Configuring Azure AD
If you have an instance of Active Directory (AD) hosted in Azure, you can configure Rancher to allow your users to log in using their AD accounts. Configuration of Azure AD external authentication requires you to make configurations in both Azure and Rancher.
Note: Azure AD integration only supports Service Provider initiated logins.
Prerequisite: Have an instance of Azure AD configured.
Note: Most of this procedure takes place from the Microsoft Azure Portal.
Azure Active Directory Configuration Outline
Configuring Rancher to allow your users to authenticate with their Azure AD accounts involves multiple procedures. Review the outline below before getting started.
Tip: Before you start, we recommend creating an empty text file. You can use this file to copy values from Azure that you’ll paste into Rancher later.
- 1. Register Rancher with Azure
- 2. Create a new client secret
- 3. Set Required Permissions for Rancher
- 4. Add a Reply URL
- 5. Copy Azure Application Data
- 6. Configure Azure AD in Rancher
1. Register Rancher with Azure
Before enabling Azure AD within Rancher, you must register Rancher with Azure.
Log in to Microsoft Azure as an administrative user. Configuration in future steps requires administrative access rights.
Use search to open the App registrations service.
Click New registrations and complete the Create form.
Enter a Name (something like
Rancher
).From Supported account types, select “Accounts in this organizational directory only (AzureADTest only - Single tenant)” This corresponds to the legacy app registration options.
In the Redirect URI section, make sure Web is selected from the dropdown and enter the URL of your Rancher Server in the text box next to the dropdown. This Rancher server URL should be appended with the verification path:
<MY_RANCHER_URL>/verify-auth-azure
.
Tip: You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security Authentication > Azure AD).
- Click Register.
Note: It can take up to five minutes for this change to take affect, so don’t be alarmed if you can’t authenticate immediately after Azure AD configuration.
2. Create a new client secret
From the Azure portal, create a client secret. Rancher will use this key to authenticate with Azure AD.
Use search to open App registrations services. Then open the entry for Rancher that you created in the last procedure.
From the navigation pane on left, click Certificates and Secrets.
Click New client secret.
Enter a Description (something like
Rancher
).Select duration for the key from the options under Expires. This drop-down sets the expiration date for the key. Shorter durations are more secure, but require you to create a new key after expiration.
Click Add (you don’t need to enter a value—it will automatically populate after you save).
Copy the key value and save it to an empty text file.
You’ll enter this key into the Rancher UI later as your Application Secret.
You won’t be able to access the key value again within the Azure UI.
3. Set Required Permissions for Rancher
Next, set API permissions for Rancher within Azure.
From the navigation pane on left, select API permissions.
Click Add a permission.
From the Azure Active Directory Graph, select the following Delegated Permissions:
- **Access the directory as the signed-in user**
- **Read directory data**
- **Read all groups**
- **Read all users’ full profiles**
- **Read all users’ basic profiles**
- **Sign in and read user profile**
Click Add permissions.
From API permissions, click Grant admin consent. Then click Yes.
Note: You must be signed in as an Azure administrator to successfully save your permission settings.
4. Add a Reply URL
To use Azure AD with Rancher you must whitelist Rancher with Azure. You can complete this whitelisting by providing Azure with a reply URL for Rancher, which is your Rancher Server URL followed with a verification path.
From the Setting blade, select Reply URLs.
From the Reply URLs blade, enter the URL of your Rancher Server, appended with the verification path:
<MY_RANCHER_URL>/verify-auth-azure
.Tip: You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security Authentication > Azure AD).
Click Save.
Result: Your reply URL is saved.
Note: It can take up to five minutes for this change to take affect, so don’t be alarmed if you can’t authenticate immediately after Azure AD configuration.
5. Copy Azure Application Data
As your final step in Azure, copy the data that you’ll use to configure Rancher for Azure AD authentication and paste it into an empty text file.
Obtain your Rancher Tenant ID.
Use search to open the Azure Active Directory service.
From the left navigation pane, open Overview.
Copy the Directory ID and paste it into your text file.
You’ll paste this value into Rancher as your Tenant ID.
Obtain your Rancher Application ID.
Use search to open App registrations.
Find the entry you created for Rancher.
Copy the Application ID and paste it to your text file.
Obtain your Rancher Graph Endpoint, Token Endpoint, and Auth Endpoint.
From App registrations, click Endpoints.
Copy the following endpoints to your clipboard and paste them into your text file (these values will be your Rancher endpoint values).
- Microsoft Graph API endpoint (Graph Endpoint)
- OAuth 2.0 token endpoint (v1) (Token Endpoint)
- OAuth 2.0 authorization endpoint (v1) (Auth Endpoint)
Note: Copy the v1 version of the endpoints
6. Configure Azure AD in Rancher
From the Rancher UI, enter information about your AD instance hosted in Azure to complete configuration.
Enter the values that you copied to your text file.
- Log into Rancher.
- In the top left corner, click ☰ > Users & Authentication.
- In the left navigation menu, click Auth Provider.
- Click AzureAD.
Complete the Configure Azure AD Account form using the information you copied while completing Copy Azure Application Data.
Important: When entering your Graph Endpoint, remove the tenant ID from the URL, like below.
https://graph.windows.net/abb5adde-bee8-4821-8b03-e63efdc7701c
The following table maps the values you copied in the Azure portal to the fields in Rancher.
Rancher Field Azure Value Tenant ID Directory ID Application ID Application ID Application Secret Key Value Endpoint https://login.microsoftonline.com/ Graph Endpoint Microsoft Azure AD Graph API Endpoint Token Endpoint OAuth 2.0 Token Endpoint Auth Endpoint OAuth 2.0 Authorization Endpoint Click Enable.
Result: Azure Active Directory authentication is configured.