout method as described above.