Abiquo provides an integration to log in the platform with SAML SSO using SAML 2.0. Please read ALL of this documentation before starting to configure your environment.
| Table of Contents |
|---|
...
| start-numbering-at | h2 |
|---|
Configure enterprise and role binding
The first time a SAML SSO login is successful, the Abiquo API will need to create a user in the platform. This user requires an enterprise and a role, so do these steps to configure enterprise and role binding.
In Abiquo create enterprises with Names or enterprise propertyKeys that will match the values of SAML attributes.
On the Abiquo Server, set the
abiquo.saml.attributes.enterprise.claimsproperty to specify the SAML attributes to match. Abiquo will get the values of these attributes and search for an enterprise name or enterprise property with this key to match the SAML values.In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.
On the Abiquo Server, set the
abiquo.saml.attributes.role.claimproperty to specify the SAML attribute to match the roles
Matching examples
abiquo.saml.attributes.enterprise.claims = examplethe API will get the value of the attribute
...
example
...
from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with a property key called "example" that has a property value that matches the SAML Response value.
abiquo.saml.attributes.enterprise.claims = organization,acc_id:accountthe API will get the value of the attributes
organizationandacc_id. It will try to find an enterprise with a name that matches one of these values. If it can't find an enterprise, it will search by properties, and return the enterprise that has the property organization with the value from the SAML Response and the property account with the value from the SAML Response.
...
Enable SAML authentication mode
Abiquo integrates different authentication options and the default authentication mode is
...
abiquo
...
, which is basic authentication for users stored in the Abiquo database.
To enable SAML in Abiquo:
On the Abiquo Server, set the
abiquo.auth.moduleproperty to a value of
...
saml
...
.
Before you start the Abiquo API again, complete the configuration in the follow sections to ensure that Abiquo API will start successfully.
...
Configure login modules in the UI
To enable users to log in with SAML, set the following UI configuration properties in client-config-custom.json. See Configure Abiquo UI for more details.
Property | Description |
|---|---|
client.login.modules | Configure Abiquo modules to log in with Basic Auth (default), Open ID, SAML, or SAML + user. |
client.skip.login.view | By default, when in OpenID or SAML mode, Abiquo shows an initial screen with a link to the Authentication portal. |
...
Configure SameSite flag of login cookie
Optionally, on the Abiquo Server set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Abiquo configuration properties#samesite
...
Configure the maximum authentication age
On the Abiquo server set the abiquo.saml.authentication.maxage property to control the maximum time in seconds that users can use SAML single sign-on after their initial authentication with the IDP. The default value is 2073600 seconds, which is 24 days.
...
Configure SAML identity provider
To enable Abiquo to identify and trust the SAML SSO Server (aka Identity Provider or IdP):
Get the IdP metadata and save it on the Abiquo Server
On the Abiquo Server, set the following property pointing to this file:
abiquo.saml.metadata.identityprovider.path=/opt/abiquo/config/saml/identityprovider_metadata.xmlOn the Abiquo Server, you must set the default IdP with the following property:
abiquo.saml.metadata.identityprovider.default.id
If you do not add this property, the Abiquo API will not start
...
Configure the Abiquo API as a SAML service provider
To configure Abiquo to act as a SAML Service Provider (SP) that can sign and encrypt SAML requests:
Create a dedicated keystore with the keys that Abiquo will need for signing and encrypting.
Configure the details of the keystore in Abiquo with the following properties:
abiquo.saml.keys.keystore.path=/op/abiquo/config/saml/saml_keystore.jksabiquo.saml.keys.keystore.password=the_keystore_passwordabiquo.saml.keys.metadata.sign=trueabiquo.saml.keys.signing.alias=alias_for_signing_keyabiquo.saml.keys.signing.password=password_for_signing_keyabiquo.saml.keys.encryption.alias=alias_for_encryption_keyabiquo.saml.keys.encryption.password=password_for_encryption_key
To configure the type of binding that the API will offer for the IdP, set the following property:
abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
We recommend that you use the same binding type as the IdP.
To configure the browser redirect to the Abiquo environment after a successful login, set the following property:
abiquo.saml.redirect.endpoint=https://<your-environment>/ui
...
Optionally, generate the service provider metadata
If you do not have an SP metadata XML file, you can generate one using the Abiquo API.
Configure the SP properties as described in the above steps.
On the Abiquo Server, set the following properties with these values
abiquo.saml.metadata.mode=generatedabiquo.saml.metadata.serviceprovider.path=# can be left empty because it is not usedabiquo.saml.mode=multi
Start the Abiquo API
Log in as an administrator user (with
...
the
PHYS_DC_MANAGEprivilege)Perform an authenticated request to the path
/api/saml/metadataSave the metadata response in a file
| Tip |
|---|
The API SAML metadata path is always enabled but it returns "
or "
metadata, depending on the value of the This path is protected, so the property |
After you obtain the SP metadata, do these steps:
Add the metadata XML file to the IdP
Provide the SP metadata to the Abiquo API as described below
We also recommend that you do these additional steps
Disable basic authentication. To do this, set the
abiquo.saml.modeproperty tosingle(or just delete it becausesingleis the default value).Configure the API to use the
...
provided
...
metadata file and stop the API from generating metadata each time you restart it. To do this, set the
abiquo.saml.metadata.
...
mode propertyto
...
provided
...
...
Provide the SP metadata to the service provider and the identity provider
The Abiquo API (SP) and the SAML IdP require the SP metadata XML file. To configure the SP metadata XML file for the Abiquo API:
Save the SP metadata XML file on the Abiquo Server
Add the following properties:
abiquo.saml.metadata.serviceprovider.path=/opt/abiquo/config/saml/serviceprovider_metadata.xmlabiquo.saml.metadata.mode=provided
Your environment is now ready to use SAML SSO, just start the API and open the user interface in the browser.
...
Optionally configure custom login error messages for SAML
By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.
To display custom error messages, configure the redirect to add an error parameter.
On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint to point to your UI server and add an error code as follows:
| Code Block |
|---|
abiquo.saml.redirect.error.endpoint = https://your.env.com/ui/?error=ERROR_CODE |
Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json, you could create a label as follows:
| Code Block |
|---|
"login.error.SAMLERROR2": "Login failed!", |
...
Optionally configure a SAML enterprise pool
If you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value.
The login process will select the first matching enterprise from the pool.
To configure this option, set the following property.
| Code Block |
|---|
abiquo.saml.login.allow.enterprise.pool = true |
...
Add multiple identity providers for SAML
| Include Page | ||||
|---|---|---|---|---|
|
Table of Abiquo configuration properties for SAML
Key | Description | Required | Role | |||||
|---|---|---|---|---|---|---|---|---|
abiquo.auth.module | Sets the authentication module to use in the Abiquo Platform. | Yes |
|
| ||||||||
| New in Abiquo 6.0.0 Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP. | Required to start SAML |
|
| ||||||||
abiquo.saml.mode | Indicates the SAML mode to use.
| No |
|
| ||||||||
abiquo.saml.redirect.endpoint | URI redirect for a successful Abiquo login using SAML SSO. | Yes |
|
| ||||||||
abiquo.saml.redirect.error.endpoint | URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a queryparameter "?error" or a valid URI like the one from the example. | No |
|
| ||||||||
abiquo.saml.metadata.mode = provided | Indicates if the SP metadata is provided or must be generated by the API.
| No |
|
| ||||||||
abiquo.saml.metadata.serviceprovider.path | Indicates the location of the SP metadata to load. | Only if abiquo.saml.metadata.mode |
|
| ||||||||
abiquo.saml.metadata.identityprovider.path | Indicates the location of the IdP metadata to load. | Yes |
|
| ||||||||
abiquo.saml.metadata.generator.bindingSSO | If abiquo.saml.metadata.mode is set to generated, this property will indicate which binding must be allowed. | No |
|
| ||||||||
abiquo.saml.keys.keystore.path | Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. | Yes |
|
| ||||||||
abiquo.saml.keys.keystore.password | The password to unlock the Java keystore from location indicated by abiquo.saml.keys.keystore.path property. | Yes |
|
| ||||||||
abiquo.saml.keys.signing.alias | The alias of the key to use for signing SAML Requests | Yes |
|
| ||||||||
abiquo.saml.keys.signing.password | The password of the key to use for signing SAML Requests | Yes |
|
| ||||||||
abiquo.saml.keys.encryption.alias | The alias of the key to use for encryption of SAML Requests | Yes |
|
| ||||||||
abiquo.saml.keys.encryption.password | The password of the key to use for encryption of SAML Requests | Yes |
|
| ||||||||
abiquo.saml.keys.metadata.sign | Indicates if the SAML Requests must be signed. | No |
|
| |||||||||
abiquo.saml.binding | Indicates the binding profile to allow. | Yes |
| ||||||
Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. | No |
| |||||||
abiquo.saml.attributes.role.claim | Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. | Yes |
| ||||||
abiquo.saml.attributes.enterprise.claims | Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. | Yes |
| ||||||
abiquo.saml.attributes.user.firstname.claim | Indicates which attribute must be read to find the user name. | No |
| ||||||
abiquo.saml.attributes.user.lastname.claim | Indicates which attribute must be read to find the user last name. | No |
| ||||||
abiquo.saml.attributes.user.email.claim | Indicates which attribute must be read in order to find the user email. | No |
| ||||||
abiquo.saml.login.allow.enterprise.pool | Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for "SAML" mode, not for "SAML + user" (multiple IDPs). | No |
| ||||||
abiquo.saml.metadata.identityprovider.default.id | Sets the default SAML IdP | Yes |
| ||||||
abiquo.saml.metadata.identityprovider.userdomain.map | For multiple IdPs, map the user domains to the IdPs | Yes, for multiple IdPs |
|