
  1. Log in to the Abiquo server as the system administrator

  2. Create a folder to store the configuration

    mkdir /opt/abiquo/config/saml
  3. Download the federation metadata XML file for your configuration. This may be from a link like:
    https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
    See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpoints

  4. Create a metadata file for the identity provider, for example, at /opt/abiquo/config/saml/idp_metadata.xml and edit this file.

  5. Open the federation metadata XML file and copy the EntityDescriptor element with only the IDPSSODescriptor element inside it. Paste it into your metadata file for the identity provider.
    It should look something like this, but with the values for your identity provider.

    <?xml version="1.0" encoding="utf-8"?>
    <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/"
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            ...
        </IDPSSODescriptor>
    </EntityDescriptor>
    1. The entityID should be the value from your file. It may be something like this: https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/

    2. The EntityDescriptor ID should also be the value from your file.

  6. Edit /var/www/html/ui/config/client-config-custom.json and add the following configuration to allow SAML login.

    "client.login.modules": [
        {
            "label": "Basic Auth",
            "description": "Basic Auth login",
            "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html",
            "cookieName": ""
        },
        {
            "label": "SAML",
            "description": "SAML login",
            "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html",
            "cookieName": "ABQSAMLTOKENS"
        }
    ]

  7. Edit /opt/abiquo/config/abiquo.properties and configure the following properties.

    abiquo.auth.module = saml
    abiquo.saml.mode = multi
    
    abiquo.login.samesite = strict
    
    # Mandatory property to control the maximum time in seconds that users can use 
    # SAML single sign-on after their initial authentication with the IDP. 
    # The default represents 24 days.
    abiquo.saml.authentication.maxage = 2073600
    
    abiquo.saml.redirect.endpoint = https://ABIQUO_FQDN/ui
    abiquo.saml.redirect.error.endpoint = https://ABIQUO_FQDN/ui/?error
    abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/MY_SAML_KEYSTORE
    abiquo.saml.keys.keystore.password = MY_SAML_KEYSTORE_PASSWORD
    abiquo.saml.keys.signing.alias = MY_SAML_APP_NAME
    abiquo.saml.keys.signing.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.encryption.alias = MY_SAML_APP
    abiquo.saml.keys.encryption.password = MY_SAML_KEY_PASSWORD
    abiquo.saml.keys.metadata.sign = false
    abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    abiquo.saml.metadata.mode = generated
    #abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml
    abiquo.saml.metadata.identityprovider.default.id = MY_ENTITY_ID
    # For >1 IDPs, add commas between XML paths
    abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml
    # For >1 IDPs, add commas between pairs of values
    abiquo.saml.metadata.identityprovider.userdomain.map = myorg.onmicrosoft.com=MY_ENTITY_ID
     
    
    # Set the claim names we have set up before in Azure AD
    abiquo.saml.attributes.role.claim = abq-role
    abiquo.saml.attributes.enterprise.claims = abq-enterprise
    abiquo.saml.attributes.user.id.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    abiquo.saml.attributes.user.firstname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    abiquo.saml.attributes.user.lastname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    abiquo.saml.attributes.user.email.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    

    1. Keep the abiquo.saml.metadata.serviceprovider.path property commented out (#) at first: you can generate the service provider metadata first and later provide it from a file saved at this path.

    2. Replace the following values with the values for your environment:

      1. ABIQUO_FQDN

      2. MY_SAML_KEYSTORE

      3. MY_SAML_KEYSTORE_PASSWORD

      4. MY_SAML_APP_NAME

      5. MY_SAML_KEY_PASSWORD

      6. MY_SAML_APP

      7. MY_SAML_KEY_PASSWORD

      8. MY_ENTITY_ID: you can get this from the Azure federation XML. It may be something like https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/ 

  8. Create a keystore with the above keystore values.

    cd /opt/abiquo/config/saml
    keytool -genkey -v -keystore MY_SAML_KEYSTORE -storepass MY_SAML_KEYSTORE_PASSWORD -alias MY_SAML_APP_NAME -keypass MY_SAML_KEY_PASSWORD -keyalg RSA -keysize 2048 -validity 10000

    (In our test system we used a single value, MY_SAML_KEY_PASSWORD, for both the signing and encryption passwords.)

  9. Restart the Abiquo API

  10. Check that the API works and has started successfully by logging in to Abiquo with basic auth as admin
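The following is an added example, not Abiquo's own code: it automates the trimming in step 5 and then checks that the entity IDs set in step 7 match the entityID in the trimmed metadata. The function names and all sample values are constructed for illustration, and it assumes that every entity ID referenced in abiquo.properties must appear as an entityID in an identity provider metadata file, as the MY_ENTITY_ID note in step 7 implies. Trimming drops any Signature element too, so the resulting file is not covered by the identity provider's XML signature; download the source over the HTTPS endpoint from step 3.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("", MD)  # serialize metadata elements without a prefix

# Constructed sample input (not real tenant data).
SAMPLE_METADATA = """<EntityDescriptor ID="_constructed" entityID="https://sts.example.test/tenant/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
SAMPLE_PROPS = """
abiquo.saml.metadata.identityprovider.default.id = https://sts.example.test/tenant/
abiquo.saml.metadata.identityprovider.userdomain.map = myorg.example.test=https://sts.example.test/tenant/,other.example.test=https://sts.example.test/missing/
"""

def trim_idp_metadata(xml_text):
    """Return (entityID, XML) with only IDPSSODescriptor left in EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    for child in list(root):
        if child.tag != f"{{{MD}}}IDPSSODescriptor":
            root.remove(child)  # e.g. Signature, SPSSODescriptor
    if len(root) != 1:
        raise ValueError("expected exactly one IDPSSODescriptor")
    return root.get("entityID"), ET.tostring(root, encoding="unicode")

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_entity_ids(props, known_ids):
    """List references in abiquo.properties to entityIDs absent from the metadata."""
    prefix = "abiquo.saml.metadata.identityprovider."
    problems = []
    if props.get(prefix + "default.id") not in known_ids:
        problems.append("default.id is not an entityID from the metadata")
    for pair in filter(None, props.get(prefix + "userdomain.map", "").split(",")):
        domain, _, entity = pair.partition("=")
        if entity.strip() not in known_ids:
            problems.append(f"userdomain.map {domain.strip()!r} -> unknown entityID")
    return problems
```

On the real server, pass the contents of the downloaded federation metadata and of /opt/abiquo/config/abiquo.properties instead of the samples, and write the trimmed XML to the identity provider metadata file from step 4.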
