1. Configuring Microsoft AD FS for SUSE® Rancher Manager
Before you configure Rancher to support Active Directory Federation Service (AD FS), you must add Rancher as a relying party trust in AD FS.
-
Log into your AD server as an administrative user.
-
Open the AD FS Management console. Select Add Relying Party Trust... from the Actions menu and click Start.
-
Select Enter data about the relying party manually as the option for obtaining data about the relying party.
-
Enter your desired Display name for your Relying Party Trust. For example,
Rancher
. -
Select AD FS profile as the configuration profile for your relying party trust.
-
Leave the optional token encryption certificate empty, as Rancher AD FS will not be using one.
-
Select Enable support for the SAML 2.0 WebSSO protocol and enter
https://<rancher-server>/v1-saml/adfs/saml/acs
for the service URL. -
Add
https://<rancher-server>/v1-saml/adfs/saml/metadata
as the Relying party trust identifier. -
This tutorial will not cover multi-factor authentication; please refer to the Microsoft documentation if you would like to configure multi-factor authentication.
-
From Choose Issuance Authorization RUles, you may select either of the options available according to use case. However, for the purposes of this guide, select Permit all users to access this relying party.
-
After reviewing your settings, select Next to add the relying party trust.
-
Select Open the Edit Claim Rules... and click Close.
-
On the Issuance Transform Rules tab, click Add Rule....
-
Select Send LDAP Attributes as Claims as the Claim rule template.
-
Set the Claim rule name to your desired name (for example,
Rancher Attributes
) and select Active Directory as the Attribute store. Create the following mapping to reflect the table below:| LDAP Attribute | Outgoing Claim Type | | ------------------------------ | ------------- | | Given-Name | Given Name | | User-Principal-Name | UPN | | Token-Groups - Qualified by Long Domain Name | Group | | SAM-Account-Name | Name |
-
Download the
federationmetadata.xml
from your AD server at:https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml
Result: You’ve added Rancher as a relying trust party. Now you can configure Rancher to leverage AD.