This document describes how to configure the SAML integration so that users can log in to the platform with SAML SSO (SAML 2.0).
Please read all of this documentation before you start to configure your environment.

Included page: Add multiple identity providers for SAML


About enterprise and role binding

The Abiquo API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is called enterprise and role binding.

Here are some examples of how Abiquo can match SAML attributes for enterprises:

  • abiquo.saml.attributes.enterprise.claims = example

    • The API will get the value of the example attribute from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with an enterprise property key called example that has a property value that matches the SAML Response example attribute value.

  • abiquo.saml.attributes.enterprise.claims = organization,acc_id:account

    • The API will get the value of the organization and acc_id attributes from the SAML Response. It will try to find an enterprise with a name that matches one of these values. If it can't find an enterprise, it will search the enterprise properties. It will return the enterprise that has the property organization with the value from the SAML Response and acc_id property with the value of account from the SAML Response.
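The following Python is an added example, not Abiquo's code, that works through the two matching steps above (enterprise name first, then enterprise properties) together with the first-match behaviour of abiquo.saml.login.allow.enterprise.pool. It follows the documented pattern <saml-attr>:<ent-prop> (SAML attribute before the colon, enterprise property key after it); verify that order against your Abiquo version, because the second prose example above reads the two sides the other way round. The enterprise records, the SAML attribute dictionaries, the data model and the function names are all constructed for this example.

```python
"""Enterprise binding resolver modelled on the Abiquo SAML claim rules.

Added example, not Abiquo's code. Lookup order as the page describes it for
abiquo.saml.attributes.enterprise.claims:
  1. parse "<saml-attr>[:<ent-prop>],..." (documented pattern: SAML attribute
     first, enterprise property key second; the key defaults to the attribute)
  2. look for an enterprise whose NAME equals one of the claimed values
  3. otherwise look for an enterprise whose PROPERTIES match every pair
plus abiquo.saml.login.allow.enterprise.pool (first match wins when several
enterprises share the same property values). Enterprise records, SAML
attributes, the data model and the function names are assumptions.
"""
from dataclasses import dataclass, field


class AmbiguousBindingError(Exception):
    """Several enterprises matched and pooling is disabled."""


@dataclass
class Enterprise:
    name: str
    properties: dict = field(default_factory=dict)


def parse_claims(spec: str) -> list:
    """'organization,acc_id:account' ->
    [('organization', 'organization'), ('acc_id', 'account')]"""
    pairs = []
    for item in spec.split(","):
        attr, _, prop = item.strip().partition(":")
        attr, prop = attr.strip(), prop.strip()
        if attr:
            pairs.append((attr, prop or attr))
    return pairs


def _pick(matches, allow_pool, how):
    """Fail closed on ambiguity unless pooling (first match) is enabled."""
    if len(matches) > 1 and not allow_pool:
        raise AmbiguousBindingError(
            f"{len(matches)} enterprises match by {how}; enable "
            "abiquo.saml.login.allow.enterprise.pool or make the value unique")
    return matches[0] if matches else None


def resolve_enterprise(spec, saml_attrs, enterprises, allow_pool=False):
    """Return the Enterprise to bind, or None when nothing matches. A None
    result should reject the login; never fall back to a default tenant."""
    pairs = parse_claims(spec)
    if not pairs:
        return None
    values = {attr: saml_attrs.get(attr) for attr, _ in pairs}
    claimed = {v for v in values.values() if v is not None}

    # Step 1: an enterprise named exactly like one of the claimed values.
    by_name = [e for e in enterprises if e.name in claimed]
    if by_name:
        return _pick(by_name, allow_pool, "name")

    # Step 2: every (attribute, property) pair must match; a SAML attribute
    # that is absent from the Response can never satisfy its pair.
    by_prop = [e for e in enterprises
               if all(values[attr] is not None
                      and e.properties.get(prop) == values[attr]
                      for attr, prop in pairs)]
    return _pick(by_prop, allow_pool, "property")


# Constructed sample tenants (not real Abiquo data).
SAMPLE_ENTERPRISES = [
    Enterprise("Acme"),
    Enterprise("Tenant-A", {"organization": "Globex", "account": "1001"}),
    Enterprise("Tenant-B", {"organization": "Globex", "account": "1002"}),
    Enterprise("Pool-1", {"organization": "Initech"}),
    Enterprise("Pool-2", {"organization": "Initech"}),
]

if __name__ == "__main__":
    # Constructed SAML attribute sets, as they would arrive in the Response.
    print(resolve_enterprise("example", {"example": "Acme"}, SAMPLE_ENTERPRISES))
    print(resolve_enterprise("organization,acc_id:account",
                             {"organization": "Globex", "acc_id": "1002"},
                             SAMPLE_ENTERPRISES))
    print(resolve_enterprise("organization", {"organization": "Initech"},
                             SAMPLE_ENTERPRISES, allow_pool=True))
```

Two design choices matter for security: a claim set that matches nothing returns None rather than a default tenant, and several enterprises matching the same property values is an error unless the pool option is deliberately enabled, so a misconfigured property can never silently bind a user to the wrong tenant.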

Table of Abiquo configuration properties for SAML

Columns: Key, Description, Required, Role

abiquo.auth.module
Sets the authentication module to use in the Abiquo Platform.
Accepts: abiquo, saml, openid, ldap
Required: Yes
Role: admin

abiquo.login.samesite
Controls the value of the SameSite flag of the login cookie.
See Abiquo configuration properties#samesite
Required: No
Default: strict
Role: admin

abiquo.saml.authentication.maxage
New in Abiquo 6.0.0
Maximum time in seconds that the system allows users to use SAML single sign-on after their initial authentication with the IdP.
Required: Required to start SAML
Default: 2073600
Role: admin

abiquo.saml.mode
Indicates the SAML mode to use.
Accepts:

  • single: only SAML is allowed to authenticate users

  • multiple: SAML and Basic Auth are allowed to authenticate users

Required: No
Default: single
Role: admin

abiquo.saml.redirect.endpoint
URI redirect for a successful Abiquo login using SAML SSO.
Accepts: any valid URI
Example: https://your.env.com/ui
Required: Yes
Role: admin

abiquo.saml.redirect.error.endpoint
URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a query parameter, "?error", or a valid URI like the one in the example.
Accepts: any valid URI
Example: https://your.env.com/ui/?error=ERROR_CODE
See Configure UI login errors
Required: No
Default: ?error
Role: admin

abiquo.saml.metadata.mode
Indicates if the SP metadata is provided or must be generated by the API.
Accepts:

  • provided: use existing metadata defined with the following property: abiquo.saml.metadata.serviceprovider.path

  • generated: the API should generate the metadata. Requires the Abiquo Server to have an SP configuration

Required: No
Default: generated
Role: admin

abiquo.saml.metadata.serviceprovider.path
Indicates the location of the SP metadata to load.
Accepts: any location path of the file to read
Required: Only if abiquo.saml.metadata.mode is set to provided
Role: admin

abiquo.saml.metadata.identityprovider.path
Indicates the location of the IdP metadata to load.
Accepts: any location path of the file to read. For multiple identity providers, use a comma-separated list
Required: Yes
Role: admin

abiquo.saml.metadata.generator.bindingSSO
If abiquo.saml.metadata.mode is set to generated, this property indicates which bindings must be allowed.
Accepts: a comma-separated list with the binding names
Required: No
Default: POST, Artifact
Role: saml admin

abiquo.saml.keys.keystore.path
Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests.
Accepts: any location path of the file to read
Required: Yes
Role: admin

abiquo.saml.keys.keystore.password
The password to unlock the Java keystore at the location indicated by the abiquo.saml.keys.keystore.path property.
Required: Yes
Role: admin

abiquo.saml.keys.signing.alias
The alias of the key to use for signing SAML Requests.
Accepts: any string
Required: Yes
Role: admin

abiquo.saml.keys.signing.password
The password of the key to use for signing SAML Requests.
Accepts: any string
Required: Yes
Role: admin

abiquo.saml.keys.encryption.alias
The alias of the key to use for encryption of SAML Requests.
Accepts: any string
Required: Yes
Role: admin

abiquo.saml.keys.encryption.password
The password of the key to use for encryption of SAML Requests.
Required: Yes
Role: admin

abiquo.saml.metadata.sign
Indicates if the SAML Requests must be signed.
Accepts: a boolean
Required: No
Default: false
Role: admin

abiquo.saml.binding
Indicates the binding profile to allow.
Accepts: the SAML binding profile's URN
Required: Yes
Role: saml admin

abiquo.saml.attributes.user.id.claim
Indicates which SAML Response attribute must identify a unique user; if it is not set, the principal will be used.
Accepts: any string
Required: No
Role: saml admin

abiquo.saml.attributes.role.claim
Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login.
Accepts: any string
Required: Yes
Role: saml admin

abiquo.saml.attributes.enterprise.claims
Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key.
Accepts: a comma-separated list of the claim attributes, each with an optional enterprise property key separated by a colon.
Pattern: <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>
Required: Yes
Role: saml admin

abiquo.saml.attributes.user.firstname.claim
Indicates which SAML Response attribute must be read to find the user's first name.
Accepts: any string
Required: No
Default: FirstName
Role: saml admin

abiquo.saml.attributes.user.lastname.claim
Indicates which SAML Response attribute must be read to find the user's last name.
Accepts: any string
Required: No
Default: LastName
Role: saml admin

abiquo.saml.attributes.user.email.claim
Indicates which SAML Response attribute must be read to find the user's email address.
Accepts: any string
Required: No
Default: EmailAddress
Role: saml admin

abiquo.saml.login.allow.enterprise.pool
Allow the use of multiple enterprises with the same enterprise claim property as a pool. Assigns the user to the first enterprise match. Only valid for SAML mode, not for SAML + user (multiple IdPs).
Accepts: boolean
Required: No
Default: false
Role: saml admin

abiquo.saml.metadata.identityprovider.default.id
Sets the default SAML IdP.
Accepts: the entityID attribute of the default IdP from its metadata
Required: Yes
Role: abiquo admin

abiquo.saml.metadata.identityprovider.userdomain.map
For multiple IdPs, maps the user domains to the IdPs.
Accepts: comma-separated list of email address domains and IdPs
Required: Yes, for multiple IdPs
Role: abiquo admin
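The Required column above is a set of rules that can be checked before restarting the platform. The Python below is an added example, not an Abiquo tool: it reads a java-properties-style text, applies the always-required keys, the condition on abiquo.saml.metadata.serviceprovider.path, the multiple-IdP requirement for the userdomain map and the single-IdP restriction on the enterprise pool, and additionally reports two hardening points derived from the documented defaults (unsigned SAML requests when abiquo.saml.metadata.sign is not true, and a login cookie SameSite value weaker than strict). The two property texts are constructed samples with placeholder paths and passwords; the finding messages, the value format of the domain map and the function names are mine, not Abiquo's.

```python
"""Pre-flight check for the SAML section of abiquo.properties.

Added example, not an Abiquo tool. Encodes the Required rules from the
property table (always-required keys; serviceprovider.path only when
metadata.mode=provided; userdomain.map only with several IdP metadata files;
enterprise pool only with one IdP) and two hardening checks on documented
defaults (metadata.sign, login cookie SameSite). Sample properties are
constructed with placeholders; finding texts and function names are mine.
"""

ALWAYS_REQUIRED = (
    "abiquo.saml.authentication.maxage", "abiquo.saml.redirect.endpoint",
    "abiquo.saml.metadata.identityprovider.path",
    "abiquo.saml.metadata.identityprovider.default.id",
    "abiquo.saml.keys.keystore.path", "abiquo.saml.keys.keystore.password",
    "abiquo.saml.keys.signing.alias", "abiquo.saml.keys.signing.password",
    "abiquo.saml.keys.encryption.alias", "abiquo.saml.keys.encryption.password",
    "abiquo.saml.binding", "abiquo.saml.attributes.role.claim",
    "abiquo.saml.attributes.enterprise.claims",
)
ALLOWED_VALUES = {
    "abiquo.auth.module": {"abiquo", "saml", "openid", "ldap"},
    "abiquo.saml.mode": {"single", "multiple"},
    "abiquo.saml.metadata.mode": {"provided", "generated"},
}

# Constructed sample: several things the table says are wrong or missing.
WEAK_PROPERTIES = """\
abiquo.auth.module = saml
abiquo.login.samesite = lax
abiquo.saml.authentication.maxage = 2073600
abiquo.saml.redirect.endpoint = https://your.env.com/ui
abiquo.saml.metadata.mode = provided
abiquo.saml.metadata.identityprovider.path = /path/to/idp-one.xml,/path/to/idp-two.xml
abiquo.saml.metadata.identityprovider.default.id = https://idp-one.example/metadata
abiquo.saml.keys.keystore.path = /path/to/saml.jks
abiquo.saml.keys.keystore.password = PLACEHOLDER
abiquo.saml.keys.signing.alias = sp-signing
abiquo.saml.keys.signing.password = PLACEHOLDER
abiquo.saml.keys.encryption.alias = sp-encryption
abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
abiquo.saml.attributes.role.claim = role
abiquo.saml.attributes.enterprise.claims = organization
abiquo.saml.login.allow.enterprise.pool = true
"""

# Same file with the findings fixed; a later line overrides an earlier one.
HARDENED_PROPERTIES = WEAK_PROPERTIES + """\
abiquo.login.samesite = strict
abiquo.saml.metadata.serviceprovider.path = /path/to/sp-metadata.xml
abiquo.saml.keys.encryption.password = PLACEHOLDER
# value format of the domain map is not on this page: placeholder only
abiquo.saml.metadata.identityprovider.userdomain.map = PLACEHOLDER_DOMAIN_MAP
abiquo.saml.login.allow.enterprise.pool = false
abiquo.saml.metadata.sign = true
"""


def parse_properties(text):
    """Minimal java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def check_saml_properties(text):
    """Return a list of findings; an empty list means the SAML section passes."""
    p = parse_properties(text)
    if p.get("abiquo.auth.module") != "saml":
        return ["abiquo.auth.module is not saml: SAML checks not applicable"]
    findings = [f"{k}={p[k]} is not one of {sorted(v)}"
                for k, v in ALLOWED_VALUES.items() if k in p and p[k] not in v]
    findings += [f"missing required property {k}" for k in ALWAYS_REQUIRED if not p.get(k)]
    if (p.get("abiquo.saml.metadata.mode", "generated") == "provided"
            and not p.get("abiquo.saml.metadata.serviceprovider.path")):
        findings.append("metadata.mode=provided but metadata.serviceprovider.path is missing")
    idps = [s for s in p.get("abiquo.saml.metadata.identityprovider.path", "").split(",") if s.strip()]
    if len(idps) > 1:
        if not p.get("abiquo.saml.metadata.identityprovider.userdomain.map"):
            findings.append("several IdP metadata files but no identityprovider.userdomain.map")
        if p.get("abiquo.saml.login.allow.enterprise.pool", "false").lower() == "true":
            findings.append("enterprise pool is only valid for single-IdP SAML mode")
    if p.get("abiquo.saml.metadata.sign", "false").lower() != "true":
        findings.append("metadata.sign is not true: SAML requests will be sent unsigned")
    if p.get("abiquo.login.samesite", "strict").lower() != "strict":
        findings.append("login.samesite is weaker than the strict default")
    return findings


if __name__ == "__main__":
    for finding in check_saml_properties(WEAK_PROPERTIES):
        print("-", finding)
    print("hardened:", check_saml_properties(HARDENED_PROPERTIES) or "no findings")
```

Running the script against the weak sample lists the missing encryption password, the missing SP metadata path, the missing domain map, the pool option used with two IdPs, unsigned requests and the relaxed cookie flag; the hardened sample produces no findings. Treating metadata.sign=false and a non-strict SameSite as findings is a policy choice of this example, since the page only states their defaults.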

Table of UI properties for SAML

For SAML, you can configure the following UI configuration properties in client-config-custom.json. See Configure Abiquo UI for more details.

Columns: Property, Description

client.login.modules
Configures the Abiquo modules to log in with Basic Auth (default), OpenID, SAML, or SAML + user.

  • For the initial SAML configuration, use SAML

  • When you add multiple IdPs, use SAML + user

You can copy the options from client-config-default.json

client.skip.login.view
By default, when in OpenID or SAML mode, Abiquo displays an initial screen with a link to the authentication portal.
If this property is set to true, Abiquo does not display the initial screen and redirects users directly to the authentication portal.
