Integrating Azure Active Directory with Rancher

Introduction

Today we’ll be doing a post on how to integrate Azure Active Directory with my favorite Docker orchestration tool, Rancher. A few months back I filed a feature request with the Rancher team (on GitHub), and it was added in the latest 1.1.0 release!

 

Authentication & Authorisation

So what can we do with it? The first thing I want to point out is that any identity process has two conceptual aspects:

  • Authentication: proving that you really are who you claim to be. This can be done with a username and password, certificates, and so on.
  • Authorization: once your identity is known, you are granted a given set of permissions (possibly grouped by role).

Why do I say this? Once you enable the AAD (Azure Active Directory) integration, AAD becomes responsible for authentication: it is the party that verifies the credentials. Rancher Server (and its UI) remains responsible for authorization: what an authenticated AAD user is allowed to see and do in Rancher is still decided in Rancher!

 

Identity Flow with the AAD integration

The following diagram shows how the flow goes:

[Diagram: Rancher / Azure Active Directory integration identity flow]

Setting up Azure Active Directory

Log in to the classic Azure portal and navigate to your Azure Active Directory. There, go to the “Applications” tab:

[Screenshot: classic portal, Active Directory “Applications” tab]

Click on the “Add an application” link.

[Screenshot: classic portal, “Add an application”]

Select “Add an application my organization is developing”.

[Screenshot: classic portal, “What do you want to do?” dialog]

Give it a name (for example “Rancher UI”) so that you can recognize the application later, and select “Native Client Application”. A native client is a public client: it has no client secret, and Rancher will only need its Client ID.

[Screenshot: classic portal, application name and type]

Give it a redirect URI. Its value is not used by the Rancher integration: users sign in on the Rancher login page and the Rancher form asks for an account’s username and password, so the browser is never redirected to Azure AD and the redirect is never followed. Still, use a URI you control (for example the URL of your Rancher server) rather than a random placeholder. To finalize, press the “V” button. Afterwards you’ll be redirected to the application you just created. Navigate to the “Configure” tab.

[Screenshot: classic portal, application properties with redirect URI]

In the “Configure” tab, the first thing to do is copy the “Client ID”. You’ll need it in a bit when configuring Rancher.

[Screenshot: classic portal, “Configure” tab showing the Client ID]

Next, configure the permissions this application will have on “Windows Azure Active Directory” (the directory’s Graph API). I suggest granting the following:

  • Access the directory as the signed-in user
  • Read directory data
  • Read all groups
  • Read user’s full profiles

These are delegated permissions: the application acts with the rights of the user who signed in, which for Rancher means the service account you set up below. “Read directory data” and “Read all groups” have to be granted by a directory administrator (admin consent). Don’t grant more than this; reading users and their group memberships is all the integration needs.

[Screenshot: classic portal, permissions to other applications]

And of course, press “Save”.

If you haven’t already, create a dedicated service account in your Azure Active Directory for Rancher to use (the Rancher form calls it the admin account). In my example I created “rancher @ kvaes.be” for this. Rancher stores this account’s username and password, so give it a strong, unique password, don’t reuse a personal or Global Administrator account, and keep its rights to what the integration needs: reading users and groups in the directory.

One last thing: note your “Tenant ID”. The easiest way is to copy it from the address bar, where it appears as the GUID in the directory URL:

[Screenshot: classic portal address bar showing the Tenant ID]

 

Configure Rancher

Now let’s configure Rancher! In the Rancher UI, browse to “Admin” and then “Access Control”, select Azure AD, and enter the information we noted down in the previous phase (Tenant ID, Client ID, and the username and password of the service account):

[Screenshot: Rancher, Access Control configuration for Azure AD]

Then click “Authenticate with Azure”. If all goes well, you’ll see the following screen:

[Screenshot: Rancher, Azure AD access control enabled]

 

Test driving Rancher & Azure Active Directory!

Now let’s test this baby out!

[Screenshot: Rancher login page]

The login works, and I can see the user profile information that Rancher retrieved from AAD.

[Screenshot: Rancher user profile, first user]

And for another user:

[Screenshot: Rancher user profile, second user]

 

What kind of user accounts will work?

For those familiar with Azure Active Directory: there are several kinds of users you can provision in a directory.

[Screenshot: classic portal, user types offered when adding a user]

What is important to know:

[Screenshot: classic portal, user list]

Only native Azure Active Directory users (users created in your directory, whose password is held by your tenant) will work! Microsoft accounts and B2B guest accounts will NOT work: they authenticate against another identity provider, so the credential-based sign-in Rancher performs cannot validate them against your tenant.
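The setup above (native application, Client ID, Tenant ID, service account) and the user-type restriction can be checked from the command line before you touch Rancher. The script below is an added example; it is not code from this post or from Rancher. It assumes what the Rancher form implies: that Rancher 1.x signs a user in by sending the credentials to the tenant’s token endpoint on behalf of the native application (a resource-owner password grant, with no client secret) and then reads the user’s profile and groups from the Azure AD Graph API at graph.windows.net, the “Windows Azure Active Directory” resource the permissions were granted on (Microsoft has since retired that API). The Tenant ID, Client ID and user names used for testing are made up; everything except main() runs offline.

```python
"""Pre-flight check for the Azure AD side of the Rancher 1.x integration.
Added example: replays what the integration depends on (a password-grant
token for the native application, then a Graph call as that user). Everything
except main() is pure and runs offline."""
import base64
import json
import re
import sys
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
AAD_GRAPH = "https://graph.windows.net"  # the "Windows Azure Active Directory" resource
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def tenant_id_from_url(portal_url):
    """Pull the Tenant ID out of a classic-portal URL copied from the address
    bar (assumed to carry the directory GUID as a path segment)."""
    m = GUID_RE.search(portal_url)
    if not m:
        raise ValueError("no tenant GUID found in URL")
    return m.group(0).lower()


def token_request(tenant, client_id, username, password):
    """Resource-owner password grant as a native (public) client: no client
    secret, the user's credentials go straight to the tenant's token endpoint.
    Returns (endpoint, form-encoded body); nothing is sent from here."""
    if not (GUID_RE.fullmatch(tenant) or "." in tenant):
        raise ValueError("tenant must be the Tenant ID or a verified domain")
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "resource": AAD_GRAPH,
    })
    return f"{LOGIN}/{tenant}/oauth2/token", body


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token(access_token, expected_tenant):
    """Inspect the claims the integration relies on. The signature is not
    verified: this is a pre-flight look at a token just received from the
    issuer over TLS, not a resource server. Returns (claims, problems)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = _b64url_json(parts[1])
    home_sts = f"https://sts.windows.net/{expected_tenant.lower()}"
    problems = []
    if claims.get("tid", "").lower() != expected_tenant.lower():
        problems.append("tid != configured tenant")
    idp = claims.get("idp", home_sts).rstrip("/")  # absent for home-tenant users
    if idp.lower() != home_sts:
        problems.append(f"external identity provider: {idp}")  # MSA / other tenant
    if "#EXT#" in (claims.get("upn", "") + claims.get("unique_name", "")):
        problems.append("B2B guest account")
    if claims.get("aud", "").rstrip("/") != AAD_GRAPH:
        problems.append("token not issued for the Graph resource")
    return claims, problems


def graph_request(tenant, access_token, path="me"):
    """GET for an Azure AD Graph 1.6 resource as the signed-in user."""
    url = f"{AAD_GRAPH}/{tenant}/{path}?api-version=1.6"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}", "Accept": "application/json"})


def unsigned_jwt(claims):
    """JWT-shaped string with an empty signature, so check_token() can be
    exercised offline on constructed claims. Never accept such a token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def main(argv):
    if len(argv) != 5:
        print("usage: aad_preflight.py TENANT_ID CLIENT_ID USERNAME PASSWORD", file=sys.stderr)
        return 2
    tenant, client_id, username, password = argv[1:]
    endpoint, body = token_request(tenant, client_id, username, password)
    with urllib.request.urlopen(endpoint, data=body.encode()) as resp:
        token = json.load(resp)["access_token"]
    claims, problems = check_token(token, tenant)
    print("signed in as:", claims.get("upn") or claims.get("unique_name"))
    for p in problems:
        print("WARNING:", p)
    with urllib.request.urlopen(graph_request(tenant, token, "me/memberOf")) as resp:
        print("groups:", [g.get("displayName") for g in json.load(resp).get("value", [])])
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 aad_preflight.py TENANT_ID CLIENT_ID rancher@example.com 'password'` from a machine with the same network access as the Rancher server. An HTTP 400 from the token endpoint carrying an AADSTS error means the account or application is not set up as the steps above describe; a WARNING about an external identity provider or a B2B guest is the “only native users” rule showing up in the token’s own claims, and an empty group list with a valid token points at missing directory permissions rather than at Rancher.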

 

TL;DR

  • Azure Active Directory integration in Rancher is now a fact!
  • Be sure to use a “native application” in AAD for Rancher
  • Only native AAD users will work. B2B & Microsoft accounts do not work.

5 thoughts on “Integrating Azure Active Directory with Rancher”

  1. I don’t see why it would need the “admin account” credentials entered. Given correct permissions, the app should have the permissions it needs to authenticate/read user info without it. Essentially we need two sets of credentials (app creds + admin user creds) to configure Azure AD integration – that just seems wrong.

  2. What does the admin account actually do/ what is it used for? Finish something with app registration or something?

    1. My personal understanding is that the way Rancher looks at Azure AD is like working with LDAP:

      “AZURE AD/OPENLDAP
      For Azure AD and OpenLDAP, any user that is a member of your setup will be able to access the Rancher site.” Source : https://docs.rancher.com/rancher/v1.3/en/configuration/access-control/

      As said in the previous comment, there is some room for improvement, as Azure AD truly shines on the typical web app integration method (like, for instance, OAuth).

  3. What it is the admin account exactly used for? Is it needed to finish up some app registration or something?
