1. Configuring Microsoft AD FS for Rancher

Before you configure Rancher to support Active Directory Federation Services (AD FS), you must add Rancher as a relying party trust in AD FS.

  1. Log into your AD FS server as an administrative user.

  2. Open the AD FS Management console. Select Add Relying Party Trust... from the Actions menu and click Start.

  3. Select Enter data about the relying party manually as the option for obtaining data about the relying party.

  4. Enter your desired Display name for your Relying Party Trust. For example, Rancher.

  5. Select AD FS profile as the configuration profile for your relying party trust.

  6. Leave the optional token encryption certificate empty; Rancher does not use one.

  7. Select Enable support for the SAML 2.0 WebSSO protocol and enter https://<rancher-server>/v1-saml/adfs/saml/acs for the service URL.

  8. Add https://<rancher-server>/v1-saml/adfs/saml/metadata as the Relying party trust identifier.

  9. This tutorial will not cover multi-factor authentication; please refer to the Microsoft documentation if you would like to configure multi-factor authentication.

  10. From Choose Issuance Authorization Rules, you may select either of the options available according to your use case. For the purposes of this guide, select Permit all users to access this relying party. In production, restricting access to a specific AD group is the more conservative choice, since Permit all users lets every authenticated domain account reach the Rancher login.

  11. After reviewing your settings, select Next to add the relying party trust.

  12. Select Open the Edit Claim Rules... and click Close.

  13. On the Issuance Transform Rules tab, click Add Rule....

  14. Select Send LDAP Attributes as Claims as the Claim rule template.

  15. Set the Claim rule name to your desired name (for example, Rancher Attributes) and select Active Directory as the Attribute store. Create the mapping shown in the table below:

      | LDAP Attribute | Outgoing Claim Type |
      |---|---|
      | Given-Name | Given Name |
      | User-Principal-Name | UPN |
      | Token-Groups - Qualified by Long Domain Name | Group |
      | SAM-Account-Name | Name |

  16. Download the federationmetadata.xml from your AD FS server at:

      https://<AD_SERVER>/federationmetadata/2007-06/federationmetadata.xml

Result: You've added Rancher as a relying party trust. Now you can configure Rancher to use AD FS.

Next: Configuring Rancher for Microsoft AD FS