1. Configuring Microsoft AD FS for SUSE® Rancher Prime

Log into your AD server as an administrative user.

Open the AD FS Management console. Select Add Relying Party Trust... from the Actions menu and click Start.

Select Enter data about the relying party manually as the option for obtaining data about the relying party.

Enter your desired Display name for your Relying Party Trust. For example, Rancher.

Select AD FS profile as the configuration profile for your relying party trust.

Leave the optional token encryption certificate empty, as Rancher AD FS will not be using one.

Select Enable support for the SAML 2.0 WebSSO protocol and enter https://<rancher-server>/v1-saml/adfs/saml/acs for the service URL.

Add https://<rancher-server>/v1-saml/adfs/saml/metadata as the Relying party trust identifier.

This tutorial will not cover multi-factor authentication; please refer to the Microsoft documentation if you would like to configure multi-factor authentication.

From Choose Issuance Authorization RUles, you may select either of the options available according to use case. However, for the purposes of this guide, select Permit all users to access this relying party.

After reviewing your settings, select Next to add the relying party trust.

Select Open the Edit Claim Rules... and click Close.

On the Issuance Transform Rules tab, click Add Rule....

Select Send LDAP Attributes as Claims as the Claim rule template.

Set the Claim rule name to your desired name (for example, Rancher Attributes) and select Active Directory as the Attribute store. Create the following mapping to reflect the table below:

Download the federationmetadata.xml from your AD server at:

https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml