2. Configuring Rancher for Microsoft AD FS

After you complete Configuring Microsoft AD FS for Rancher, enter your Active Directory Federation Service (AD FS) information into Rancher so that AD FS users can authenticate with Rancher.

Important Notes For Configuring Your ADFS Server:

  • The SAML 2.0 WebSSO Protocol Service URL is: https://<RANCHER_SERVER>/v1-saml/adfs/saml/acs
  • The Relying Party Trust identifier URL is: https://<RANCHER_SERVER>/v1-saml/adfs/saml/metadata
  • You must export the federationmetadata.xml file from your AD FS server. This can be found at: https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml

  1. In the top left corner, click ☰ > Users & Authentication.

  2. In the left navigation menu, click Auth Provider.

  3. Click ADFS.

  4. Complete the Configure AD FS Account form. Microsoft AD FS lets you specify an existing Active Directory (AD) server. The Configuration section below describes how you can map AD attributes to fields within Rancher.

  5. After you complete the Configure AD FS Account form, click Enable.

    Rancher redirects you to the AD FS login page. Enter credentials that authenticate with Microsoft AD FS to validate your Rancher AD FS configuration.

    Note:

    You may have to disable your popup blocker to see the AD FS login page.

Result: Rancher is configured to work with Microsoft AD FS. Your users can now sign into Rancher using their Microsoft AD FS logins.

Configuration

Field and description:

  • Display Name Field: The AD attribute that contains the display name of users.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • User Name Field: The AD attribute that contains the user name/given name.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • UID Field: An AD attribute that is unique to every user.
    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  • Groups Field: Make entries for managing group memberships.
    Example: http://schemas.xmlsoap.org/claims/Group
  • Rancher API Host: The URL for your Rancher Server.
  • Private Key / Certificate: A key-certificate pair used to create a secure channel between Rancher and your AD FS. Ensure you set the Common Name (CN) to your Rancher Server URL. See the example certificate creation command below.
  • Metadata XML: The federationmetadata.xml file exported from your AD FS server. You can find this file at https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml.
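Before pasting the exported federationmetadata.xml into the Metadata XML field, it is worth confirming that it is identity-provider metadata carrying a signing certificate and an HTTPS HTTP-POST sign-on endpoint, since those are what Rancher relies on to verify AD FS assertions. The following is an added example, not code from the Rancher docs or project: it parses a constructed stand-in for the AD FS metadata (the adfs.example.test and rancher.example.test host names are assumptions) and also derives the two Rancher URLs listed in the notes above.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for an AD FS federationmetadata.xml export (not a real file).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...constructed...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def rancher_sp_urls(rancher_server):
    """The two Rancher URLs the AD FS relying party trust must use (from the notes above)."""
    base = f"https://{rancher_server}/v1-saml/adfs/saml"
    return {"acs": f"{base}/acs", "metadata": f"{base}/metadata"}


def inspect_idp_metadata(xml_text):
    """Extract what Rancher needs from IdP metadata and list anything that looks wrong."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data"
                        "/ds:X509Certificate", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    problems = []
    if not certs:
        problems.append("no signing certificate: Rancher cannot verify AD FS assertions")
    if "HTTP-POST" not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, loc in sso.items():
        if not loc.startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {loc}")
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs),
            "sso": sso, "problems": problems}
```

Run inspect_idp_metadata() over the real export (read from disk) and treat any entry in "problems" as a reason to fix the AD FS side before enabling the provider in Rancher.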

Example Certificate Creation Command

You can generate a self-signed certificate using an openssl command. For example:

  openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"