Versions Compared

Old Version 29

changes.mady.by.user MS

Saved on

compared with

New Version 30

changes.mady.by.user MS

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Add multiple identity providers for SAML

...

About enterprise and role binding

The Abiquo API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is You can configure more than one identity provider for SAML. With the configuration, when the user enters their email address to log in, Abiquo will select the IdP based on its domain name, or it will use the default IdP. 

Abiquo still uses the same IdP configuration for all providers, for example, it will search for the same abq-role attribute to match an Abiquo role.

To configure an existing SAML integration with more IdPs, do these steps on the Abiquo Server:

  1. Save the metadata for the new IdPs, as for the first IdP

  2. For the default IdP, edit the metadata and set the Default attribute

  3. Edit the abiquo.properties file to make these changes:

    1. Add the paths to the metadata of the new IdPs as a comma separated list to the abiquo.saml.metadata.identityprovider.path property

    2. To set the default IdP, add the new abiquo.saml.metadata.identityprovider.default.id property

    3. To map the user email domains to IdPs, set the new abiquo.saml.metadata.identityprovider.userdomain.map property with a comma separated list of keys and values. For example:

      Code Block
      abiquo.saml.metadata.identityprovider.userdomain.map = example.com=https://sts.example.com/ffff2108-833e-4940-87e6-3d39ce9adb70/,abiquo.com=https://idp.example.com

      (warning) Do not use a comma , in a key or a value
      (warning) Do not use use an equals sign = in the key

  4. Share the Abiquo SP data with the new IdPs

  5. On the UI server, edit the client-config-custom.json file and change the client.login.module property from SAML to SAML + user.
    For more details, see the examples in client-config-default.json file.

For this feature, there is a new /saml/idp endpoint in the Abiquo API where the UI will send a GET request with the user domain. This endpoint will return a redirect to the usual /saml/login endpoint with the appropriate IdP. Then the login will continue as for a single IdP.

Note

When you enable this feature, Abiquo will change the XML security metadata of the Abiquo application. Abiquo will add the beans for new IdPs and mark the default IdP in the metadata configuration of security-saml-generated-beans.xml and security-saml-provided-beans.xml.

  • Before you upgrade Abiquo, you must back up the security beans configuration.

  • After you upgrade Abiquo, when there is a new version of the security beans files, you must add the default IdP and the IdP beans again

...

About enterprise and role binding

The Abiquo API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is called enterprise and role binding.

...

Key

Description

Required

Role

abiquo.auth.module

Sets the authentication module to use in the Abiquo Platform.
Accepts: abiquo, saml, openid, ldap

Yes

Status
colourBlue
titleadmin

abiquo.login.samesite 

Control the value of the SameSite flag of the login cookie.
See Abiquo configuration properties#samesite

No
Default: strict

Status
colourBlue
titleadmin

(warning) abiquo.saml.authentication.maxageNew in Abiquo 6.0.0

Required to start SAML and Abiquo

Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP.

Required to start SAML
Default: 2073600

Status
colourBlue
titleadmin

abiquo.saml.mode

Indicates the SAML mode to use.
Accepts:

  • single: only SAML is allowed to authenticate users

  • multiple: SAML and Basic Auth are allowed to authenticate users.

No
Default: single

Status
colourBlue
titleadmin

abiquo.saml.redirect.endpoint

URI redirect for a successful Abiquo login using SAML SSO.
Accepts: any valid URI
Example: https://your.env.com/ui

Yes

Status
colourBlue
titleadmin

abiquo.saml.redirect.error.endpoint

URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a query parameter, "?error", or a valid URI like the one from the example.
Accepts: any valid URI
Example: https://your.env.com/ui/?error=ERROR_CODE
See Configure UI login errors

No
Default: 
?error

Status
colourBlue
titleadmin

abiquo.saml.metadata.mode = provided


Indicates if the SP metadata is provided or must be generated by the API.
Accepts:

  • provided: use existing metadata defined with the following property: abiquo.saml.metadata.serviceprovider.path

  • generated: the API should generate the metadata. Requires the Abiquo Server to have an SP configuration

No
Default: generated

Status
colourBlue
titleadmin

abiquo.saml.metadata.serviceprovider.path

Indicates the location of the SP metadata to load.
Accepts: Any location path of the file to read

Only if abiquo.saml.metadata.mode
is set to provided

Status
colourBlue
titleadmin

abiquo.saml.metadata.identityprovider.path

Indicates the location of the IdP metadata to load.
Accepts: Any location path of the file to read. For multiple identity providers, use a comma separated list

Yes

Status
colourBlue
titleadmin

abiquo.saml.metadata.generator.bindingSSO

If abiquo.saml.metadata.mode is set to generated, this property will indicate which binding must be allowed.
Accepts: A comma-separated list with the binding names

No
Default: POST, Artifact

Status
colourBlue
titleadmin

Status
colourYellow
titlesaml admin

abiquo.saml.keys.keystore.path

Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests.
Accepts: Any location path of the file to read

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.keystore.password

The password to unlock the Java keystore from location indicated by abiquo.saml.keys.keystore.path property.

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.signing.alias

The alias of the key to use for signing SAML Requests
Accepts: any string

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.signing.password

The password of the key to use for signing SAML Requests
Accepts: any string

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.encryption.alias

The alias of the key to use for encryption of SAML Requests
Accepts: any string

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.encryption.password

The password of the key to use for encryption of SAML Requests

Yes

Status
colourBlue
titleadmin

abiquo.saml.keys.metadata.sign

Indicates if the SAML Requests must be signed.
Accepts: a boolean

No
Default: false

Status
colourBlue
titleadmin

Status
colourYellow
titlesaml admin

abiquo.saml.binding

Indicates the binding profile to allow.
Accepts: the SAML binding profile's URN

Yes

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.user.id.claim

Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used.
Accepts: any string

No

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.role.claim

Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login.
Accepts: any string

Yes

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.enterprise.claims

Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key.
Accepts: a comma-separated list of the claim attributes, with an optional enterprise property key separated by a colon.
Pattern: <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>

Yes

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.user.firstname.claim

Indicates which attribute must be read to find the user name.
Accepts: any string

No
Default: FirstName

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.user.lastname.claim

Indicates which attribute must be read to find the user last name.
Accepts: any string

No
Default: LastName

Status
colourYellow
titlesaml admin

abiquo.saml.attributes.user.email.claim

Indicates which attribute must be read in order to find the user email.
Accepts: any string

No
Default: EmailAddress

Status
colourYellow
titlesaml admin

abiquo.saml.login.allow.enterprise.pool

Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for SAML mode, not for SAML + user (multiple IDPs).
Accepts: boolean

No
Default: false

Status
colourYellow
titlesaml admin

abiquo.saml.metadata.identityprovider.default.id

Sets the default SAML IdP
Accepts: The entityID attribute of the default IdP from its metadata

Yes

Status
colourBlue
titleabiquo admin

abiquo.saml.metadata.identityprovider.userdomain.map

For multiple IdPs, map the user domains to the IdPs
Accepts: Comma separated list of email address domains and IdPs

Yes, for multiple IdPs

Status
colourBlue
titleabiquo admin

...