Suse-Rancher-integration-configuration-sso-agent-saml
Originally Published: 2021-10-28

SUSE Rancher v2.6.1 - SAML SSO Agent Configuration - SecurID Access Implementation Guide

This section describes how to integrate SecurID Access with SUSE Rancher using a SAML SSO Agent.

Architecture Diagram

[Architecture diagram: image not reproduced]

Configure SecurID Access Cloud Authentication Service

Perform these steps to configure the SecurID Access Cloud Authentication Service (CAS) as an SSO Agent SAML IdP for SUSE Rancher.

Procedure

  1. Sign into the SecurID Access Cloud Administration Console and browse to Applications > Application Catalog.

  2. Click on Create From Template then click Select for SAML Direct.

  3. On the Basic Information page enter a Name for the application, e.g. Rancher. Then click on Next Step.

  4. On the Connection Profile page:

    a. Choose SP-Initiated.

    b. In Connection URL enter the Rancher Service Provider (SP) Entity ID from step k below. For example, https://<Rancher API Host>/v1-saml/adfs/saml/metadata.

    c. For Binding Method for SAML Request select Redirect.

    d. Note the Identity Provider URL and Issuer Entity ID. These values are automatically generated and may be needed later when configuring Rancher.

    e. Click on Generate Cert Bundle, set a common name for your company certificate, then click Generate and Download.

    f. Select Choose File and upload the private key from the generated certificate bundle.

    g. Select Choose File and upload the cert.pem from the generated certificate bundle. This is the IdP public certificate.

    h. Select Include Certificate on Outgoing Assertion.

    i. Scroll down to the Service Provider section.

    j. For the Assertion Consumer Service (ACS) enter the Assertion Consumer Service (ACS) URL. This is a well-defined Rancher URL, https://<Rancher API Host>/v1-saml/adfs/saml/acs, where the host is the location of your Rancher instance. For example, https://<rancher-IP>/v1-saml/adfs/saml/acs. The Rancher API Host can be found on the Rancher SAML configuration page. The ACS URL depends on the type of SAML auth provider you choose.

    k. For the Audience (Service Provider Issuer ID) enter the Service Provider (SP) Entity ID. This is a well-defined Rancher URL, https://<Rancher API Host>/v1-saml/adfs/saml/metadata, where the host is the location of your Rancher instance. The Rancher API Host can be found on the Rancher SAML configuration page. Some Rancher SAML types let you define this in an Entity ID field. The Entity ID depends on the type of SAML auth provider you choose.

    l. Scroll down to the User Identity section.

    m. Ensure Identifier Type = Email Address, set your Identity Source, and set Property = mail.

    n. Create attributes that can be mapped to the required Rancher SAML configuration fields (Display Name, User Name, UID, Groups). The UID returned must map to the User ID in Rancher. To add these attributes, expand Advanced Configuration.

    o. Click Add for each attribute, giving an attribute name and the property that matches it in the SecurID configuration.

      For example:

      Attribute Name    Property
      displayName       givenName
      userName          email
      UID               email
      groupName         user

      Note: SecurID Access does not currently support returning groups. Set this attribute to a constant that maps to a group or role; it will be ignored on the Rancher side.

    p. Click Next Step.

  5. On the User Access page select the Access Policy you require. Allow All Authenticated Users is the least restrictive. Click Next Step.

  6. On the Portal Display page:

    1. Select Display in Portal.

    2. Upload an Application Icon if you wish.

    3. Set an Application Tooltip if you wish.

    4. Click on Save and Finish.

  7. For this new connector, click on the down arrow next to the Edit button and choose Export Metadata to save the IdP metadata for the SUSE Rancher configuration.

  8. Click on Publish Changes. Your application is now enabled for SSO. If you make any additional changes to the application configuration you will need to republish.


Configure SUSE Rancher

Perform these steps to configure SUSE Rancher as an SSO Agent SAML SP to the SecurID Access Cloud Authentication Service.

Procedure

  1. Log in to Rancher as a user that can be authenticated against SecurID. This user is validated as part of the SAML enablement process.

  2. Under Configuration select Users and Authentication.


  3. Click on Auth Provider and then select a SAML provider. For example, select ADFS. Rancher does not currently have a generic or SecurID-specific SAML provider, so this guide uses the ADFS configuration to enable SecurID Access via SAML.


  4. Fill in the required attribute fields with the corresponding attribute names configured in SecurID Access above.

    For example:

    Rancher Field    SecurID Attribute Name
    Display Name     displayName
    User Name        userName
    UID              UID
    Groups           groupName

  5. For Private Key, upload your given private key.

  6. For Certificate, upload the IdP public certificate file downloaded above.

  7. For Metadata XML, upload the saved IdP Metadata XML file.


  8. Click Enable.

  9. A pop-up opens to validate the SecurID Access configuration with a valid user. Once the login completes successfully you are returned to the Rancher Authentication Provider configuration page.

  10. Select the desired setting for who should be able to login and use Rancher.

  11. Click on Save.

  12. You can now log in to Rancher using the configured Authentication Provider, for example Log in with ADFS.

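As an added pre-flight check, not part of the SecurID Access or Rancher products: this Python script parses a constructed sample SAML assertion and verifies that the attribute mapping configured in the SecurID step above (displayName, userName, UID, groupName) satisfies every field the Rancher ADFS provider requires, and that UID carries the same email the IdP asserted as NameID. The attribute and field names are those used in this guide; the issuer, user and assertion content are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Rancher ADFS-provider field -> SecurID Access attribute name, as mapped in the guide.
RANCHER_FIELD_MAP = {
    "Display Name": "displayName",
    "User Name": "userName",
    "UID": "UID",
    "Groups": "groupName",
}

# Constructed sample assertion (no signature) carrying exactly the attributes the guide maps.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/constructed-issuer</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userName"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UID"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groupName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_rancher_mapping(assertion_xml, field_map=RANCHER_FIELD_MAP):
    """Return a list of problems; an empty list means every Rancher field is satisfied."""
    root = ET.fromstring(assertion_xml)
    attrs = extract_attributes(assertion_xml)
    problems = []
    for field, attr_name in field_map.items():
        values = attrs.get(attr_name, [])
        if not values or not values[0]:
            problems.append(f"Rancher field '{field}' needs attribute '{attr_name}', which is missing or empty")
    # The guide sets Identifier Type = Email Address and maps UID to email, so the UID
    # attribute should carry the same value as the asserted NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    uid = attrs.get(field_map["UID"], [None])[0]
    if name_id is not None and uid != name_id.text:
        problems.append(f"UID attribute {uid!r} does not match the NameID {name_id.text!r}")
    return problems
```

Call check_rancher_mapping() on an assertion captured from a browser's SAML trace (decoded from the POST to the /v1-saml/adfs/saml/acs URL) to confirm the mapping before enabling the provider; an empty list means Rancher receives every field it needs.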

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.
