...
Numberedheadings | ||||||
---|---|---|---|---|---|---|
| ||||||
Configure enterprise and role bindingThe first time a SAML SSO login is successful, the Abiquo API will need to create a user in the platform. This user requires an enterprise and a role, so do these steps to configure enterprise and role binding.
Matching examples
Enable SAML authentication modeAbiquo integrates different authentication options and the default authentication mode is "abiquo", which is basic authentication for users stored in the Abiquo database. To enable SAML in Abiquo:
Configure login modules in the UITo enable users to log in with SAML, set the following UI configuration properties in client-config-custom.json. See
Configure SameSite flag of login cookieOptionally, on the Abiquo Server set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Configure the maximum authentication ageOn the Abiquo server set the abiquo.saml.authentication.maxage property to control the maximum time in seconds that users can use SAML single sign-on after their initial authentication with the IDP. The default value is 2073600 seconds, which is 24 days. Configure SAML identity providerTo enable Abiquo to identify and trust the SAML SSO Server (aka Identity Provider or IdP):
Configure the Abiquo API as a SAML service providerTo configure Abiquo to act as a SAML Service Provider (SP) that can sign and encrypt SAML requests:
Optionally generate the service provider metadataIf you do not have an SP metadata XML file, you can generate one using the Abiquo API.
The API SAML metadata path is always enabled but it returns "provided" or "generated" metadata, depending on the value of the metadata.mode property. This path is protected, so the property abiquo.saml.mode=multi allows the API to enable basic authentication and SAML SSO authentication. After you obtain the SP metadata, do these steps:
We also recommend that you do these additional steps
Provide the SP metadata to the service provider and the identity providerThe Abiquo API (SP) and the SAML IdP require the SP metadata XML file. To configure the SP metadata XML file for the Abiquo API:
Your environment is now ready to use SAML SSO, just start the API and open the user interface in the browser. Optionally configure custom login error messages for SAMLBy default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen. To display custom error messages, configure the redirect to add an error parameter. On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint to point to your UI server and add an error code as follows: Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json, you could create a label as follows: Optionally configure a SAML enterprise poolIf you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value. The login process will select the first matching enterprise from the pool. To configure this option, set the following property. Optionally add Add multiple identity providers for SAML |
...
Key | Description | Required | Role | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
abiquo.auth.module | Sets the authentication module to use in the Abiquo Platform. | Yes |
| ||||||||||||
abiquo.saml.authentication.maxage | New in Abiquo 6.0.0 Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP. | Required to start SAML |
| ||||||||||||
abiquo.saml.mode | Indicates the SAML mode to use.
| No |
| ||||||||||||
abiquo.saml.redirect.endpoint | URI redirect for a successful Abiquo login using SAML SSO. | Yes |
| ||||||||||||
abiquo.saml.redirect.error.endpoint | URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a queryparameter "?error" or a valid URI like the one from the example. | No |
| ||||||||||||
abiquo.saml.metadata.mode = provided | Indicates if the SP metadata is provided or must be generated by the API.
| No |
| ||||||||||||
abiquo.saml.metadata.serviceprovider.path | Indicates the location of the SP metadata to load. | Only if abiquo.saml.metadata.mode |
| ||||||||||||
abiquo.saml.metadata.identityprovider.path | Indicates the location of the IdP metadata to load. | Yes |
| ||||||||||||
abiquo.saml.metadata.generator.bindingSSO | If abiquo.saml.metadata.mode is set to generated, this property will indicate which binding must be allowed. | No |
| ||||||||||||
abiquo.saml.keys.keystore.path | Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. | Yes |
| ||||||||||||
abiquo.saml.keys.keystore.password | The password to unlock the Java keystore from location indicated by abiquo.saml.keys.keystore.path property. | Yes |
| ||||||||||||
abiquo.saml.keys.signing.alias | The alias of the key to use for signing SAML Requests | Yes |
| ||||||||||||
abiquo.saml.keys.signing.password | The password of the key to use for signing SAML Requests | Yes |
| ||||||||||||
abiquo.saml.keys.encryption.alias | The alias of the key to use for encryption of SAML Requests | Yes |
| ||||||||||||
abiquo.saml.keys.encryption.password | The password of the key to use for encryption of SAML Requests | Yes |
| ||||||||||||
abiquo.saml.keys.metadata.sign | Indicates if the SAML Requests must be signed. | No |
| ||||||||||||
abiquo.saml.binding | Indicates the binding profile to allow. | Yes |
| ||||||||||||
Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. | No |
| |||||||||||||
abiquo.saml.attributes.role.claim | Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. | Yes |
| ||||||||||||
abiquo.saml.attributes.enterprise.claims | Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. | Yes |
| ||||||||||||
abiquo.saml.attributes.user.firstname.claim | Indicates which attribute must be read to find the user name. | No |
| ||||||||||||
abiquo.saml.attributes.user.lastname.claim | Indicates which attribute must be read to find the user last name. | No |
| ||||||||||||
abiquo.saml.attributes.user.email.claim | Indicates which attribute must be read in order to find the user email. | No |
| ||||||||||||
abiquo.saml.login.allow.enterprise.pool | Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for "SAML" mode, not for "SAML + user" (multiple IDPs). | No |
| ||||||||||||
abiquo.saml.metadata.identityprovider.default.id | Sets the default SAML IdP | Yes |
| ||||||||||||
abiquo.saml.metadata.identityprovider.userdomain.map | For multiple IdPs, map the user domains to the IdPs | Yes, for multiple IdPs |
|
...