Abiquo provides an
Info: This document describes how to configure the SAML integration to log in to the platform with SAML SSO using SAML 2.0. [...] all of this documentation before you start to configure your environment.
...
Configure enterprise and role binding
The first time a user logs in successfully with SAML SSO, the Abiquo API creates the user's account in the platform. Before the user can log in, the administrator must create an Abiquo enterprise and a role for the user and define their SAML attributes. The API can then read the user's SAML attributes, select the correct enterprise and role, and assign them to the user. This is called enterprise and role binding.
...
In Abiquo create enterprises with Names or enterprise property Keys that will match the values of SAML attributes.
...
Here are some examples of how Abiquo can match SAML attributes for enterprises with the abiquo.saml.attributes.enterprise.claims property (see Matching examples below).
...
In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.
...
On the Abiquo Server, set the abiquo.saml.attributes.role.claim property to specify the SAML attribute to match the roles.
Matching examples
abiquo.saml.attributes.enterprise.claims = example
The API will get the value of the "example" attribute from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with an enterprise property key called "example" that has a property value matching the value of the "example" attribute in the SAML Response.
abiquo.saml.attributes.enterprise.claims = organization,acc_id:account
The API will get the values of the "organization" and "acc_id" attributes from the SAML Response. It will try to find an Abiquo enterprise with a name that matches one of these values. If it can't find an enterprise, it will search the enterprise properties and return the enterprise that has the "organization" property with the value from the SAML Response and the "acc_id" property with the value of "account" from the SAML Response.
To configure the enterprise and role binding do these steps:
1. In Abiquo create enterprises for your users and assign Names or enterprise property Keys that will match the values of SAML attributes.
2. On the Abiquo Server, set the abiquo.saml.attributes.enterprise.claims property to specify the SAML attributes to match. Abiquo will get the values of these attributes and search for an enterprise name or enterprise property with this key to match the SAML values.
3. In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.
4. On the Abiquo Server, set the abiquo.saml.attributes.role.claim property to specify the SAML attribute to match the roles.
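The enterprise and role binding rules described above, worked through in code. This is an added example and not Abiquo's own implementation: the Enterprise, Role and BindingError types, the sample enterprises and roles, and the reading of a key:attribute claim as an enterprise property key paired with a SAML attribute name (the acc_id:account case) are assumptions made here for illustration. It also goes a little beyond the page by failing closed when more than one enterprise or more than one role matches, which the page only addresses through the enterprise pool setting.

```python
"""Added illustration of the documented SAML enterprise and role binding.
Not Abiquo code: it models abiquo.saml.attributes.enterprise.claims,
abiquo.saml.attributes.role.claim and abiquo.saml.login.allow.enterprise.pool
over in-memory data so a property value can be reasoned about before deploying.
Hypothetical assumptions: "key:attr" means enterprise property key "key" matched
against SAML attribute "attr"; values compare exactly; no unique match fails closed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SamlAttributes = Dict[str, List[str]]  # SAML attributes are multi-valued


@dataclass
class Enterprise:
    name: str
    properties: Dict[str, str] = field(default_factory=dict)  # property key -> value


@dataclass
class Role:
    name: str
    external_roles: List[str] = field(default_factory=list)  # the "External roles" field


class BindingError(Exception):
    """No unique enterprise or role could be derived from the SAML Response."""


def parse_enterprise_claims(value: str) -> List[Tuple[str, str]]:
    """'organization,acc_id:account' -> [('organization','organization'), ('acc_id','account')]."""
    pairs = []
    for raw in value.split(","):
        claim = raw.strip()
        if claim:
            key, sep, attr = claim.partition(":")
            pairs.append((key.strip(), attr.strip() if sep else key.strip()))
    return pairs


def bind_enterprise(claims: str, attrs: SamlAttributes,
                    enterprises: List[Enterprise], allow_pool: bool = False) -> Enterprise:
    wanted: Dict[str, str] = {}  # enterprise property key -> value taken from the SAML Response
    for key, attr in parse_enterprise_claims(claims):
        values = attrs.get(attr, [])
        if len(values) != 1:  # fail closed on a missing or multi-valued attribute
            raise BindingError(f"SAML attribute {attr!r} must carry exactly one value, got {values}")
        wanted[key] = values[0]
    # Documented step 1: an enterprise whose Name equals one of the SAML values.
    matches = [e for e in enterprises if e.name in wanted.values()]
    # Documented step 2: otherwise every configured property key must hold the SAML value.
    if not matches and wanted:
        matches = [e for e in enterprises
                   if all(e.properties.get(k) == v for k, v in wanted.items())]
    if not matches:
        raise BindingError(f"no enterprise matches {wanted}")
    if len(matches) > 1 and not allow_pool:
        raise BindingError(f"{len(matches)} enterprises match {wanted}; keys are not unique")
    return matches[0]  # with the pool enabled the first match wins, as documented


def index_external_roles(roles: List[Role]) -> Dict[str, Role]:
    """Each external role may be bound to only one Abiquo role; reject anything else."""
    index: Dict[str, Role] = {}
    for role in roles:
        for ext in role.external_roles:
            if ext in index and index[ext] is not role:
                raise BindingError(f"external role {ext!r} bound to {index[ext].name} and {role.name}")
            index[ext] = role
    return index


def bind_role(role_claim: str, attrs: SamlAttributes, roles: List[Role]) -> Role:
    index = index_external_roles(roles)
    matched = {index[v].name: index[v] for v in attrs.get(role_claim, []) if v in index}
    if not matched:
        raise BindingError(f"no Abiquo role bound to the values of {role_claim!r}")
    if len(matched) > 1:
        raise BindingError(f"values of {role_claim!r} map to several roles: {sorted(matched)}")
    return next(iter(matched.values()))


# Constructed sample data (hypothetical names, not from a real deployment).
SAMPLE_ENTERPRISES = [
    Enterprise("Acme"),
    Enterprise("Contoso Cloud", {"organization": "contoso", "acc_id": "1001"}),
    Enterprise("Contoso Dev", {"organization": "contoso", "acc_id": "1002"}),
]
SAMPLE_ROLES = [Role("ENTERPRISE_ADMIN", ["idp-admins"]), Role("USER", ["idp-users", "idp-contractors"])]


def resolve_login(enterprise_claims: str, role_claim: str, attrs: SamlAttributes,
                  allow_pool: bool = False) -> Tuple[str, str]:
    """(enterprise name, role name) the user would be bound to, or BindingError."""
    ent = bind_enterprise(enterprise_claims, attrs, SAMPLE_ENTERPRISES, allow_pool)
    return ent.name, bind_role(role_claim, attrs, SAMPLE_ROLES).name


def binding_fails(enterprise_claims: str, role_claim: str, attrs: SamlAttributes,
                  allow_pool: bool = False) -> bool:
    try:
        resolve_login(enterprise_claims, role_claim, attrs, allow_pool)
        return False
    except BindingError:
        return True


if __name__ == "__main__":
    attrs = {"organization": ["contoso"], "account": ["1002"], "groups": ["idp-users"]}
    print(resolve_login("organization,acc_id:account", "groups", attrs))  # ('Contoso Dev', 'USER')
```

Running the module with the sample data shows the property-key path of the second matching example: neither "contoso" nor "1002" is an enterprise Name, so the enterprise is chosen by its organization and acc_id properties. Setting the claim to just "organization" makes two sample enterprises match, which only resolves when the pool option is on.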
...
Enable SAML authentication mode
...
To enable Abiquo to identify and trust the SAML SSO server, which is the identity provider (IdP):
1. Get the IdP metadata and save it on the Abiquo Server.
2. On the Abiquo Server, set the following property pointing to this file:
abiquo.saml.metadata.identityprovider.path=/opt/abiquo/config/saml/identityprovider_metadata.xml
3. On the Abiquo Server, you must set the default IdP with the following property:
abiquo.saml.metadata.identityprovider.default.id
If you do not add this property, the Abiquo API will not start.
...
To configure Abiquo to act as a SAML service provider (SP) that can sign and encrypt SAML requests:
...
Generate the service provider metadata
If you do not have a service provider (SP) metadata XML file, you can generate one using the Abiquo API.
1. Configure the SP properties as described in the above steps.
2. On the Abiquo Server, set the following properties with these values:
abiquo.saml.metadata.mode=generated
# the service provider path can be left empty because it is not used
abiquo.saml.metadata.serviceprovider.path=
abiquo.saml.mode=multi
3. Start the Abiquo API.
4. Log in as an administrator user (with the PHYS_DC_MANAGE privilege, Manage datacenter).
5. Perform an authenticated request to the path /api/saml/metadata.
6. Save the metadata response in a file.
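The metadata generation steps above, as an added example that is not part of Abiquo's documentation or code: it performs the authenticated request to /api/saml/metadata, saves the body to a file, and then checks the saved document for the fields an IdP administrator will look at (entityID, signing and encryption keys, AssertionConsumerService locations, whether requests are signed). HTTP Basic authentication for the administrator account, the host name, the credentials and the sample metadata document are assumptions; the element and attribute names checked come from the SAML 2.0 metadata schema, not from this page.

```python
"""Added example (not Abiquo's code): fetch the generated SP metadata from
/api/saml/metadata, save it, and sanity-check the saved document before
handing it to the IdP administrators. Hypothetical assumptions: the admin
account can use HTTP Basic auth; host, credentials and paths are placeholders.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace


def fetch_sp_metadata(base_url: str, username: str, password: str, out_path: str) -> bytes:
    """Authenticated GET of /api/saml/metadata; the response body is written to out_path."""
    url = base_url.rstrip("/") + "/api/saml/metadata"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    with open(out_path, "wb") as fh:
        fh.write(body)
    return body


def describe_sp_metadata(xml_bytes: bytes) -> Dict[str, object]:
    """Parse SP metadata and report the fields an IdP admin will ask about."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not service provider metadata")
    key_uses = [k.get("use") for k in sp.findall(f"{{{MD}}}KeyDescriptor")]
    acs: List[str] = [a.get("Location", "") for a in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        # a KeyDescriptor without a "use" attribute serves both purposes
        "has_signing_key": any(u in (None, "signing") for u in key_uses),
        "has_encryption_key": any(u in (None, "encryption") for u in key_uses),
        "acs_locations": acs,
        "all_acs_https": bool(acs) and all(loc.startswith("https://") for loc in acs),
    }


def is_sp_metadata(xml_bytes: bytes) -> bool:
    """True when the bytes parse as a SAML EntityDescriptor with an SPSSODescriptor."""
    try:
        describe_sp_metadata(xml_bytes)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample of a generated SP metadata document (placeholder host and paths).
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://abiquo.example.test/api/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:KeyDescriptor use="encryption"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abiquo.example.test/api/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # Against a live API (placeholder values):
    # fetch_sp_metadata("https://abiquo.example.test", "admin", "secret", "sp_metadata.xml")
    print(describe_sp_metadata(SAMPLE_SP_METADATA))
```

The summary returned by describe_sp_metadata is what to compare against the keystore configuration: if abiquo.saml.keys.metadata.sign is on but the saved metadata reports no signing key or AuthnRequestsSigned="false", the generated file does not reflect the intended setup and should not be sent to the IdP.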
...
"login.error.SAMLERROR2": "Login failed!",
For details of more customizations, see Customize UI login errors.
...
Configure a SAML enterprise pool
...
Table of Abiquo configuration properties for SAML
Key | Description | Required
---|---|---
abiquo.auth.module | Sets the authentication module to use in the Abiquo Platform. | Yes
abiquo.saml.authentication.maxage | New in Abiquo 6.0.0. Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IdP. | Required to start SAML
abiquo.saml.mode | Indicates the SAML mode to use. | No
abiquo.saml.redirect.endpoint | URI redirect for a successful Abiquo login using SAML SSO. | Yes
abiquo.saml.redirect.error.endpoint | URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a [...] query parameter, " | No
abiquo.saml.metadata.mode = provided | Indicates if the SP metadata is provided or must be generated by the API. | No
abiquo.saml.metadata.serviceprovider.path | Indicates the location of the SP metadata to load. | Only if [...]
abiquo.saml.metadata.identityprovider.path | Indicates the location of the IdP metadata to load. | Yes
abiquo.saml.metadata.generator.bindingSSO | If [...] | No
abiquo.saml.keys.keystore.path | Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. | Yes
abiquo.saml.keys.keystore.password | The password to unlock the Java keystore from the location indicated by abiquo.saml.keys.keystore.path. | Yes
abiquo.saml.keys.signing.alias | The alias of the key to use for signing SAML Requests. | Yes
abiquo.saml.keys.signing.password | The password of the key to use for signing SAML Requests. | Yes
abiquo.saml.keys.encryption.alias | The alias of the key to use for encryption of SAML Requests. | Yes
abiquo.saml.keys.encryption.password | The password of the key to use for encryption of SAML Requests. | Yes
abiquo.saml.keys.metadata.sign | Indicates if the SAML Requests must be signed. | No
abiquo.saml.binding | Indicates the binding profile to allow. | Yes
[key missing from source] | Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. | No
abiquo.saml.attributes.role.claim | Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. | Yes
abiquo.saml.attributes.enterprise.claims | Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. | Yes
abiquo.saml.attributes.user.firstname.claim | Indicates which attribute must be read to find the user's first name. | No
abiquo.saml.attributes.user.lastname.claim | Indicates which attribute must be read to find the user's last name. | No
abiquo.saml.attributes.user.email.claim | Indicates which attribute must be read to find the user's email. | No
abiquo.saml.login.allow.enterprise.pool | Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for [...] mode, not for [...] (multiple IdPs). | No
abiquo.saml.metadata.identityprovider.default.id | Sets the default SAML IdP. | Yes
abiquo.saml.metadata.identityprovider.userdomain.map | For multiple IdPs, maps the user domains to the IdPs. | Yes, for multiple IdPs