Configuring Azure AD
Available as of v2.0.3
If you have an instance of Active Directory (AD) hosted in Azure, you can configure Rancher to allow your users to log in using their AD accounts. Azure AD external authentication requires configuration in both Azure and Rancher.
Prerequisite: Have an instance of Azure AD configured.
Note: Most of this procedure takes place from the Microsoft Azure Portal.
Azure Active Directory Configuration Outline
Configuring Rancher to allow your users to authenticate with their Azure AD accounts involves multiple procedures. Review the outline below before getting started.
Tip: Before you start, we recommend creating an empty text file. You can use this file to copy values from Azure that you’ll paste into Rancher later.
1. Register Rancher with Azure
2. Create an Azure API Key
3. Set Required Permissions for Rancher
4. Add a Reply URL
5. Copy Azure Application Data
6. Configure Azure AD in Rancher
1. Register Rancher with Azure
Before enabling Azure AD within Rancher, you must register Rancher with Azure.
Log in to Microsoft Azure as an administrative user. Configuration in future steps requires administrative access rights.
Use search to open the App registrations service.
Click New application registration and complete the Create form.
Enter a Name (something like
From Application type, make sure that Web app / API is selected.
In the Sign-on URL field, enter the URL of your Rancher Server.
2. Create an Azure API Key
From the Azure portal, create an API key. Rancher will use this key to authenticate with Azure AD.
Use search to open the App registrations service, then open the entry for Rancher that you created in the previous procedure.
Step Result: A new blade opens for Rancher.
From the Settings blade, select Keys.
From Passwords, create an API key.
Enter a Key description (something like
Select a Duration for the key. This drop-down sets the expiration date for the key. Shorter durations are more secure, but require you to create a new key after expiration.
Copy the key value and save it to an empty text file.
You’ll enter this key into the Rancher UI later as your Application Secret.
You won’t be able to access the key value again within the Azure UI.
3. Set Required Permissions for Rancher
Next, set API permissions for Rancher within Azure.
From the Settings blade, select Required permissions.
Click Windows Azure Active Directory.
From the Enable Access blade, select the following Delegated Permissions:
- Access the directory as the signed-in user
- Read directory data
- Read all groups
- Read all users’ full profiles
- Read all users’ basic profiles
- Sign in and read user profile
From Required permissions, click Grant permissions. Then click Yes.
Note: You must be signed in as an Azure administrator to successfully save your permission settings.
4. Add a Reply URL
To use Azure AD with Rancher you must whitelist Rancher with Azure. You complete this whitelisting by providing Azure with a reply URL for Rancher, which is your Rancher Server URL followed by a verification path.
From the Settings blade, select Reply URLs.
From the Reply URLs blade, enter the URL of your Rancher Server, appended with the verification path:
Tip: You can find your personalized Azure reply URL in Rancher on the Azure AD Authentication page (Global View > Security > Authentication > Azure AD).
Result: Your reply URL is saved.
Note: It can take up to five minutes for this change to take effect, so don’t be alarmed if you can’t authenticate immediately after Azure AD configuration.
5. Copy Azure Application Data
As your final step in Azure, copy the data that you’ll use to configure Rancher for Azure AD authentication and paste it into an empty text file.
Obtain your Rancher Tenant ID.
Use search to open the Azure Active Directory service.
From the Azure Active Directory menu, open Properties.
Copy the Directory ID and paste it into your text file.
You’ll paste this value into Rancher as your Tenant ID.
Obtain your Rancher Application ID.
Use search to open App registrations.
Find the entry you created for Rancher.
Copy the Application ID and paste it to your text file.
Obtain your Rancher Graph Endpoint, Token Endpoint, and Auth Endpoint.
From App registrations, click Endpoints.
Copy the following endpoints to your clipboard and paste them into your text file (these values will be your Rancher endpoint values).
- Microsoft Azure AD Graph API Endpoint (Graph Endpoint)
- OAuth 2.0 Token Endpoint (Token Endpoint)
- OAuth 2.0 Authorization Endpoint (Auth Endpoint)
6. Configure Azure AD in Rancher
From the Rancher UI, enter information about your AD instance hosted in Azure to complete configuration.
Enter the values that you copied to your text file.
Log into Rancher. From the Global view, select Security > Authentication.
Select Azure AD.
Complete the Configure Azure AD Account form using the information you copied while completing Copy Azure Application Data.
Important: When entering your Graph Endpoint, remove the tenant ID from the URL, like below.
The following table maps the values you copied in the Azure portal to the fields in Rancher.
| Rancher Field | Azure Value |
| --- | --- |
| Tenant ID | Directory ID |
| Application ID | Application ID |
| Application Secret | Key Value |
| Endpoint | https://login.microsoftonline.com/ |
| Graph Endpoint | Microsoft Azure AD Graph API Endpoint |
| Token Endpoint | OAuth 2.0 Token Endpoint |
| Auth Endpoint | OAuth 2.0 Authorization Endpoint |
Click Authenticate with Azure.
Result: Azure Active Directory authentication is configured.
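As an added example (not part of Rancher's documentation or code), this Python helper checks the values copied in step 5 for consistency before you paste them into the Rancher form: every ID must be a GUID, every endpoint must use HTTPS, the tenant GUID embedded in the endpoint URLs must match the Directory ID, and the tenant ID is stripped from the Graph Endpoint as the Important note requires. The sample values are constructed, and the assumption that the Token and Auth endpoints carry the tenant GUID in their path follows the usual Azure AD endpoint form.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample values (not real tenant, app or key identifiers) for what you copy from the portal.
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
KEY_VALUE = "constructed-key-value"
GRAPH_ENDPOINT = "https://graph.windows.net/" + DIRECTORY_ID
TOKEN_ENDPOINT = "https://login.microsoftonline.com/" + DIRECTORY_ID + "/oauth2/token"
AUTH_ENDPOINT = "https://login.microsoftonline.com/" + DIRECTORY_ID + "/oauth2/authorize"

def tenant_in_path(url: str) -> Optional[str]:
    """Return the GUID path segment of an Azure endpoint URL, or None if it has none."""
    for segment in urlparse(url).path.split("/"):
        if GUID_RE.match(segment):
            return segment
    return None

def strip_tenant_from_graph_endpoint(graph_endpoint: str) -> str:
    """Drop the tenant GUID from the Graph Endpoint, as the Important note above requires."""
    parsed = urlparse(graph_endpoint)
    kept = [s for s in parsed.path.split("/") if s and not GUID_RE.match(s)]
    return f"{parsed.scheme}://{parsed.netloc}/" + "/".join(kept)

def build_rancher_fields(directory_id: str, application_id: str, key_value: str,
                         graph: str, token: str, auth: str) -> Dict[str, str]:
    """Map copied Azure values onto the Rancher form, refusing inconsistent or non-HTTPS input."""
    for name, value in (("Directory ID", directory_id), ("Application ID", application_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} {value!r} is not a GUID; re-copy it from the portal")
    for name, url in (("Graph Endpoint", graph), ("Token Endpoint", token), ("Auth Endpoint", auth)):
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} must be an https URL")
        tenant = tenant_in_path(url)
        # Every endpoint must refer to the same directory as the copied Directory ID.
        if tenant is not None and tenant.lower() != directory_id.lower():
            raise ValueError(f"{name} names tenant {tenant}, not Directory ID {directory_id}")
    return {
        "Tenant ID": directory_id,
        "Application ID": application_id,
        "Application Secret": key_value,
        "Endpoint": "https://login.microsoftonline.com/",
        "Graph Endpoint": strip_tenant_from_graph_endpoint(graph),
        "Token Endpoint": token,
        "Auth Endpoint": auth,
    }
```

Run it against the values in your text file; the returned dictionary is keyed by the Rancher field names from the table above, so each entry can be pasted as-is.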