Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Log in to the Abiquo server as the system administrator

  2. Create a folder to store the configuration

    Code Block
    mkdir /opt/abiquo/config/saml
  3. Download the federation metadata XML file for your configuration. This may be from a link like:
    https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
    See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpoints

  4. Create a metadata file for the identity provider, for example, at /opt/abiquo/config/saml/idp_metadata.xml and edit this file.

  5. Open the metadata XML file, and copy the EntityDescriptor bracket with only the IDPSSODescriptor bracket inside it. Paste it in your metadata file for the entity provider.
    It should look something like this but with different values for your identity provider.

    Code Block
    <?xml version="1.0" encoding="utf-8"?>
    <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            ...
        </IDPSSODescriptor>
    </EntityDescriptor>
    1. The entityID should be the value from your file. It may be something like this: https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/

    2. The EntityDescriptor ID should also be the value from your file.

  6. Edit /var/www/html/ui/config/client-config-custom.json and add the following configuration to allow SAML login.

    Code Block
       "client.login.modules": [
          {
              "label": "Basic Auth",
              "description": "Basic Auth login",
              "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html",
              "cookieName": ""
          },
          {
              "label": "SAML",
              "description": "SAML login",
              "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html",
              "cookieName": "ABQSAMLTOKENS"
          }
      ]

  7. Edit /opt/abiquo/config/abiquo.properties and configure the following properties.

    Code Block
    abiquo.auth.module = saml
    abiquo.saml.mode = multi
    
    abiquo.login.samesite = strict
    
    # Mandatory property to control the maximum time in seconds that users can use 
    # SAML single sign-on after their initial authentication with the IDP. 
    # The default represents 24 days.
    abiquo.saml.authentication.maxage = 2073600
    
    abiquo.saml.redirect.endpoint = https://ABIQUO_FQDN/ui
    abiquo.saml.redirect.error.endpoint = https://ABQIUO_FQDN/ui/?error
    abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/MY_SAML_KEYSTORE
    abiquo.saml.keys.keystore.password = MY_SAML_KEYSTORE_PASSWORD
    abiquo.saml.keys.signing.alias = MY_SAML_APP_NAME
    abiquo.saml.keys.signing.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.encryption.alias = MY_SAML_APP
    abiquo.saml.keys.encryption.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.metadata.sign = false
    abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    abiquo.saml.metadata.mode = generated
    #abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml
    abiquo.saml.metadata.identityprovider.default.id = ENTITY_ID
    # For >1 IDPs, add commas between XML paths
    abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml
    # For >1 IDPs, add commas between pairs of values
    abiquo.saml.metadata.identityprovider.userdomain.map = myorg.onmicrosoft.com=MY_ENTITY_ID
     
    
    # Set the claim names we have set up before in Azure AD
    abiquo.saml.attributes.role.claim = abq-role
    abiquo.saml.attributes.enterprise.claims = abq-enterprise
    abiquo.saml.attributes.user.id.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    abiquo.saml.attributes.user.firstname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    abiquo.saml.attributes.user.lastname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    abiquo.saml.attributes.user.email.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    

    1. The #abiquo.saml.metadata.serviceprovider.path property should be commented out because first you can generate the metadata and later provide it with the file saved at this path

    2. Replace the following values with the values for your environment:

      1. ABIQUO_FQDN

      2. MY_SAML_KEYSTORE

      3. MY_SAML_KEYSTORE_PASSWORD

      4. MY_SAML_APP_NAME

      5. MY_SAML_KEY_PASSWORD

      6. MY_SAML_APP

      7. MY_SAML_KEY_PASSWORD

      8. MY_ENTITY_ID: you can get this from the Azure federation XML. It may be something like https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/ 

  8. Create a keystore with the above keystore values.

    Code Block
    cd /opt/abiquo/config/saml
    keytool -genkey -v -keystore MY_SAML_KEYSTORE -storepass MY_SAML_KEYSTORE_PASSWORD -alias MY_SAML_APP_NAME -keypass MY_SAML_KEY_PASSWORD -keyalg RSA -keysize 2048 -validity 10000

    (In our test system we are used the one value for the signing and encryption password as MY_SAML_KEY_PASSWORD)

  9. Restart the Abiquo API

  10. Check that the API works and has started successfully by logging in to Abiquo with basic auth as admin

...