Understanding Rancher-ADFS Authentication Workflow After Rancher 2.10.x Upgrade

SUSE Rancher version 2.10.x, upgraded from 2.9.x or earlier, with authentication configured using Active Directory Federation Services (ADFS) integration.

Starting with Rancher 2.10.x, the SAML authentication workflow between Rancher and ADFS has changed significantly. The key change is that SAML requests from Rancher are now signed, requiring proper certificate configuration on both sides. After upgrading to Rancher 2.10.x, users may experience authentication failures when attempting to log in via ADFS if certificates are not properly configured according to this new workflow.

A] New Installation

1] Prepare certificates:

Generate a certificate and private key for your Rancher server:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=rancher.example.com"

Note: Replace rancher.example.com with the actual Rancher URL

2] Configure ADFS for Rancher:

• Follow: Configure ADFS for Rancher
• In ADFS Management Console, update or create Relying Party Trust for Rancher
• Add Rancher's certificate to signature verification

• • Navigate to Relying Party Trust → Properties → Signature tab → Add
  • Select the same certificate (cert.pem) configured in Rancher
  • This enables ADFS to validate Rancher's signed SAML requests

3] Configure Rancher for ADFS Authentication

1. Follow: Configure Rancher for MS ADFS
2.  Make sure to configure the following:
   • Certificate: Add the certificate (cert.pem) generated in step 1]
   • Private Key: Add the private key (key.pem)  generated in step 1]
3. Save the configuration

B] Existing Setup

If it's an existing setup, update or create Relying Party Trust for Rancher. Add Rancher's certificate to signature verification:

• • Navigate to Relying Party Trust → Properties → Signature tab → Add
  • Select the same certificate (cert.pem) configured in Rancher
  • This enables ADFS to validate Rancher's signed SAML requests

In Rancher 2.10.x, SAML requests sent from Rancher to ADFS are now signed as an additional security measure. This requires a specific trust configuration:

• Rancher obtains ADFS's certificate via the federation metadata XML to validate responses from ADFS (already in place)
• ADFS now needs Rancher's certificate to validate signed requests from Rancher (new in 2.10.x)

The general workflow is as follows:

1. User initiates login: User clicks on ADFS login option in Rancher UI
2. Rancher generates SAML request: Rancher creates a SAML authentication request
3. Rancher signs the request: Using its private key (new in 2.10.x)
4. Request sent to ADFS: Signed request is redirected to ADFS
5. ADFS validates signature: Using Rancher's certificate configured in Relying Party Trust
6. Response sent to Rancher: ADFS redirects back to Rancher with response
7. Rancher validates response: Using ADFS certificate obtained from the federation metadata

The Rancher GitHub issue #48655 mentions this change, noting that ADFS Relying Party Trust needs to pick up a signature verification certificate from metadata or have it manually added.