Configure PingIdentity (SAML)

If your organization uses Ping Identity Provider (IdP) for user authentication, you can configure Rancher to allow your users to log in using their IdP credentials.

Prerequisites:

  • You must have a Ping IdP Server configured.
  • Following are the Rancher Service Provider URLs needed for configuration:
    Metadata URL: https://<rancher-server>/v1-saml/ping/saml/metadata
    Assertion Consumer Service (ACS) URL: https://<rancher-server>/v1-saml/ping/saml/acs
    Note that these URLs will not return valid data until the authentication configuration is saved in Rancher.
  • Export a metadata.xml file from your IdP Server. For more information, see the PingIdentity documentation.

  1. In the top left corner, click ☰ > Users & Authentication.

  2. In the left navigation menu, click Auth Provider.

  3. Click Ping Identity.

  4. Complete the Configure a Ping Account form. Ping IdP lets you specify which data store you want to use: you can either add a database or use an existing LDAP server. For example, if you select your Active Directory (AD) server, the fields below describe how to map AD attributes to fields within Rancher.

    1. Display Name Field: Enter the AD attribute that contains the display name of users (example: displayName).

    2. User Name Field: Enter the AD attribute that contains the user name/given name (example: givenName).

    3. UID Field: Enter an AD attribute that is unique to every user (example: sAMAccountName, distinguishedName).

    4. Groups Field: Make entries for managing group memberships (example: memberOf).

    5. Entity ID Field (optional): The published, protocol-dependent, unique identifier of your partner. This ID defines your organization as the entity operating the server for SAML 2.0 transactions. This ID may have been obtained out-of-band or via a SAML metadata file.

    6. Rancher API Host: Enter the URL for your Rancher Server.

    7. Private Key and Certificate: A key and certificate pair used to establish a secure channel between Rancher and your IdP.

      You can generate one using an openssl command. For example:

      openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"

    8. IDP-metadata: The metadata.xml file that you exported from your IdP server.

  5. After you complete the Configure Ping Account form, click Enable.

    Rancher redirects you to the IdP login page. Enter credentials that authenticate with Ping IdP to validate your Rancher PingIdentity configuration.

    Note: You may have to disable your popup blocker to see the IdP login page.

Result: Rancher is configured to work with PingIdentity. Your users can now sign into Rancher using their PingIdentity logins.

SAML Provider Caveats:

  • The SAML protocol does not support search or lookup for users or groups. Therefore, there is no validation of users or groups when adding them to Rancher.
  • When adding users, the exact user ID (i.e., the value of the UID Field) must be entered correctly. As you type the user ID, there is no search for other user IDs that may match.
  • When adding groups, you must select the group from the drop-down next to the text box. Rancher assumes that any input typed into the text box is a user.
  • The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of.

Configuring SAML Single Logout (SLO)

Rancher supports configuring SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and all registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous two options. The steps below outline configuration from the application GUI:

Note: The Log Out behavior configuration section only appears if the SAML authentication provider allows for SAML SLO.

  1. Sign in to Rancher using a standard user or an administrator role to configure SAML SLO.

  2. In the top left corner, click ☰ > Users & Authentication.

  3. In the left navigation menu, click Auth Provider.

  4. Under the section Log Out behavior, choose the appropriate SLO setting as described below:

    • Log out of Rancher and not authentication provider: Logs out of the Rancher application only, not the external authentication provider.
    • Log out of Rancher and authentication provider (includes all other applications registered with authentication provider): Logs out of Rancher and all external authentication providers, along with any registered applications linked to the provider.
    • Allow the user to choose one of the above in an additional log out step: Presents users with a choice between the two logout methods described above.