When you add a default IdP and multiple identity providers (IdPs) for SAML, the platform generates the appropriate security beans configuration from your Abiquo properties.

However, a future platform update may also change the security beans files.

After such an upgrade, you will need to restore the security beans for the additional IdPs, as described below.

Upgrade steps for SAML with default and multiple IdPs

To incorporate any changes when you upgrade Abiquo, do these steps:

  1. Before the upgrade, go to your SAML configuration directory:

    Code Block
    /opt/abiquo/tomcat/webapps/api/WEB-INF/classes/springresources/security/saml

    and back up the following security beans files:

    1. security-saml-generated-beans.xml
    2. security-saml-provided-beans.xml
  2. After the upgrade, check this directory for new versions of these files with the extension ".rpmnew". The package manager installs the updated file under that name instead of overwriting a file that you have edited.
  3. Move the old files aside and rename the new files to the original file names.
  4. Edit the new files and make the changes described below, using your backups as a reference for the IdP beans you added previously.

SAML security beans and default IDP configuration

To add the SAML security beans for your IdPs and set the defaultIDP property on the metadata bean, edit the files as follows:

...

  1. Create the defaultIDP property in the metadata bean, after the constructor-arg element:

    Code Block
    <property name="defaultIDP" value="${abiquo.saml.metadata.identityprovider.default.id}"/>


  2. Add a reference for each IdP to the list in the constructor argument, keeping the existing spMetadataDelegate reference. Each IdP is identified by its position in the comma-separated path list in abiquo.properties, and positions start at 0. For example, here we added a reference to the bean "ipdMetadataDelegate2" for the second IdP:

    Code Block
            <constructor-arg>
                <list>
                    <ref bean="ipdMetadataDelegate"/>
                    <ref bean="ipdMetadataDelegate2"/>
                </list>
            </constructor-arg>


  3. Copy the first IdP bean and modify the copy to create a second bean:

    1. Change the bean ID to match the IdP reference that you added to the list above:

      Code Block
       <bean id="ipdMetadataDelegate2" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">

    2. In the FilesystemResource constructor argument, select this IdP's metadata path from the comma-separated list in abiquo.properties by its zero-based index. For the second IdP in our example, use index 1:

      Code Block
                <bean class="org.opensaml.util.resource.FilesystemResource">
                  <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[1]}" />
                </bean>
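The following is an added example, not a file from the Abiquo documentation or product, showing what the metadata bean and the IdP delegate beans look like once the three steps above have been applied for two IdPs. It references the spMetadataDelegate and parserPool beans that the generated file already defines, and assumes that abiquo.properties contains a comma-separated identityprovider.path with two entries and a default.id equal to the entityID of one of those IdPs; the property values in the comment are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: "metadata" bean and IdP delegate beans after the edits for two IdPs.
     Assumed abiquo.properties values (hypothetical paths and entityID):
       abiquo.saml.metadata.identityprovider.path=/opt/abiquo/saml/idp-corp.xml,/opt/abiquo/saml/idp-partner.xml
       abiquo.saml.metadata.identityprovider.default.id=https://idp-corp.example.com/saml/metadata
     The default ID must be the entityID of one of the IdPs whose metadata is listed, and the
     list index used in each delegate bean must match the position of that IdP's file in the
     comma-separated path (positions start at 0). -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <!-- SP (Abiquo) metadata: bean defined in the generated file, unchanged -->
                <ref bean="spMetadataDelegate"/>
                <!-- One reference per IdP, in the same order as the path list -->
                <ref bean="ipdMetadataDelegate"/>
                <ref bean="ipdMetadataDelegate2"/>
            </list>
        </constructor-arg>
        <!-- Step 1: the property sits after the constructor-arg and names the IdP used by default -->
        <property name="defaultIDP" value="${abiquo.saml.metadata.identityprovider.default.id}"/>
    </bean>

    <!-- First IdP: index 0 in the comma-separated path list (the bean the generated file creates) -->
    <bean id="ipdMetadataDelegate" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[0]}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
    </bean>

    <!-- Step 3: copy of the first IdP bean with a new id and index 1 -->
    <bean id="ipdMetadataDelegate2" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[1]}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
    </bean>

</beans>
```

Two checks are worth making before restarting Tomcat. First, the SpEL expression splits the property value on commas, so none of the metadata file paths may contain a comma, and the index in each delegate bean must point at the file you intend; a swapped index silently loads the wrong IdP. Second, a defaultIDP value that does not match the entityID of any loaded IdP metadata will fail at login time rather than at startup, so confirm it against the entityID attribute of the metadata file you chose as default.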


Example of IdP metadata from Abiquo 5.2.1

This example is a guide to the initial configuration that Abiquo creates when you first configure SAML. It shows the SP metadata and a single IdP.
(warning) Remember that you must work from the file that the upgrade installed on your system. Do not copy this example file!

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">


    <!-- IdP and SP metadata definition -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <ref bean="spMetadataDelegate"/>
                <ref bean="ipdMetadataDelegate"/>
            </list>
        </constructor-arg>

        <property name="defaultIDP" value="${abiquo.saml.metadata.identityprovider.default.id}"/>
    </bean>

    <!-- Service provider (Abiquo) metadata -->
    <bean id="spMetadataDelegate" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="${abiquo.saml.metadata.serviceprovider.path}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/>
                <property name="securityProfile" value="metaiop"/>
                <property name="sslSecurityProfile" value="pkix"/>
                <property name="signMetadata" value="${abiquo.saml.keys.metadata.sign:false}"/>
                <property name="signingKey" value="${abiquo.saml.keys.signing.alias}"/>
                <property name="encryptionKey" value="${abiquo.saml.keys.encryption.alias}"/>
                <property name="requireArtifactResolveSigned" value="false"/>
                <property name="requireLogoutRequestSigned" value="false"/>
                <property name="requireLogoutResponseSigned" value="false"/>
            </bean>
        </constructor-arg>
    </bean>

    <!-- Identity provider metadata: first path (index 0) in the comma-separated list -->
    <bean id="ipdMetadataDelegate" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[0]}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
    </bean>


</beans>