Today we’ll be doing a post on how to integrate “Azure Active Directory” with my favorite Docker orchestration tool, “Rancher”. A few months back I filed a feature request with the Rancher team (via GitHub), and it was added in the latest 1.1.0 release!
Authentication & Authorisation
So what can we do with it? The first thing I want to point out is that in any identity process there are two conceptual aspects:
- Authentication: here you provide a way to prove that you are really you. This can be done via user/password, certificates, and so on.
- Authorization: once your identity is known, you can be granted a given set of permissions (possibly grouped by role).
Why do I say this? It’s important to know that once you enable the AAD (Azure Active Directory) integration, AAD becomes responsible for the authentication part. Rancher UI (or Rancher Server) remains responsible for the authorization part!
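To make that split concrete, here is an added example (my own illustration, not code from the post or from Rancher) of the two steps as separate functions. The authentication step checks the claims of an AAD-issued ID token against your tenant ID and the application’s client ID, and the authorization step looks the proven identity up in a role table that stays entirely on the Rancher side. The tenant ID, client ID, role table and claim sets are constructed placeholders, and the example assumes the token signature has already been verified by a JWT library before the claims reach it.

```python
import time

# Constructed placeholders; substitute the "Tenant ID" and "Client ID" you
# noted down in the Azure portal for your own application.
TENANT_ID = "tenant-guid-placeholder"
CLIENT_ID = "client-guid-placeholder"

# Constructed authorization table. This is the part Rancher keeps owning:
# AAD only proves who the user is, it never decides what they may do.
RANCHER_ROLES = {
    "rancher@example.com": "admin",
    "alice@example.com": "member",
}


def authenticate(claims, tenant_id=TENANT_ID, client_id=CLIENT_ID, now=None):
    """Authentication step.

    Accept a claim set only if it was issued by our tenant ("tid"), for our
    application ("aud"), and is still inside its validity window ("exp").
    Assumes the token signature was already verified (not shown here).
    Returns (True, user principal name) or (False, reason).
    """
    now = time.time() if now is None else now
    if claims.get("tid") != tenant_id:
        # Tokens from other tenants (e.g. guest or consumer accounts) stop here.
        return False, "wrong tenant"
    if claims.get("aud") != client_id:
        return False, "token not issued for this application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    upn = claims.get("upn") or claims.get("preferred_username")
    if not upn:
        return False, "no user principal name in token"
    return True, upn


def authorize(upn, roles=RANCHER_ROLES):
    """Authorization step: map a proven identity to a Rancher role.

    An authenticated user without an entry gets None, i.e. no access.
    """
    return roles.get(upn.lower())


def login(claims, now=None):
    """Run both steps in order and report the outcome as a dict."""
    ok, result = authenticate(claims, now=now)
    if not ok:
        return {"authenticated": False, "reason": result, "role": None}
    return {"authenticated": True, "user": result, "role": authorize(result)}


if __name__ == "__main__":
    # Constructed claim set for a user who exists in the role table.
    sample = {
        "tid": TENANT_ID,
        "aud": CLIENT_ID,
        "exp": time.time() + 600,
        "upn": "rancher@example.com",
    }
    print(login(sample))
```

Note that a user who authenticates fine but has no entry in the role table comes back with `"authenticated": True` and `"role": None`; that is exactly the situation where the directory has done its job and it is up to the Rancher-side access control to decide what, if anything, the account may do.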
Identity Flow with the AAD integration
The following diagram will show you how the flow goes…
Setting up Azure Active Directory
Log in to the classic Azure portal and navigate to your Azure Active Directory. Here you should navigate to the “Applications” tab:
Click on the “Add an application” link.
Select “Add an application my organization is developing”
Give it a name (for example “Rancher UI”), so that you can recognize the application in the future and select “Native Client Application”.
Give it a redirect URI. The content doesn’t really matter (I think), as I haven’t seen it being used in the Rancher integration. To finalize, press the “V” (checkmark) button. Afterwards you’ll be redirected to the application you just created. Navigate to the “Configure” tab.
In the “Configure”-tab, the first thing you’ll want to do is copy the “Client ID”. You’ll be needing this in a bit when configuring Rancher.
Next up, you’ll need to configure the permissions this application will have on the “Windows Azure Active Directory” API. I would suggest granting the following permissions:
- Access the directory as the signed-in user
- Read directory data
- Read all groups
- Read user’s full profiles
If you haven’t already, be sure to create a dedicated service/admin user in your Azure Active Directory that will be used by Rancher. In my example, I’ve created “rancher @ kvaes.be” for this.
One last thing: be sure to note your “Tenant ID”. The easiest way is to look at your address bar.
Now let’s configure Rancher! Browse to “Admin” and then “Access Control”. Enter all the information we noted down in the previous phase.
And then click “Authenticate with Azure”. If all goes well, then you’ll see the following screen!
Test driving Rancher & Azure Active Directory!
Now let’s test this baby out!
The login works and I can see my user profile information that Rancher retrieved from AAD.
And for another user…
What kind of user accounts will work?
For those who are familiar with Azure Active Directory, there are several kinds of users which you can provision.
Note that only native Azure Active Directory users will work! Microsoft Accounts or B2B accounts will NOT work!
- Azure Active Directory integration in Rancher is now a fact!
- Be sure to use a “native application” in AAD for Rancher
- Only native AAD users will work. B2B and Microsoft accounts do not work.