
Abiquo provides an integration to log in to the platform with SAML SSO using SAML 2.0.

Please read ALL of this documentation before you start to configure your environment.

Configure enterprise and role binding

The first time a SAML SSO login is successful, the Abiquo API will need to create a user in the platform. This user requires an enterprise and a role, so do these steps to configure enterprise and role binding.

  1. In Abiquo, create enterprises with names or enterprise property keys that will match the values of SAML attributes.

  2. On the Abiquo Server, set the abiquo.saml.attributes.enterprise.claims property to specify the SAML attributes to match. Abiquo will get the values of these attributes and search for an enterprise name or enterprise property with this key to match the SAML values.

  3. In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.

  4. On the Abiquo Server, set the abiquo.saml.attributes.role.claim property to specify the SAML attribute to match the roles.
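The following is an added example, not Abiquo's own code: a small model of the binding rules described in the four steps above, so that you can reason about what happens on a user's first SAML login. It assumes the IdP attribute names (department, company, memberOf), the enterprise and role objects, and the fail-closed handling of ambiguous matches; Abiquo's real behaviour in the ambiguous cases is not stated on this page. The reading that an enterprise property key (not its value) is compared with the SAML value is this model's interpretation of step 2.

```python
"""Constructed model of the enterprise and role binding Abiquo applies on a
user's first SAML login. Added illustration, not Abiquo's own code."""
from dataclasses import dataclass, field


@dataclass
class Enterprise:
    name: str
    properties: dict = field(default_factory=dict)  # propertyKey -> value


@dataclass
class Role:
    name: str
    external_roles: frozenset = frozenset()  # the role's "External roles" values


class BindingError(Exception):
    """The assertion could not be bound to exactly one enterprise and one role."""


def index_external_roles(roles):
    """Map each external role to its Abiquo role; an external role bound to two
    Abiquo roles violates the documented constraint and is rejected."""
    index = {}
    for role in roles:
        for ext in role.external_roles:
            if ext in index and index[ext].name != role.name:
                raise BindingError(
                    f"external role {ext!r} is bound to both "
                    f"{index[ext].name} and {role.name}")
            index[ext] = role
    return index


def resolve_enterprise(attributes, enterprise_claims, enterprises):
    """Values of the enterprise claims are compared with enterprise names and
    with enterprise property keys (this model's reading of the docs)."""
    wanted = {v for claim in enterprise_claims for v in attributes.get(claim, [])}
    matches = [e for e in enterprises
               if e.name in wanted or wanted.intersection(e.properties)]
    if not matches:
        raise BindingError(f"no enterprise matches claim values {sorted(wanted)}")
    if len(matches) > 1:
        raise BindingError("claim values match several enterprises: "
                           + ", ".join(e.name for e in matches))
    return matches[0]


def resolve_role(attributes, role_claim, roles):
    """Match the role claim values against external roles; reject ambiguity
    (failing closed is this model's choice, the docs state no precedence)."""
    index = index_external_roles(roles)
    matched = {}
    for value in attributes.get(role_claim, []):
        if value in index:
            matched[index[value].name] = index[value]
    if not matched:
        raise BindingError(f"no Abiquo role for {attributes.get(role_claim, [])}")
    if len(matched) > 1:
        raise BindingError("claim values map to several roles: " + ", ".join(matched))
    return next(iter(matched.values()))


def bind_first_login(attributes, config, enterprises, roles):
    """Return (enterprise name, role name) for the user created on first login."""
    ent = resolve_enterprise(
        attributes, config["abiquo.saml.attributes.enterprise.claims"], enterprises)
    role = resolve_role(attributes, config["abiquo.saml.attributes.role.claim"], roles)
    return ent.name, role.name


# Constructed sample data: hypothetical IdP attribute names and Abiquo objects.
CONFIG = {
    "abiquo.saml.attributes.enterprise.claims": ["department", "company"],
    "abiquo.saml.attributes.role.claim": "memberOf",
}
ENTERPRISES = [Enterprise("Finance"), Enterprise("Engineering", {"eng-dept": "true"})]
ROLES = [Role("CLOUD_ADMIN", frozenset({"CN=CloudAdmins"})),
         Role("USER", frozenset({"CN=Staff", "CN=Contractors"}))]

if __name__ == "__main__":
    print(bind_first_login({"department": ["Finance"], "memberOf": ["CN=CloudAdmins"]},
                           CONFIG, ENTERPRISES, ROLES))
```

The useful check for an operator is index_external_roles: run it over your planned role set before go-live, because an external role listed on two Abiquo roles is exactly the configuration the page tells you to avoid.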

...

  1. Create a dedicated keystore with the keys that Abiquo will need for signing and encrypting.

  2. Configure the details of the keystore in Abiquo with the following properties:

    1. abiquo.saml.keys.keystore.path=/op/abiquo/config/saml/saml_keystore.jks

    2. abiquo.saml.keys.keystore.password=the_keystore_password

    3. abiquo.saml.keys.metadata.sign=true

    4. abiquo.saml.keys.signing.alias=alias_for_signing_key

    5. abiquo.saml.keys.signing.password=password_for_signing_key

    6. abiquo.saml.keys.encryption.alias=alias_for_encryption_key

    7. abiquo.saml.keys.encryption.password=password_for_encryption_key

  3. To configure the type of binding that the API will offer for the IdP, set the following property:

    1. abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    We recommend that you use the same binding type as the IdP.

  4. To configure the browser redirect to the Abiquo environment after a successful login, set the following property: 

    1. abiquo.saml.redirect.endpoint=https://<your-environment>/ui
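As an added example (not Abiquo code), here is a pre-flight check for the abiquo.saml.* key, binding and redirect properties listed in the steps above. It assumes the properties are stored as key=value lines in Java .properties style, which is how they appear on this page; the HTTP-POST binding URN comes from the SAML 2.0 bindings specification, not from this page, and the path_exists parameter is an injection point added so the check can run without the real keystore.

```python
"""Added example, not Abiquo code: sanity-check the abiquo.saml.* key and
binding properties before starting the API."""
import os
import re

# Binding URNs from the SAML 2.0 bindings spec; the docs show HTTP-Redirect.
KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
REQUIRED = [
    "abiquo.saml.keys.keystore.path", "abiquo.saml.keys.keystore.password",
    "abiquo.saml.keys.metadata.sign", "abiquo.saml.keys.signing.alias",
    "abiquo.saml.keys.signing.password", "abiquo.saml.keys.encryption.alias",
    "abiquo.saml.keys.encryption.password", "abiquo.saml.binding",
    "abiquo.saml.redirect.endpoint",
]
# The placeholder values used in the documentation steps.
PLACEHOLDER = re.compile(r"^(the_|password_for_|alias_for_)|<your-environment>")


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_saml_properties(props, path_exists=os.path.isfile):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing: {key}")
    for key, value in props.items():
        if key.startswith("abiquo.saml.") and PLACEHOLDER.search(value):
            findings.append(f"placeholder value still present: {key}")
    keystore = props.get("abiquo.saml.keys.keystore.path")
    if keystore and not path_exists(keystore):
        findings.append(f"keystore not found: {keystore}")
    if props.get("abiquo.saml.keys.metadata.sign", "").lower() != "true":
        findings.append("metadata signing is disabled: set abiquo.saml.keys.metadata.sign=true")
    binding = props.get("abiquo.saml.binding")
    if binding and binding not in KNOWN_BINDINGS:
        findings.append(f"unknown binding URN: {binding}")
    redirect = props.get("abiquo.saml.redirect.endpoint", "")
    if redirect and not redirect.startswith("https://"):
        findings.append("redirect endpoint should use https")
    return findings


# Constructed sample: a filled-in configuration (values are examples only).
SAMPLE_GOOD = """
# constructed example
abiquo.saml.keys.keystore.path=/op/abiquo/config/saml/saml_keystore.jks
abiquo.saml.keys.keystore.password=example-keystore-pass
abiquo.saml.keys.metadata.sign=true
abiquo.saml.keys.signing.alias=sp-signing
abiquo.saml.keys.signing.password=example-signing-pass
abiquo.saml.keys.encryption.alias=sp-encryption
abiquo.saml.keys.encryption.password=example-encryption-pass
abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.redirect.endpoint=https://cloud.example.com/ui
"""

# Constructed sample: the documentation placeholders pasted in unchanged,
# signing switched off and a plain-http redirect.
SAMPLE_BAD = """
abiquo.saml.keys.keystore.path=/op/abiquo/config/saml/saml_keystore.jks
abiquo.saml.keys.keystore.password=the_keystore_password
abiquo.saml.keys.metadata.sign=false
abiquo.saml.keys.signing.alias=alias_for_signing_key
abiquo.saml.keys.signing.password=password_for_signing_key
abiquo.saml.keys.encryption.alias=alias_for_encryption_key
abiquo.saml.keys.encryption.password=password_for_encryption_key
abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.redirect.endpoint=http://<your-environment>/ui
"""

if __name__ == "__main__":
    for finding in check_saml_properties(parse_properties(SAMPLE_BAD)):
        print(finding)
```

Run it against your real abiquo.properties by reading the file into parse_properties and leaving path_exists at its default; the keystore path is then checked on disk, so the check catches the common case of the properties being set on the API host while the keystore was created somewhere else.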

...

...

Generate the service provider metadata

If you do not have an SP metadata XML file, you can generate one using the Abiquo API.

...

Your environment is now ready to use SAML SSO. Start the API and open the user interface in the browser.

...

...

Configure custom login error messages for SAML

By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.

Optionally, to display custom error messages, configure the redirect to add an error parameter.

...

  "login.error.SAMLERROR2": "Login failed!",

...

...

Configure a SAML enterprise pool

Optionally, if you will only be using a single identity provider, you can enable users to log in to an enterprise pool, which is a set of enterprises with the same enterprise claim value.

...