Configuring Azure Active Directory
If you have an instance of Active Directory (AD) hosted in Azure, you can configure Rancher to allow your users to log in using their AD accounts. Azure AD external authentication requires configuration in both Azure and Rancher.
Note: Most of this procedure, with the exception of Configure Azure AD in Rancher, takes place from the Microsoft Azure Portal.
Azure Active Directory Configuration Outline
Configuring Rancher to allow your users to authenticate with their Azure AD accounts involves multiple procedures. Review the outline below before getting started.
Tip: Before you start, we recommend creating an empty text file. You can use this file to copy values from Azure that you’ll paste into Rancher later.
1. Before enabling Azure AD within Rancher, you must register Rancher with Azure.
2. From the Azure portal, create an API key. Rancher will use this key to authenticate with AD.
3. Next, set API permissions for Rancher within Azure.
4. As your final step in Azure, copy the data that you’ll use to configure Rancher for Azure AD authentication.
5. From the Rancher UI, enter information about your AD instance hosted in Azure to complete configuration.
1. Register Rancher with Azure
Before enabling Azure AD within Rancher, you must register Rancher with Azure.
Log in to Microsoft Azure as an administrative user. Configuration in future steps requires administrative access rights.
Use search to open the App registrations service.
- Click New application registration and complete the Create form.
  - Enter a Name (something like Rancher).
  - From Application type, make sure that Web app / API is selected.
  - In the Sign-on URL field, enter the URL of your Rancher Server.
- Click Create.
2. Create an Azure API Key
From the Azure portal, create an API key. Rancher will use this key to authenticate with Azure AD.
- Use search to open App registrations services. Then open the entry for Rancher that you created in the last procedure.
Result: A new blade opens for Rancher.
Click Settings.
From the Settings blade, select Keys.
From Passwords, create an API key.
  - Enter a Key description (something like Rancher).
  - Select a Duration for the key. This drop-down sets the expiration date for the key. Shorter durations are more secure, but require you to create a new key after expiration.
Click Save (you don’t need to enter a value—it will automatically populate after you save).
Copy the key value and save it to an empty text file.
You’ll enter this key into the Rancher UI later as your Application Secret.
You won’t be able to access the key value again within the Azure UI.
3. Set Required Permissions for Rancher
Next, set API permissions for Rancher within Azure.
- From the Settings blade, select Required permissions.
Click Windows Azure Active Directory.
From the Enable Access blade, select the following Delegated Permissions:
- Access the directory as the signed-in user
- Read directory data
- Read all groups
- Read all users’ full profiles
- Read all users’ basic profiles
- Sign in and read user profile
Click Save.
From Required permissions, click Grant permissions. Then click Yes.
Note: You must be signed in as an Azure administrator to successfully save your permission settings.
4. Copy Azure Application Data
As your final step in Azure, copy the data that you’ll use to configure Rancher for Azure AD authentication and paste it into an empty text file.
Obtain your Rancher Tenant ID.
- Use search to open the Azure Active Directory service.
From the Azure Active Directory menu, open Properties.
Copy the Directory ID and paste it into your text file.
You’ll paste this value into Rancher as your Tenant ID.
Obtain your Rancher Application ID.
- Use search to open App registrations.
Find the entry you created for Rancher.
Copy the Application ID and paste it to your text file.
Obtain your Rancher Graph Endpoint, Token Endpoint, and Auth Endpoint.
- From App registrations, click Endpoints.
Copy the following endpoints to your clipboard and paste them into your text file (these values will be your Rancher endpoint values).
- Microsoft Azure AD Graph API Endpoint (Graph Endpoint)
- OAuth 2.0 Token Endpoint (Token Endpoint)
- OAuth 2.0 Authorization Endpoint (Auth Endpoint)
5. Configure Azure AD in Rancher
From the Rancher UI, enter information about your AD instance hosted in Azure to complete configuration.
Enter the values that you copied to your text file.
Log into Rancher. From the Global view, select Security > Authentication.
Select Azure AD.
Complete the Configure Azure AD Account form using the information you copied while completing Copy Azure Application Data.
Important: When entering your Graph Endpoint, remove the tenant ID from the URL. For example, if the portal shows
https://graph.windows.net/abb5adde-bee8-4821-8b03-e63efdc7701c
enter only
https://graph.windows.net/
The following table maps the values you copied in the Azure portal to the fields in Rancher.

| Rancher Field | Azure Value |
| --- | --- |
| Tenant ID | Directory ID |
| Application ID | Application ID |
| Application Secret | Key Value |
| Endpoint | https://login.microsoftonline.com/ |
| Graph Endpoint | Microsoft Azure AD Graph API Endpoint |
| Token Endpoint | OAuth 2.0 Token Endpoint |
| Auth Endpoint | OAuth 2.0 Authorization Endpoint |
- Click Authenticate with Azure.
Result: Azure Active Directory authentication is configured.
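Before pasting the copied values into the Configure Azure AD Account form, it helps to sanity-check them against the mapping above. The following Python helper is an added example, not part of the Rancher documentation or product: it strips a trailing tenant ID from the Graph Endpoint (the mistake the Important note warns about) and flags values that do not have the expected shape. It assumes the Token and Auth Endpoints listed by Azure contain the tenant ID in their path, as the OAuth 2.0 endpoints shown in the portal do; the Application ID and secret in the sample config are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Azure AD tenant (Directory) IDs and Application IDs are GUIDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_graph_endpoint(url: str) -> str:
    """Return the Graph Endpoint without a trailing tenant ID.

    The portal lists https://graph.windows.net/<tenant-id>; Rancher expects
    the bare https://graph.windows.net/ form, so a trailing GUID is dropped.
    """
    parsed = urlparse(url.strip())
    segments = [s for s in parsed.path.split("/") if s]
    if segments and GUID_RE.match(segments[-1]):
        segments.pop()
    path = "/".join(segments)
    return f"{parsed.scheme}://{parsed.netloc}/" + (path + "/" if path else "")


def check_azure_ad_values(cfg: dict) -> list:
    """Return a list of problems with the values about to be entered in Rancher."""
    problems = []
    tenant = cfg.get("tenant_id", "")
    if not GUID_RE.match(tenant):
        problems.append("Tenant ID is not a GUID (copy Directory ID from Azure AD > Properties)")
    if not GUID_RE.match(cfg.get("application_id", "")):
        problems.append("Application ID is not a GUID")
    if not cfg.get("application_secret"):
        problems.append("Application Secret is empty (the key value is shown only once after Save)")
    if cfg.get("endpoint") != "https://login.microsoftonline.com/":
        problems.append("Endpoint should be https://login.microsoftonline.com/")
    if cfg.get("graph_endpoint") != "https://graph.windows.net/":
        problems.append("Graph Endpoint must be https://graph.windows.net/ with no tenant ID")
    for field in ("token_endpoint", "auth_endpoint"):
        parsed = urlparse(cfg.get(field, ""))
        if parsed.scheme != "https" or tenant not in parsed.path:
            problems.append(f"{field} should be an https URL that contains the tenant ID")
    return problems


# Constructed sample: tenant ID from the example above, other values are placeholders.
SAMPLE_CONFIG = {
    "tenant_id": "abb5adde-bee8-4821-8b03-e63efdc7701c",
    "application_id": "11111111-2222-3333-4444-555555555555",
    "application_secret": "placeholder-key-value",
    "endpoint": "https://login.microsoftonline.com/",
    "graph_endpoint": normalize_graph_endpoint(
        "https://graph.windows.net/abb5adde-bee8-4821-8b03-e63efdc7701c"),
    "token_endpoint": "https://login.microsoftonline.com/abb5adde-bee8-4821-8b03-e63efdc7701c/oauth2/token",
    "auth_endpoint": "https://login.microsoftonline.com/abb5adde-bee8-4821-8b03-e63efdc7701c/oauth2/authorize",
}
```

Run the checks on your own values before clicking Authenticate with Azure; an empty list means the mapping is consistent.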