1. Configuring Microsoft AD FS for SUSE® Rancher Prime

Before you configure Rancher to support Active Directory Federation Service (AD FS), you must add Rancher as a relying party trust in AD FS.

  1. Log in to your AD FS server as an administrative user.

  2. Open the AD FS Management console. Select Add Relying Party Trust... from the Actions menu and click Start.

  3. Select Enter data about the relying party manually as the option for obtaining data about the relying party.

  4. Enter your desired Display name for your Relying Party Trust. For example, Rancher.

  5. Select AD FS profile as the configuration profile for your relying party trust.

  6. Leave the optional token encryption certificate empty; Rancher does not use SAML assertion encryption for AD FS. Assertions are still signed with the AD FS token-signing certificate, which Rancher obtains from the federation metadata you download in the last step.

  7. Select Enable support for the SAML 2.0 WebSSO protocol and enter https://<rancher-server>/v1-saml/adfs/saml/acs for the service URL.

  8. Add https://<rancher-server>/v1-saml/adfs/saml/metadata as the Relying party trust identifier.

  9. This tutorial does not cover multi-factor authentication. Refer to the Microsoft documentation if you want to require it for this relying party.

  10. Under Choose Issuance Authorization Rules, select the option that fits your use case. For the purposes of this guide, select Permit all users to access this relying party. Note that this lets every account AD FS can authenticate reach the Rancher login; in production, consider an authorization rule that limits access to a specific AD group.

  11. After reviewing your settings, select Next to add the relying party trust.

  12. Leave Open the Edit Claim Rules dialog for this relying party trust when the wizard closes selected and click Close.

  13. On the Issuance Transform Rules tab, click Add Rule....

  14. Select Send LDAP Attributes as Claims as the Claim rule template.

  15. Set the Claim rule name to your desired name (for example, Rancher Attributes) and select Active Directory as the Attribute store. Add the following mappings from LDAP attribute to outgoing claim type:

    | LDAP Attribute                               | Outgoing Claim Type |
    | -------------------------------------------- | ------------------- |
    | Given-Name                                   | Given Name          |
    | User-Principal-Name                          | UPN                 |
    | Token-Groups - Qualified by Long Domain Name | Group               |
    | SAM-Account-Name                             | Name                |

  16. Download federationmetadata.xml from your AD FS server. It contains the AD FS entity ID, endpoints and token-signing certificate that Rancher needs:

    https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml
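
The same relying party trust can be created from PowerShell on the AD FS server instead of clicking through the wizard, which is useful for reproducible or automated deployments. The script below is an added example written for this page, not part of the Rancher or Microsoft documentation. It uses the AD FS module cmdlets (`New-AdfsSamlEndpoint`, `Add-AdfsRelyingPartyTrust`, `Get-AdfsRelyingPartyTrust`) and expresses the wizard's "Send LDAP Attributes as Claims" and "Permit all users" choices in claim rule language. The hostnames `rancher.example.com` and `adfs.example.com` are assumptions; replace them with your own.

```powershell
# Added example: scripted equivalent of the AD FS console steps above.
# Run in an elevated PowerShell session on the AD FS server.
# Hostnames below are assumptions; substitute your own values.
$RancherServer = "rancher.example.com"   # your <rancher-server>
$AdfsServer    = "adfs.example.com"      # your <AD_SERVER>

Import-Module ADFS

$AcsUrl     = "https://$RancherServer/v1-saml/adfs/saml/acs"
$Identifier = "https://$RancherServer/v1-saml/adfs/saml/metadata"

# Step 7: SAML 2.0 WebSSO assertion consumer service endpoint (HTTP-POST binding).
$AcsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $AcsUrl -Index 0

# Steps 13-15: "Send LDAP Attributes as Claims" rule. The LDAP attributes and
# outgoing claim types correspond one-to-one to the table above.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Rancher Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";givenName,userPrincipalName,tokenGroups(longDomainQualifiedName),sAMAccountName;{0}",
          param = c.Value);
'@

# Step 10: "Permit all users to access this relying party". Replace with a
# group-scoped rule if only part of the directory should reach Rancher.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 3-11: create the trust. No encryption certificate is set (step 6), so
# assertions are signed but not encrypted.
Add-AdfsRelyingPartyTrust -Name "Rancher" `
    -Identifier $Identifier `
    -SamlEndpoint $AcsEndpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check what AD FS actually recorded before moving on to the Rancher side.
Get-AdfsRelyingPartyTrust -Name "Rancher" |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate

# Step 16: fetch the federation metadata (entity ID, endpoints, token-signing cert).
Invoke-WebRequest -Uri "https://$AdfsServer/federationmetadata/2007-06/federationmetadata.xml" `
    -OutFile ".\federationmetadata.xml"
```

On AD FS 2016 and later the console replaces the issuance authorization rules page with access control policies; the built-in "Permit everyone" policy, passed as `-AccessControlPolicyName "Permit everyone"` instead of `-IssuanceAuthorizationRules`, is the equivalent of the choice made in step 10.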

Result: You've added Rancher as a relying party trust in AD FS. Now you can configure Rancher to use AD FS for authentication.