What information is stored from external Auth providers like Azure AD?

Article Number: 000021084

Environment

Rancher v2.x with an external auth provider configured

Situation

When using external auth providers, a frequently asked question is what information Rancher imports from the auth provider and where it stores it.

Resolution

Rancher imports the UUIDs of users and groups. 

A local user is created at first login and mapped to the external UUID.

In the Azure AD example below, the user object carries both the external and the local principal IDs:

Principal Ids:

 azuread_user://a913127f-02ec-4820-b5c8-7e240a4e63d0

 local://u-qmxsorn2uz

Further, that user's group membership is mapped in the userattributes object:

  Azuread:
    Principalid:
      azuread_user://6a5547cc-5e77-4187-8114-420a43fbda8a
.....
Group Principals:
  Azuread:
    Items:
      Display Name:  Rancher
      Member Of:     true
      Metadata:
        Creation Timestamp:  <nil>
        Name:                azuread_group://ac3dc906-cdf7-4357-997e-931e6b783a1c
      Principal Type:        group
      Provider:              azuread
      Display Name:          TestProject
      Member Of:             true
      Metadata:
        Creation Timestamp:  <nil>
        Name:                azuread_group://4c21bffd-c79e-4420-8070-a2609417842f
      Principal Type:        group
      Provider:              azuread
Finally, the group UUIDs are also used to map (global)rolebindings to the external groups:

Group Principal Name: azuread_group://4c21bffd-c79e-4420-8070-a2609417842f
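The three objects above (users, userattributes and global role bindings) are what an administrator cross-references when auditing who gets access through an Azure AD group. The following Python is an added example, not Rancher code: it works on constructed JSON that mirrors the field names of the management.cattle.io objects shown in this article (the UUIDs are taken from the article; the binding names and role names are made up), and shows how to resolve a local user to its external principal, list the local users recorded as members of a group principal, and compute the global roles a user holds directly or via a group-mapped binding.

```python
import json

# Constructed sample objects mirroring the kubectl describe output in this article.
# Field names follow Rancher's management.cattle.io CRDs; binding/role names are invented.
USERS = json.loads("""[
 {"metadata": {"name": "u-qmxsorn2uz"},
  "principalIds": ["azuread_user://a913127f-02ec-4820-b5c8-7e240a4e63d0",
                   "local://u-qmxsorn2uz"]}
]""")
USER_ATTRIBUTES = json.loads("""[
 {"metadata": {"name": "u-qmxsorn2uz"},
  "groupPrincipals": {"azuread": {"items": [
    {"metadata": {"name": "azuread_group://ac3dc906-cdf7-4357-997e-931e6b783a1c"},
     "displayName": "Rancher", "memberOf": true},
    {"metadata": {"name": "azuread_group://4c21bffd-c79e-4420-8070-a2609417842f"},
     "displayName": "TestProject", "memberOf": true}]}}}
]""")
GLOBAL_ROLE_BINDINGS = json.loads("""[
 {"metadata": {"name": "grb-example-1"}, "globalRoleName": "admin",
  "groupPrincipalName": "azuread_group://4c21bffd-c79e-4420-8070-a2609417842f"},
 {"metadata": {"name": "grb-example-2"}, "globalRoleName": "user",
  "userName": "u-qmxsorn2uz"}
]""")


def external_principal(user, provider="azuread"):
    """Return the external (non-local) principal ID mapped to a local Rancher user, or None."""
    for pid in user.get("principalIds", []):
        if pid.startswith(f"{provider}_user://"):
            return pid
    return None


def group_members(group_principal, user_attributes):
    """Local user names whose recorded group membership includes the given group principal."""
    return [ua["metadata"]["name"] for ua in user_attributes
            for prov in ua.get("groupPrincipals", {}).values()
            for item in prov.get("items", [])
            if item["metadata"]["name"] == group_principal]


def effective_global_roles(user_name, user_attributes, bindings):
    """Map global role name -> 'direct' or the group principal that grants it."""
    groups = {item["metadata"]["name"] for ua in user_attributes
              if ua["metadata"]["name"] == user_name
              for prov in ua.get("groupPrincipals", {}).values()
              for item in prov.get("items", [])}
    roles = {}
    for b in bindings:
        if b.get("userName") == user_name:
            roles[b["globalRoleName"]] = "direct"
        elif b.get("groupPrincipalName") in groups:
            roles[b["globalRoleName"]] = b["groupPrincipalName"]
    return roles
```

Against a live Rancher the same logic applies to the output of `kubectl get users,userattributes,globalrolebindings -o json` run against the Rancher local cluster.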