Understanding Rancher-ADFS Authentication Workflow After Rancher 2.10.x Upgrade
This document (000021814) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Rancher version 2.10.x, upgraded from 2.9.x or earlier, with authentication configured using Active Directory Federation Services (ADFS) integration.
Situation
Starting with Rancher 2.10.x, the SAML authentication workflow between Rancher and ADFS has changed: SAML authentication requests sent by Rancher are now signed with Rancher's private key, so ADFS must hold the matching certificate in order to verify them. After upgrading to Rancher 2.10.x, users may experience authentication failures when logging in via ADFS if the certificates are not configured on both sides as described in this workflow.
Resolution
A] New Installation
1] Prepare certificates:
Generate a certificate and private key for your Rancher server:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=rancher.example.com"
Note: Replace rancher.example.com with the hostname of your Rancher server. Keep key.pem private; it is the key Rancher signs requests with, and only cert.pem is ever shared with ADFS.
2] Configure ADFS for Rancher:
- Follow: Configure ADFS for Rancher
- In ADFS Management Console, update or create Relying Party Trust for Rancher
- Add Rancher's certificate for signature verification:
- Navigate to Relying Party Trust → Properties → Signature tab → Add
- Select the same certificate (cert.pem) configured in Rancher; upload only the certificate, never the private key
- This enables ADFS to validate Rancher's signed SAML requests
3] Configure Rancher for ADFS Authentication
- Follow: Configure Rancher for MS ADFS
- Make sure to configure the following:
- Certificate: Add the certificate (cert.pem) generated in step 1]
- Private Key: Add the private key (key.pem) generated in step 1]
- Save the configuration
B] Existing Setup
For a setup that worked before the upgrade, Rancher already holds a certificate and private key in its ADFS authentication configuration; what is missing is the ADFS side. Update the Relying Party Trust for Rancher (or create it if it does not exist) and add Rancher's certificate for signature verification:
- Navigate to Relying Party Trust → Properties → Signature tab → Add
- Select the certificate already configured in Rancher's ADFS authentication settings (the cert.pem of the new-installation steps); upload only the certificate, never the private key
- This enables ADFS to validate Rancher's signed SAML requests
Cause
In Rancher 2.10.x, SAML requests sent from Rancher to ADFS are signed as an additional integrity control. This requires trust in both directions:
- Rancher obtains ADFS's signing certificate from the federation metadata XML and uses it to validate responses from ADFS (unchanged; this direction existed before 2.10.x)
- ADFS now needs Rancher's certificate to validate the signed requests coming from Rancher (new in 2.10.x)
The general workflow is as follows:
- User initiates login: the user clicks the ADFS login option in the Rancher UI
- Rancher generates a SAML request: Rancher creates a SAML authentication request
- Rancher signs the request: using its configured private key (new in 2.10.x)
- Request sent to ADFS: the browser is redirected to ADFS carrying the signed request
- ADFS validates the signature: using Rancher's certificate configured on the Relying Party Trust; if no matching certificate is present, ADFS rejects the request and the login fails, which is the symptom seen after the upgrade
- Response sent to Rancher: ADFS redirects the browser back to Rancher with the SAML response
- Rancher validates the response: using the ADFS certificate obtained from the federation metadata
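The following script ties the Resolution steps and the workflow above together in one runnable example. It is added here and is not SUSE's or Rancher's code. It assumes the openssl CLI is installed, uses rancher.example.com and adfs.example.com as placeholder hostnames, and signs a constructed stand-in AuthnRequest rather than the exact request and binding Rancher's SAML library produces. It generates the key pair from step 1, checks that cert.pem really belongs to key.pem, exports a .cer file for the ADFS Signature tab together with the thumbprint ADFS will display, and then shows why the trust matters: the signature verifies with cert.pem and is rejected with any other certificate, which is the post-upgrade failure mode.

```shell
#!/bin/sh
# Added example for this KB article; not SUSE's or Rancher's code.
# Assumptions: openssl CLI present; rancher.example.com / adfs.example.com are
# placeholders; SAMPLE_REQUEST is a constructed stand-in for Rancher's request.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1 of the Resolution: Rancher's signing key pair. -nodes leaves the key
# unencrypted because Rancher loads it directly, so restrict the file mode.
gen_signing_cert() {
  openssl req -x509 -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -days 365 -nodes -subj "/CN=rancher.example.com" >/dev/null 2>&1
  chmod 600 "$WORK/key.pem"
}

# Check before touching ADFS or Rancher: cert.pem must carry the public half
# of key.pem, otherwise ADFS would verify against a key Rancher never uses.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/key.pem" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Step 2 (ADFS side): the Signature tab takes a certificate file only. Export
# the DER form with a .cer extension; key.pem never goes to the ADFS host.
export_for_adfs() {
  openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/rancher-signing.cer"
}

# Thumbprint as ADFS displays it (SHA-1, no colons), to confirm the right
# certificate landed on the Relying Party Trust.
cert_thumbprint() {
  openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Constructed sample request (see assumptions above).
SAMPLE_REQUEST='<samlp:AuthnRequest ID="_example" Destination="https://adfs.example.com/adfs/ls/"/>'

# Workflow step "Rancher signs the request": RSA-SHA256 over the request with key.pem.
sign_request() {
  printf '%s' "$SAMPLE_REQUEST" | openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/request.sig"
}

# Workflow step "ADFS validates the signature", using whatever certificate the
# trust holds ($1). Succeeds only with the certificate that matches key.pem.
verify_request() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/verify.pub"
  printf '%s' "$SAMPLE_REQUEST" \
    | openssl dgst -sha256 -verify "$WORK/verify.pub" -signature "$WORK/request.sig" >/dev/null 2>&1
}

# An unrelated certificate stands in for a Relying Party Trust that never
# received cert.pem (the failure mode seen after the 2.10.x upgrade).
gen_other_cert() {
  openssl req -x509 -newkey rsa:2048 -keyout "$WORK/other-key.pem" -out "$WORK/other-cert.pem" \
    -days 365 -nodes -subj "/CN=stale.example.com" >/dev/null 2>&1
}

run_demo() {
  gen_signing_cert
  key_matches_cert && echo "key.pem and cert.pem match"
  export_for_adfs
  echo "upload $WORK/rancher-signing.cer to ADFS; expected thumbprint $(cert_thumbprint)"
  sign_request
  gen_other_cert
  if verify_request "$WORK/cert.pem"; then echo "ADFS holding cert.pem: signature OK"; fi
  if verify_request "$WORK/other-cert.pem"; then echo "unexpected"; else echo "ADFS without cert.pem: signature rejected"; fi
}

run_demo
```

The files stay in the temporary directory named by WORK so they can be inspected afterwards; set WORK to a directory of your choice to control where key.pem, cert.pem and rancher-signing.cer land. The certificate here is valid for 365 days like the one in step 1, so plan to repeat the ADFS Signature tab step before it expires, since ADFS will stop accepting Rancher's requests once the certificate is no longer valid.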
Additional Information
The Rancher GitHub issue #48655 documents this change, noting that the ADFS Relying Party Trust needs to pick up the signature verification certificate from metadata or have it added manually.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021814
- Creation Date: 30-Apr-2025
- Modified Date:15-May-2025
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com