
Understanding Rancher-ADFS Authentication Workflow After Rancher 2.10.x Upgrade

This document (000021814) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Rancher version 2.10.x, upgraded from 2.9.x or earlier, with authentication configured using Active Directory Federation Services (ADFS) integration.


Situation

Starting with Rancher 2.10.x, the SAML authentication workflow between Rancher and ADFS has changed significantly. The key change is that SAML requests from Rancher are now signed, requiring proper certificate configuration on both sides. After upgrading to Rancher 2.10.x, users may experience authentication failures when attempting to log in via ADFS if certificates are not properly configured according to this new workflow.

Resolution

A] New Installation

1] Prepare certificates:

Generate a certificate and private key for your Rancher server:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=rancher.example.com"

Note: Replace rancher.example.com with the hostname of your Rancher server URL.

2] Configure ADFS for Rancher:

  • Follow: Configure ADFS for Rancher
  • In ADFS Management Console, update or create Relying Party Trust for Rancher
  • Add Rancher's certificate to signature verification
    • Navigate to Relying Party Trust → Properties → Signature tab → Add
    • Select the same certificate (cert.pem) configured in Rancher
    • This enables ADFS to validate Rancher's signed SAML requests

3] Configure Rancher for ADFS Authentication

  1. Follow: Configure Rancher for MS ADFS
  2. Make sure to configure the following:
    • Certificate: Add the certificate (cert.pem) generated in step 1]
    • Private Key: Add the private key (key.pem) generated in step 1]
  3. Save the configuration

B] Existing Setup

For an existing setup, update the existing Relying Party Trust for Rancher in ADFS (or create one if none exists) and add Rancher's certificate to signature verification:

    • Navigate to Relying Party Trust → Properties → Signature tab → Add
    • Select the same certificate (cert.pem) configured in Rancher
    • This enables ADFS to validate Rancher's signed SAML requests

Cause

In Rancher 2.10.x, SAML requests sent from Rancher to ADFS are now signed as an additional security measure. This requires a specific trust configuration:

  • Rancher obtains ADFS's certificate via the federation metadata XML to validate responses from ADFS (already in place)
  • ADFS now needs Rancher's certificate to validate signed requests from Rancher (new in 2.10.x)

The general workflow is as follows:

  1. User initiates login: User clicks on ADFS login option in Rancher UI
  2. Rancher generates SAML request: Rancher creates a SAML authentication request
  3. Rancher signs the request: Using its private key (new in 2.10.x)
  4. Request sent to ADFS: Signed request is redirected to ADFS
  5. ADFS validates signature: Using Rancher's certificate configured in Relying Party Trust
  6. Response sent to Rancher: ADFS redirects back to Rancher with response
  7. Rancher validates response: Using ADFS certificate obtained from the federation metadata
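The following shell script is an added example and is not part of this SUSE knowledgebase document or of Rancher itself. It models the trust relationship described in step 1] and in the workflow above with plain openssl: it generates the Rancher certificate and key, checks that the key pasted into Rancher really belongs to the certificate added to the ADFS Relying Party Trust (the most common mismatch after an upgrade), signs a constructed stand-in for the SAML request with the private key as Rancher does, and verifies it with the certificate as ADFS does. It assumes openssl is on PATH; the AuthnRequest payload and the adfs.example.com hostname are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SUSE KB article or Rancher): models the
# Rancher -> ADFS signing trust with plain openssl. Assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1] of the article: self-signed certificate + private key for Rancher.
gen_keypair() {
    openssl req -x509 -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -days 365 -nodes -subj "/CN=rancher.example.com" >/dev/null 2>&1
}

# Sanity check before uploading: the private key configured in Rancher must
# belong to the certificate added to the ADFS Relying Party Trust, so compare
# the public key derived from each.  $1 = private key, $2 = certificate
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# SHA-256 fingerprint, for comparing with the certificate shown in the ADFS
# Relying Party Trust Signature tab.  $1 = certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Rancher side (workflow steps 2-3): sign the request with the private key.
# $1 = request file, $2 = private key, $3 = signature output file
sign_request() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# ADFS side (workflow step 5): verify with the public key from the certificate
# held in the Relying Party Trust.  $1 = request file, $2 = certificate, $3 = signature
verify_request() {
    openssl x509 -in "$2" -noout -pubkey > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$1" >/dev/null 2>&1
}

# Happy path: matching key/cert, signed request accepted.
demo() {
    gen_keypair
    key_matches_cert "$WORK/key.pem" "$WORK/cert.pem" || { echo "key/cert mismatch"; return 1; }
    # Constructed stand-in for the SAML AuthnRequest Rancher redirects to ADFS.
    printf '<samlp:AuthnRequest ID="_example" Destination="https://adfs.example.com/adfs/ls/"/>' \
        > "$WORK/request.xml"
    sign_request "$WORK/request.xml" "$WORK/key.pem" "$WORK/request.sig"
    verify_request "$WORK/request.xml" "$WORK/cert.pem" "$WORK/request.sig"
    echo "signed request verified; certificate fingerprint $(cert_fingerprint "$WORK/cert.pem")"
}

# Failure mode after an upgrade: ADFS holds a different (or no matching)
# certificate, so the signed request is rejected. Must run after demo.
demo_wrong_cert() {
    openssl req -x509 -newkey rsa:2048 -keyout "$WORK/other.key" -out "$WORK/other.pem" \
        -days 1 -nodes -subj "/CN=other.example.com" >/dev/null 2>&1
    ! verify_request "$WORK/request.xml" "$WORK/other.pem" "$WORK/request.sig"
}

demo
```

Run the script as-is to see the happy path; call demo_wrong_cert afterwards to see that a Relying Party Trust holding a different certificate fails verification, which is the symptom users see after the 2.10.x upgrade. The key_matches_cert check is worth running on the exact files you paste into Rancher, since a certificate and key from different openssl runs look identical in the UI but fail exactly this way.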

Status

Top Issue

Additional Information

The Rancher GitHub issue #48655 mentions this change, noting that ADFS Relying Party Trust needs to pick up a signature verification certificate from metadata or have it manually added.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021814
  • Creation Date: 30-Apr-2025
  • Modified Date: 15-May-2025
    • SUSE Rancher


For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
