
Info

This document describes how to configure the SAML integration to log in to the platform with SAML SSO using SAML 2.0.
Please read all of this documentation before you start to configure your environment.

...

...

Configure

...

The first time a user logs in with SAML SSO, the Abiquo API will create the user’s account in the platform. Before the user can log in, the administrator must create an Abiquo enterprise and role for the user and define their SAML attributes. Then the API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is called enterprise and role binding.

Here are some examples of how Abiquo can match SAML attributes for enterprises:

  • abiquo.saml.attributes.enterprise.claims = example

    • The API will get the value of the example attribute from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with an enterprise property key called example that has a property value that matches the SAML Response example attribute value.

  • abiquo.saml.attributes.enterprise.claims = organization,acc_id:account

    • The API will get the values of the organization and acc_id attributes from the SAML Response. It will try to find an enterprise with a name that matches one of these values. If it can't find one, it will search the enterprise properties and return the enterprise whose organization property has the value of the organization attribute from the SAML Response and whose account property has the value of the acc_id attribute (following the attribute:property pattern).

To configure the enterprise and role binding do these steps:

  1. In Abiquo create enterprises for your users and assign Names or enterprise property Keys that will match the values of SAML attributes.

  2. On the Abiquo Server, set the abiquo.saml.attributes.enterprise.claims property to specify the SAML attributes to match. Abiquo will get the values of these attributes and search for an enterprise name or enterprise property with this key to match the SAML values.

  3. In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.

  4. On the Abiquo Server, set the abiquo.saml.attributes.role.claim property to specify the SAML attribute to match the roles.
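As an added illustration (not Abiquo's code), the following Python models the lookup order described above: enterprise name first, then enterprise properties using the attribute:property pattern, plus the one-external-role-to-one-Abiquo-role rule. The enterprises, roles and SAML attribute values are constructed sample data, and the handling of several enterprises sharing the same claim values when the pool option is off is an assumption.

```python
"""Model of the enterprise and role binding described above.

Added example; this is not Abiquo's code. It follows the documented lookup
order for abiquo.saml.attributes.enterprise.claims (enterprise name first,
then enterprise properties, using the <saml-attr>:<ent-prop> pattern) and the
"one external role -> one Abiquo role" rule for abiquo.saml.attributes.role.claim.
All sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Enterprise:
    name: str
    properties: Dict[str, str] = field(default_factory=dict)  # enterprise property key -> value


@dataclass
class Role:
    name: str
    external_roles: List[str] = field(default_factory=list)  # the role's "External roles" values


def parse_enterprise_claims(spec: str) -> List[Tuple[str, str]]:
    """'organization,acc_id:account' -> [('organization', 'organization'), ('acc_id', 'account')].

    Each item is (SAML attribute, enterprise property key); the key defaults to the attribute name.
    """
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            attr, _, prop = item.partition(":")
            pairs.append((attr.strip(), prop.strip() or attr.strip()))
    return pairs


def bind_enterprise(attrs: Dict[str, str], claims_spec: str,
                    enterprises: List[Enterprise], allow_pool: bool = False) -> Optional[Enterprise]:
    """Return the enterprise the SAML attributes bind to, or None if nothing matches."""
    pairs = parse_enterprise_claims(claims_spec)
    # Step 1: a claim value equal to an enterprise name wins outright.
    for attr, _prop in pairs:
        value = attrs.get(attr)
        if value is not None:
            for ent in enterprises:
                if ent.name == value:
                    return ent
    # Step 2: fall back to enterprise properties; every configured claim must be present and match.
    wanted = {prop: attrs.get(attr) for attr, prop in pairs}
    if not wanted or None in wanted.values():
        return None
    candidates = [e for e in enterprises
                  if all(e.properties.get(k) == v for k, v in wanted.items())]
    if len(candidates) > 1 and not allow_pool:
        # Several enterprises share the claim values. With
        # abiquo.saml.login.allow.enterprise.pool=true the doc says the first one is
        # used; treating the ambiguity as "no match" otherwise is an assumption.
        return None
    return candidates[0] if candidates else None


def bind_role(attrs: Dict[str, str], role_claim: str, roles: List[Role]) -> Optional[Role]:
    """Map the role claim onto exactly one Abiquo role via its External roles list."""
    value = attrs.get(role_claim)
    if value is None:
        return None
    matches = [r for r in roles if value in r.external_roles]
    # One Abiquo role may list many external roles, but an external role must map to one
    # Abiquo role, so a value claimed by two roles is a misconfiguration and binds nothing.
    return matches[0] if len(matches) == 1 else None


# Constructed sample data standing in for the enterprises and roles created in Abiquo.
ENTERPRISES = [
    Enterprise("Abiquo"),
    Enterprise("Acme Holdings", {"organization": "Acme", "account": "42"}),
    Enterprise("Acme Labs", {"organization": "Acme", "account": "42"}),
    Enterprise("Other Corp", {"organization": "Other", "account": "7"}),
]
ROLES = [
    Role("CLOUD_ADMIN_EXTERNAL", ["CLOUD_ADMIN_EXTERNAL", "cloud-admins"]),
    Role("USER_EXTERNAL", ["users"]),
    Role("AUDITOR_EXTERNAL", ["users"]),  # "users" is claimed twice: a misconfiguration
]

if __name__ == "__main__":
    # Attribute values as they would arrive in a SAML Response (constructed).
    attrs = {"organization": "Acme", "acc_id": "42", "abq-role": "CLOUD_ADMIN_EXTERNAL"}
    print(bind_enterprise(attrs, "organization,acc_id:account", ENTERPRISES, allow_pool=True))
    print(bind_role(attrs, "abq-role", ROLES))
```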

Enable SAML authentication mode

Abiquo integrates different authentication options and the default authentication mode is abiquo, which is basic authentication for users stored in the Abiquo database.

To enable SAML in Abiquo:

  1. On the Abiquo Server, set the abiquo.auth.module property to a value of saml.

  2. Before you start the Abiquo API again, complete the configuration in the following sections to ensure that the Abiquo API will start successfully.

Configure login modules in the UI

To enable users to log in with SAML, set the following UI configuration properties in client-config-custom.json. See Configure Abiquo UI for more details.

client.login.modules
  Configure Abiquo modules to log in with Basic Auth (default), Open ID, SAML, or SAML + user.
  For the initial SAML configuration, use SAML. When you add multiple IdPs, use SAML + user.
  See client-config-default.json for details.

client.skip.login.view
  By default, when in OpenID or SAML mode, Abiquo shows an initial screen with a link to the Authentication portal.
  If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.
Configure SameSite flag of login cookie

Optionally, on the Abiquo Server set the abiquo.login.samesite property to control the value of the SameSite flag of the login cookie. See Abiquo configuration properties#samesite

Configure the maximum authentication age

On the Abiquo Server, set the abiquo.saml.authentication.maxage property to control the maximum time in seconds that users can use SAML single sign-on after their initial authentication with the IdP. The default value is 2073600 seconds, which is 24 days.

Configure SAML identity provider

To enable Abiquo to identify and trust the SAML SSO Server, which is the identity provider (IdP):

...

Get the IdP metadata and save it on the Abiquo Server

...

On the Abiquo Server, set the following property pointing to this file:
abiquo.saml.metadata.identityprovider.path=/opt/abiquo/config/saml/identityprovider_metadata.xml

...

Configure the Abiquo API as a SAML service provider

To configure Abiquo to act as a SAML service provider (SP) that can sign and encrypt SAML requests:

  1. Create a dedicated keystore with the keys that Abiquo will need for signing and encrypting.

  2. Configure the details of the keystore in Abiquo with the following properties:

    1. abiquo.saml.keys.keystore.path=/opt/abiquo/config/saml/saml_keystore.jks

    2. abiquo.saml.keys.keystore.password=the_keystore_password

    3. abiquo.saml.keys.metadata.sign=true

    4. abiquo.saml.keys.signing.alias=alias_for_signing_key

    5. abiquo.saml.keys.signing.password=password_for_signing_key

    6. abiquo.saml.keys.encryption.alias=alias_for_encryption_key

    7. abiquo.saml.keys.encryption.password=password_for_encryption_key

  3. To configure the type of binding that the API will offer for the IdP, set the following property:

    1. abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    We recommend that you use the same binding type as the IdP.

  4. To configure the browser redirect to the Abiquo environment after a successful login, set the following property: 

    1. abiquo.saml.redirect.endpoint=https://<your-environment>/ui

Generate the service provider metadata

If you do not have a service provider (SP) metadata XML file, you can generate one using the Abiquo API.

  1. Configure the SP properties as described in the above steps.

  2. On the Abiquo Server, set the following properties with these values:

    1. abiquo.saml.metadata.mode=generated

    2. abiquo.saml.metadata.serviceprovider.path= # can be left empty because it is not used

    3. abiquo.saml.mode=multi

  3. Start the Abiquo API

  4. Log in as an administrator user (with the Manage datacenter privilege) 

  5. Perform an authenticated request to the path /api/saml/metadata

  6. Save the metadata response in a file

Tip

The API SAML metadata path is always enabled, but it returns provided or generated metadata depending on the value of the abiquo.saml.metadata.mode property.

This path is protected, so setting abiquo.saml.mode=multi lets the API accept both basic authentication and SAML SSO authentication.
This means that even if the SAML configuration is not yet finished, you can perform the request with basic auth.

After you obtain the SP metadata, do these steps:

  1. Add the metadata XML file to the IdP

  2. Provide the SP metadata to the Abiquo API as described below

We also recommend that you do these additional steps:

  1. Disable basic authentication. To do this, set the abiquo.saml.mode property to single (or just delete it because single is the default value).

  2. Configure the API to use the provided metadata file and stop the API from generating metadata each time you restart it. To do this, set the abiquo.saml.metadata.mode property to provided.

Provide the SP metadata to the service provider and the identity provider

The Abiquo API (SP) and the SAML IdP require the SP metadata XML file. To configure the SP metadata XML file for the Abiquo API:

  1. Save the SP metadata XML file on the Abiquo Server

  2. Add the following properties:

    1. abiquo.saml.metadata.serviceprovider.path=/opt/abiquo/config/saml/serviceprovider_metadata.xml

    2. abiquo.saml.metadata.mode=provided

Your environment is now ready to use SAML SSO. Start the API and open the user interface in the browser.

Configure custom login error messages for SAML

By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.

Optionally, to display custom error messages, configure the redirect to add an error parameter.

On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint property to point to your UI server and add an error code as follows:

Code Block
abiquo.saml.redirect.error.endpoint = https://your.env.com/ui/?error=ERROR_CODE

Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json, you could create a label as follows:

Code Block
  "login.error.SAMLERROR2": "Login failed!",

For details of more customizations, see Customize UI login errors.

Configure a SAML enterprise pool

Optionally, if you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value.

The login process will select the first matching enterprise from the pool.

To configure this option, set the following property.

Code Block
abiquo.saml.login.allow.enterprise.pool = true

Add multiple identity providers for SAML

...


your SAML identity provider

We assume that you are already using SAML and that you already have your own IdP configuration.

Note

We provide some basic instructions to illustrate our example with IdP claims and to give a better picture of our SAML configuration.

  • Do not use these instructions to configure your production environment

  • We do not maintain these instructions

To configure Azure Active Directory as an IdP for Abiquo testing:

  1. Go to Azure portal (https://portal.azure.com)

  2. Create an Azure Active Directory

    1. For the Organization use Default Directory

    2. For the Domain use MY_ORG.onmicrosoft.com and replace MY_ORG with your organization name

  3. Switch to the directory and create an Application

    1. Go to Enterprise applications

    2. Click Create your own application

    3. Select the Integrate any other application you don't find in the gallery (Non-gallery) option

    4. For the Name enter samlidp and click Create. Then wait for it to complete.

  4. Go to Single sign-on, for the Authentication method, select SAML, and set the following values.

    1. Basic SAML Configuration: add Abiquo URLs to authorize it as a client that can use this SAML IDP.

      1. Identifier (Entity ID): https://ABIQUO_FQDN:443/api/saml/metadata
        Replace ABIQUO_FQDN with the domain name of your Abiquo server

      2. Reply URL (Assertion Consumer Service or ACS URL): https://ABIQUO_FQDN:443/api/saml/SSO
        Replace ABIQUO_FQDN with the domain name of your Abiquo server

      3. Sign on URL: Set an empty value

    2. SAML Claims: create and set the claims you want to retrieve from AAD users in Abiquo.
      For example:

      1. abq-enterprise: user.department

      2. abq-role: user.jobtitle

      3. user.userprincipalname

      4. user.givenname

      5. user.surname

      6. user.mail

    3. Go to the AAD organization main page and create SAML users.

      1. Name: This will set the username in Abiquo

      2. First Name

      3. Last Name

      4. Job title: This will set the user role in Abiquo, e.g., CLOUD_ADMIN_EXTERNAL

      5. Department: This will set the enterprise in Abiquo, e.g., Abiquo

    4. Add the users to the SAML IDP application we created before in order to authorize them to log in with SAML.

...

Create enterprises and roles for SAML

The first time a user logs in with SAML SSO, the Abiquo API will create the user’s account in the platform.

Before the user can log in, the administrator must create an Abiquo enterprise and role for the user and define their SAML attributes.

  1. Log in to Abiquo as cloud admin

  2. Go to Users

  3. Create enterprises with Names to match the value of a SAML attribute. From our example above, we will match Department:

    1. Enterprise Name: Abiquo

  4. OR if your enterprise names do not match SAML attributes, create or edit the enterprise, go to Properties and create a property to match.

    1. Edit an enterprise (Name = My favorite enterprise)

    2. Enterprise property

      1. Key: department

      2. Value: Abiquo

  5. Go to Roles

  6. Create roles with External roles to match the value of a SAML attribute. From our example above, we will match Job title:

    1. Role Name: CLOUD_ADMIN_EXTERNAL

    2. External roles: CLOUD_ADMIN_EXTERNAL

...

Configure SAML on Abiquo server

To configure SAML on the Abiquo server:

  1. Log in to the Abiquo server as the system administrator

  2. Create a folder to store the configuration

    Code Block
    mkdir /opt/abiquo/config/saml
  3. Download the federation metadata XML file for your configuration. This may be from a link like:
    https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
    See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpoints

  4. Create a metadata file for the identity provider, for example, at /opt/abiquo/config/saml/idp_metadata.xml and edit this file.

  5. Open the metadata XML file, and copy the EntityDescriptor element with only the IDPSSODescriptor element inside it. Paste it into your metadata file for the identity provider.
    It should look something like this, but with different values for your identity provider.

    Code Block
    <?xml version="1.0" encoding="utf-8"?>
    <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            ...
        </IDPSSODescriptor>
    </EntityDescriptor>
    1. The entityID should be the value from your file. It may be something like this: https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/

    2. The EntityDescriptor ID should also be the value from your file.

  6. Edit /var/www/html/ui/config/client-config-custom.json and add the following configuration to allow SAML login.

    Code Block
       "client.login.modules": [
          {
              "label": "Basic Auth",
              "description": "Basic Auth login",
              "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html",
              "cookieName": ""
          },
          {
              "label": "SAML",
              "description": "SAML login",
              "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html",
              "cookieName": "ABQSAMLTOKENS"
          }
      ]

  7. Edit /opt/abiquo/config/abiquo.properties and configure the following properties.

    Code Block
    abiquo.auth.module = saml
    abiquo.saml.mode = multi

    abiquo.login.samesite = strict

    # Mandatory property to control the maximum time in seconds that users can use
    # SAML single sign-on after their initial authentication with the IDP.
    # The default represents 24 days.
    abiquo.saml.authentication.maxage = 2073600

    abiquo.saml.redirect.endpoint = https://ABIQUO_FQDN/ui
    abiquo.saml.redirect.error.endpoint = https://ABIQUO_FQDN/ui/?error
    abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/MY_SAML_KEYSTORE
    abiquo.saml.keys.keystore.password = MY_SAML_KEYSTORE_PASSWORD
    abiquo.saml.keys.signing.alias = MY_SAML_APP_NAME
    abiquo.saml.keys.signing.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.encryption.alias = MY_SAML_APP
    abiquo.saml.keys.encryption.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.metadata.sign = false
    abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    abiquo.saml.metadata.mode = generated
    #abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml
    # ENTITY_ID is the entityID of the IdP from its metadata file
    abiquo.saml.metadata.identityprovider.default.id = ENTITY_ID
    # For >1 IDPs, add commas between XML paths
    abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml
    # For >1 IDPs, add commas between pairs of values (user domain=IdP entityID)
    abiquo.saml.metadata.identityprovider.userdomain.map = myorg.onmicrosoft.com=ENTITY_ID

    # Set the claim names we have set up before in Azure AD
    abiquo.saml.attributes.role.claim = abq-role
    abiquo.saml.attributes.enterprise.claims = abq-enterprise
    abiquo.saml.attributes.user.id.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    abiquo.saml.attributes.user.firstname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    abiquo.saml.attributes.user.lastname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    abiquo.saml.attributes.user.email.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    1. The abiquo.saml.metadata.serviceprovider.path property is commented out at this stage because you first generate the metadata and later provide it from the file saved at this path.

    2. Replace the following values with the values for your environment:

      1. ABIQUO_FQDN

      2. MY_SAML_KEYSTORE

      3. MY_SAML_KEYSTORE_PASSWORD

      4. MY_SAML_APP_NAME

      5. MY_SAML_KEY_PASSWORD

      6. MY_SAML_APP

      7. MY_SAML_KEY_PASSWORD

      8. ENTITY_ID: you can get this from the Azure federation XML. It may be something like https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/ 

  8. Create a keystore with the above keystore values.

    Code Block
    cd /opt/abiquo/config/saml
    keytool -genkey -v -keystore MY_SAML_KEYSTORE -storepass MY_SAML_KEYSTORE_PASSWORD -alias MY_SAML_APP_NAME -keypass MY_SAML_KEY_PASSWORD -keyalg RSA -keysize 2048 -validity 10000

    (In our test system we used the same value, MY_SAML_KEY_PASSWORD, for the signing and encryption key passwords.)

  9. Restart the Abiquo API

  10. Check that the API works and has started successfully by logging in to Abiquo with basic auth as admin
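As an added example (not Abiquo's code), the following Python does the trimming that step 5 asks for and extracts the values step 7 needs: it keeps only the EntityDescriptor with its IDPSSODescriptor, reads the entityID for abiquo.saml.metadata.identityprovider.default.id, and checks that the binding set in abiquo.saml.binding is one the IdP actually offers. The federation metadata below is a constructed stand-in for an Azure AD file; the tenant id and paths are placeholders.

```python
"""Trim IdP federation metadata to the EntityDescriptor/IDPSSODescriptor subset that the
procedure above keeps, and pull out the values abiquo.properties needs.
Added example; this is not Abiquo's code. The metadata below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("", MD)  # serialise with a default xmlns, like the doc's sample file

# Constructed sample: the Signature, WS-Federation RoleDescriptor and SPSSODescriptor
# are exactly the parts the procedure says to leave out of idp_metadata.xml.
SAMPLE_FEDERATION_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_example-id" entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/"
    xmlns="{MD}">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature>
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
  </IDPSSODescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def trim_idp_metadata(xml_text: str) -> Tuple[str, str]:
    """Return (entityID, trimmed XML): the EntityDescriptor with only its IDPSSODescriptor.

    Fails loudly if the file is not an EntityDescriptor or describes no IdP, because
    Abiquo would then have nothing to trust as an identity provider.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected an md:EntityDescriptor root, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an identity provider")
    # Keep the ID and entityID values from the source file, as the procedure requires.
    trimmed = ET.Element(root.tag, {k: v for k, v in root.attrib.items() if k in ("ID", "entityID")})
    trimmed.append(idp)
    body = ET.tostring(trimmed, encoding="unicode")
    return entity_id, '<?xml version="1.0" encoding="utf-8"?>\n' + body


def sso_bindings(idp_metadata_xml: str) -> List[str]:
    """Binding URNs the IdP offers on its SingleSignOnService endpoints."""
    root = ET.fromstring(idp_metadata_xml)
    return [e.get("Binding", "") for e in root.iter(f"{{{MD}}}SingleSignOnService")]


def idp_supports_binding(idp_metadata_xml: str, binding: str) -> bool:
    """Check that the URN set in abiquo.saml.binding is one the IdP actually offers."""
    return binding in sso_bindings(idp_metadata_xml)


def idp_properties(entity_id: str, metadata_path: str) -> str:
    """The two abiquo.properties lines that must agree with the trimmed metadata file."""
    return (f"abiquo.saml.metadata.identityprovider.default.id = {entity_id}\n"
            f"abiquo.saml.metadata.identityprovider.path = {metadata_path}\n")


if __name__ == "__main__":
    entity_id, trimmed_xml = trim_idp_metadata(SAMPLE_FEDERATION_METADATA)
    binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # value of abiquo.saml.binding
    print(trimmed_xml)
    print(idp_properties(entity_id, "/opt/abiquo/config/saml/idp_metadata.xml"))
    print("IdP offers", binding, ":", idp_supports_binding(trimmed_xml, binding))
```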

...

Configure Abiquo as the service provider

To configure Abiquo as a service provider, obtain the metadata, save it to a file, and then enable the use of provided data.

  1. Log in to the Abiquo API server as an administrator

  2. Generate the SP metadata:

    Code Block
    curl -k -u ADMIN_USER:ADMIN_PASSWORD https://ABIQUO_FQDN:443/api/saml/metadata \
    > /tmp/curl_sp_metadata.xml

    Replace ADMIN_USER, ADMIN_PASSWORD, and ABIQUO_FQDN with values for your environment

  3. Save it to your SAML configuration folder

    Code Block
    xmllint --format /tmp/curl_sp_metadata.xml > /opt/abiquo/config/saml/sp_metadata.xml
  4. Edit the abiquo.properties file and set the values as follows

    Code Block
    abiquo.saml.metadata.mode = provided
    abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml
  5. Restart the Abiquo API

  6. Check that the API works and has started successfully by logging in with SAML

    1. Username: USER_NAME@MY_ORG.onmicrosoft.com

Additional configuration

We recommend that you do these additional steps:

  1. Add the metadata XML file to the IdP

  2. Disable basic authentication. To do this, set the abiquo.saml.mode property to single (or just delete it because single is the default value).

...


Table of Abiquo configuration properties for SAML

abiquo.auth.module
  Description: Sets the authentication module to use in the Abiquo Platform. Accepts: abiquo, saml, openid, ldap
  Required: Yes
  Role: admin

abiquo.login.samesite
  Description: Controls the value of the SameSite flag of the login cookie. See Abiquo configuration properties#samesite
  Required: No. Default: strict
  Role: admin

abiquo.saml.authentication.maxage (New in Abiquo 6.0.0)
  Description: Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IdP.
  Required: Required to start SAML. Default: 2073600
  Role: admin

abiquo.saml.mode
  Description: Indicates the SAML mode to use. Accepts: single (only SAML is allowed to authenticate users); multiple (SAML and Basic Auth are allowed to authenticate users)
  Required: No. Default: single
  Role: admin

abiquo.saml.redirect.endpoint
  Description: URI redirect for a successful Abiquo login using SAML SSO. Accepts: any valid URI. Example: https://your.env.com/ui
  Required: Yes
  Role: admin

abiquo.saml.redirect.error.endpoint
  Description: URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a query parameter, "?error", or a valid URI like the one from the example. Accepts: any valid URI. Example: https://your.env.com/ui/?error=ERROR_CODE. See Configure UI login errors
  Required: No. Default: ?error
  Role: admin

abiquo.saml.metadata.mode
  Description: Indicates if the SP metadata is provided or must be generated by the API. Accepts: provided (use existing metadata defined with the abiquo.saml.metadata.serviceprovider.path property); generated (the API generates the metadata; requires the Abiquo Server to have an SP configuration)
  Required: No. Default: generated
  Role: admin

abiquo.saml.metadata.serviceprovider.path
  Description: Indicates the location of the SP metadata to load. Accepts: any location path of the file to read
  Required: Only if abiquo.saml.metadata.mode is set to provided
  Role: admin

abiquo.saml.metadata.identityprovider.path
  Description: Indicates the location of the IdP metadata to load. Accepts: any location path of the file to read. For multiple identity providers, use a comma-separated list
  Required: Yes
  Role: admin

abiquo.saml.metadata.generator.bindingSSO
  Description: If abiquo.saml.metadata.mode is set to generated, this property indicates which bindings must be allowed. Accepts: a comma-separated list with the binding names
  Required: No. Default: POST, Artifact
  Role: saml admin

abiquo.saml.keys.keystore.path
  Description: Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. Accepts: any location path of the file to read
  Required: Yes
  Role: admin

abiquo.saml.keys.keystore.password
  Description: The password to unlock the Java keystore at the location indicated by the abiquo.saml.keys.keystore.path property.
  Required: Yes
  Role: admin

abiquo.saml.keys.signing.alias
  Description: The alias of the key to use for signing SAML requests. Accepts: any string
  Required: Yes
  Role: admin

abiquo.saml.keys.signing.password
  Description: The password of the key to use for signing SAML requests. Accepts: any string
  Required: Yes
  Role: admin

abiquo.saml.keys.encryption.alias
  Description: The alias of the key to use for encryption of SAML requests. Accepts: any string
  Required: Yes
  Role: admin

abiquo.saml.keys.encryption.password
  Description: The password of the key to use for encryption of SAML requests.
  Required: Yes
  Role: admin

abiquo.saml.keys.metadata.sign
  Description: Indicates if the SAML requests must be signed. Accepts: a boolean
  Required: No. Default: false
  Role: admin

abiquo.saml.binding
  Description: Indicates the binding profile to allow. Accepts: the SAML binding profile's URN
  Required: Yes
  Role: saml admin

abiquo.saml.attributes.user.id.claim
  Description: Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. Accepts: any string
  Required: No
  Role: saml admin

abiquo.saml.attributes.role.claim
  Description: Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. Accepts: any string
  Required: Yes
  Role: saml admin

abiquo.saml.attributes.enterprise.claims
  Description: Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. Accepts: a comma-separated list of the claim attributes, with an optional enterprise property key separated by a colon. Pattern: <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>
  Required: Yes
  Role: saml admin

abiquo.saml.attributes.user.firstname.claim
  Description: Indicates which attribute must be read to find the user's first name. Accepts: any string
  Required: No. Default: FirstName
  Role: saml admin

abiquo.saml.attributes.user.lastname.claim
  Description: Indicates which attribute must be read to find the user's last name. Accepts: any string
  Required: No. Default: LastName
  Role: saml admin

abiquo.saml.attributes.user.email.claim
  Description: Indicates which attribute must be read in order to find the user's email. Accepts: any string
  Required: No. Default: EmailAddress
  Role: saml admin

abiquo.saml.login.allow.enterprise.pool
  Description: Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for SAML mode, not for SAML + user (multiple IdPs). Accepts: boolean
  Required: No. Default: false
  Role: saml admin

abiquo.saml.metadata.identityprovider.default.id
  Description: Sets the default SAML IdP. Accepts: the entityID attribute of the default IdP from its metadata
  Required: Yes
  Role: abiquo admin

abiquo.saml.metadata.identityprovider.userdomain.map
  Description: For multiple IdPs, map the user domains to the IdPs. Accepts: comma-separated list of email address domains and IdPs
  Required: Yes, for multiple IdPs
  Role: abiquo admin