2. Configuring SUSE® Rancher Prime for Microsoft AD FS

After you complete Configuring Microsoft AD FS for Rancher, enter your Active Directory Federation Service (AD FS) information into Rancher so that AD FS users can authenticate with Rancher.

Important Notes For Configuring Your ADFS Server:
  1. In the top left corner, click ☰ > Users & Authentication.

  2. In the left navigation menu, click Auth Provider.

  3. Click ADFS.

  4. Complete the Configure AD FS Account form. Microsoft AD FS lets you specify an existing Active Directory (AD) server. The Configuration section below describes how you can map AD attributes to fields within Rancher.

  5. After you complete the Configure AD FS Account form, click Enable.

    Rancher redirects you to the AD FS login page. Enter credentials that authenticate with Microsoft AD FS to validate your Rancher AD FS configuration.

    You may have to disable your popup blocker to see the AD FS login page.

Result: Rancher is configured to work with AD FS. Your users can now sign into Rancher using their AD FS logins.

Configuration

Each field in the Configure AD FS Account form, with its description:

Display Name Field
    The AD attribute that contains the display name of users.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

User Name Field
    The AD attribute that contains the user name/given name.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

UID Field
    An AD attribute that is unique to every user.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Groups Field
    The AD attribute used for managing group memberships.
    Example: http://schemas.xmlsoap.org/claims/Group

Rancher API Host
    The URL for your Rancher Server.

Private Key / Certificate
    A key/certificate pair that secures the SAML exchange between Rancher and your AD FS. Ensure you set the Common Name (CN) to your Rancher Server URL. See Example Certificate Creation Command below.

Metadata XML
    The federationmetadata.xml file exported from your AD FS server.
    You can find this file at https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml.

Example Certificate Creation Command

You can generate a certificate using an openssl command. For example:

openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
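Before pasting the federationmetadata.xml into the Metadata XML field, it is worth confirming that it actually carries what Rancher relies on: the IdP entityID, HTTPS SSO/SLO endpoints and a signing certificate (the Log Out behavior section described below only appears when the provider advertises SLO). The following checker is an added example, not Rancher code; the embedded metadata is a constructed sample with a placeholder host and certificate.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample of the IdP section of an AD FS federationmetadata.xml (placeholder host/cert).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out what Rancher depends on: entityID, SSO/SLO endpoints and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' is also for signing
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop the line wrapping AD FS emits
    def endpoints(tag):
        return [e.get("Location", "") for e in idp.findall(f"md:{tag}", NS)]
    return {"entity_id": root.get("entityID", ""), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "signing_certs": certs}

def check_metadata(info):
    """Return the problems to fix before pasting the file into Rancher's Metadata XML field."""
    problems = []
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    if not info["slo"]:
        problems.append("no SingleLogoutService endpoint: Rancher will not offer Log Out behavior options")
    for url in info["sso"] + info["slo"]:
        if not url.startswith("https://"):
            problems.append(f"endpoint is not HTTPS: {url}")
    if not info["signing_certs"]:
        problems.append("no signing certificate: Rancher cannot verify AD FS assertions")
    for cert in info["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("signing certificate is not valid base64")
    return problems
```

Run `check_metadata(parse_idp_metadata(open("federationmetadata.xml").read()))` against the file you downloaded; an empty list means the values Rancher needs are present.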

Configuring SAML Single Logout (SLO)

Rancher supports configuring SAML Single Logout (SLO). Options include logging out of the Rancher application only, logging out of Rancher and all registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI:

The Log Out behavior configuration section only appears if the SAML authentication provider allows for SAML SLO.

  1. Sign in to Rancher using a standard user or an administrator role to configure SAML SLO.

  2. In the top left corner, click ☰ > Users & Authentication.

  3. In the left navigation menu, click Auth Provider.

  4. Under the section Log Out behavior, choose the appropriate SLO setting as described below:

    Log out of Rancher and not authentication provider
        Logs out of the Rancher application only, not of the external authentication provider.

    Log out of Rancher and authentication provider (includes all other applications registered with authentication provider)
        Logs out of Rancher and the external authentication provider, along with any registered applications linked to the provider.

    Allow the user to choose one of the above in an additional log out step
        Presents users with a choice between the two logout methods described above.