Suse-Rancher-integration-configuration-relying-party
Originally Published: 2021-10-28

SUSE Rancher v2.6.1 - Relying Party Configuration - SecurID Access Implementation Guide

This section describes how to integrate SecurID Access with SUSE Rancher using a relying party. The relying party uses SAML 2.0 to integrate SecurID Access as a SAML Identity Provider (IdP) with SUSE Rancher as a SAML Service Provider (SP).

Architecture Diagram

[Architecture diagram image]

Configure SecurID Access Cloud Authentication Service

Perform these steps to configure SecurID Access Cloud Authentication Service (CAS) as a relying party SAML IdP to SUSE Rancher.

Procedure

  1. Sign in to the SecurID Access Cloud Administration Console, browse to Authentication Clients > Relying Parties and click Add a Relying Party. Then select Add for a SAML service provider.


  2. On the Basic Information page, enter a Name for the application, e.g. Rancher. Then click Next Step.

  3. On the Authentication page:

    1. Select either RSA SecurID Access manages all authentication or Service provider manages primary authentication, and RSA SecurID Access manages additional authentication.

    2. Select the desired Primary Authentication Method from the dropdown list.

    3. Select the desired policy from the Access Policy for Additional Authentication.

    4. Click Next Step.


  4. On the Connection Profile page:

    1. Go to the Service Provider Metadata section.


    2. Enter the value for the Assertion Consumer Service (ACS) URL. This is a well-defined Rancher URL, https://<Rancher API Host>/v1-saml/adfs/saml/acs, where the host is the location of your Rancher instance; for example, https://<rancher-IP>/v1-saml/adfs/saml/acs. The Rancher API Host can be found on the Rancher SAML configuration page. The ACS URL depends on the type of SAML auth provider you choose in Rancher.

    3. Enter the value for the Service Provider (SP) Entity ID. This is a well-defined Rancher URL, https://<Rancher API Host>/v1-saml/adfs/saml/metadata, where the host is the location of your Rancher instance. The Rancher API Host can be found on the Rancher SAML configuration page. Some Rancher SAML types let you define this in an Entity ID field. The Entity ID depends on the type of SAML auth provider you choose in Rancher.

    4. Uncheck SP signs SAML Requests.

    5. Click Download Certificate. This is the IdP public certificate that is uploaded to Rancher in the Rancher configuration below.

    6. Open the Advanced Configuration section.


    7. For the Identifier Type Email Address, choose mail for the Property.

    8. Create attributes that can be mapped to the required Rancher SAML configuration fields (Display Name, User Name, UID, Groups). The UID returned must map to the User ID in Rancher. To add these attributes, expand Advanced Configuration.

    9. Click Add for each attribute, giving an attribute name and the matching property in the SecurID configuration.

      For example:

      Attribute Name    Property
      displayName       givenName
      userName          email
      UID               email
      groupName         user

      Note: SecurID does not currently support returning groups. Set this attribute to a constant that maps to a group or role; it will be ignored on the Rancher side.

    10. Note/copy the Identity Provider Entity ID field. For example, https://rsa-securidtest-pe.securid.com/saml-fe/sso.

  5. Click Save and Finish.

  6. Browse to Authentication Clients > Relying Parties.

  7. Scroll down to your newly created relying party, click the down arrow next to Edit and choose View or Download IdP Metadata. Save the metadata file; it is uploaded to Rancher in the Rancher configuration below.


  8. Click Publish Changes. Your application is now enabled for SSO. If you make any additional changes to the application configuration, you will need to republish.


Configure SUSE Rancher

Perform these steps to configure SUSE Rancher as a Relying Party SAML SP to SecurID Access Cloud Authentication Service.

Procedure

  1. Log in to Rancher as a user that can be authenticated against SecurID. This user is validated as part of the SAML enablement process.

  2. Under Configuration select Users and Authentication.


  3. Click Auth Provider and select a SAML provider, for example ADFS. Rancher does not currently have a generic or SecurID-specific SAML provider, so the ADFS configuration is used to enable SecurID Access via SAML.


  4. Fill in the required attribute fields with the corresponding attribute names configured in SecurID Access above.

    For example:

    Field           Value
    Display Name    displayName
    User Name       userName
    UID             UID
    Groups          groupName

  5. For Private Key, upload your private key.

  6. For Certificate, upload the IdP public certificate file downloaded above.

  7. For Metadata XML, upload the saved IdP Metadata XML file.


  8. Click Enable.

  9. A pop-up opens to validate the SecurID Access configuration with a valid user. Once the login completes successfully, you are directed back to the Rancher Authentication Provider configuration page.

  10. Select the desired setting for who should be able to log in and use Rancher.

  11. Click Save.

  12. You can now log in to Rancher using the configured Authentication Provider.
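A pre-flight check for the two procedures above (the SecurID attribute mapping and the Rancher field names), added here as an example and not part of the guide or of either product: it parses a SAML IdP metadata document for the Entity ID and signing certificate, and checks a SAML assertion for the attribute names Rancher was configured with. The metadata, assertion, entity ID and certificate are constructed placeholders.

```python
# Added example (not the guide's code): pre-flight check of SecurID IdP
# metadata and of a SAML assertion against Rancher's configured attribute names.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names entered in step 4 of the Rancher procedure.
RANCHER_ATTRS = {"displayName", "userName", "UID", "groupName"}

# Constructed sample IdP metadata; entity ID and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml-fe/sso">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion carrying the SecurID attribute mapping above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userName"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="UID"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groupName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def idp_summary(metadata_xml: str) -> dict:
    """Extract the IdP Entity ID and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = root.findall(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "signing_certs": [c.text.strip() for c in certs]}

def check_assertion(assertion_xml: str) -> list:
    """Return problems found; an empty list means Rancher's attribute mapping is satisfied."""
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    problems = [f"missing attribute {n}" for n in sorted(RANCHER_ATTRS - set(attrs))]
    # UID is the value Rancher stores as the user ID; with the mapping above it
    # must equal the mail identifier in NameID or the user will not be matched.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if attrs.get("UID") and attrs["UID"][0] != name_id:
        problems.append("UID does not match NameID")
    return problems
```

Compare the returned entity_id with the Identity Provider Entity ID noted in SecurID step 10, and the signing certificate with the file downloaded in step 5, before clicking Enable in Rancher.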


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Relying Party configuration to your chosen use case.
