Page Comparison

Author: Alex Torras (Unlicensed)

1. Create SAML IdP

1. Go to Security → Identity providers

2. Select Add identity provider

3. Select SAML 2.0 IdP and then Next

4. In the Configure SAML 2.0 IdP section:

   1. Enter a Name

   2. In IdP username select idpuser.subjectNameId

   3. In IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata

   4. In IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO

   5. In Destination enter https://{$ENV_FQDN}):443/api/saml/SSO

5. Select Finish

2. Create SAML Application

...

Go to Applications → Applications

...

Select Create App Integration

...

Select SAML 2.0 and then Next

...

Enter an App name and select Next

In the Configure SAML section:

...

Prepare Abiquo enterprise and role

1. Log in to your Abiquo and Go to the Users tab.

2. Create a new enterprise with the desired scope,i.e. ExternalEnterprise with Global Scope:
   

3. Image Added

   After the new enterprise is created go to the Roles tab and create a new role inside this enterprise, give it a name, and fill in External Roles with the name the users in Okta will have as their Title, i.e.: External_role:
   

   Image Added

   Note: The role Name is Abiquo side only, so it does not matter that much. The external role is the value that will be checked against what comes from Okta in the abq-role attribute claim.

4. Save the new role, assign desired privileges to the role, and save the changes.

Set up Okta integration

1. Log in to Okta with Google account or email at: https://developer.okta.com/login or create a new account at: https://developer.okta.com/signup/ (Free developer edition)

Create an Application

2. Go to Applications→ Applications

3. Click Create App integration

4. Choose SAML 2.0 from the list and Next

5. Choose the Name, i.e Abiquo-test, Next

6. Set Single sign-on URL: https://{$ENV_FQDN}:443/api/saml/SSO
   

...

2. i.e.: https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/SSO

3. Set Audience URI (SP Entity ID)

...

2. : https://{$ENV_FQDN}:443/api/saml/metadata
   i.e.: https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/metadata

3. In

...

2. the Attribute Statements (optional) section add the following: 

...

Select Next and Finish.

...

and click Next

9. Select any option for feedback and click Finish

10. In Settings→ Sign on methods, SAML 2.0 section of your application open the metadata link in the new tab, and save the page as idp_metadata.xml

...

3. Configure User claims

1. Go to Directory → People.

2. Select the user you want to configure

3. Select Assign Applications

4. Select Assign on the SAML Application previously created

5. Select Save and Go Back and Done

6. Select Profile tab

7. Select Edit and in attributes enter the following

   1. Username:  the givenname

   2. First Name: the name

   3. Last Name: the surname

   4. Primary email: the email

   5. Title: the abq-role (the external role configured in your environment)

   6. Department: the abq-enterprise (the enterprise you want the user to sign in in your environment)

8. Select Save

4. Configure Abiquo

1. Create the abq-enterprise that you want the user to sign in to.

2. Create the role and for the External roles, enter the abq-role that you want to assign to the user.

3. On the Abiquo Server, configure the abiquo.properties file :

...

9. , do not close the tab yet
   

   Image Added

10. From the metadata page, note down the entityID value, i.e.: http://www.okta.com/exkezXXXXXXXX45d7 we will use it later to configure Abiquo.

    Image Added

    Now you can close the tab.

Important: You cannot have a slash ‘/’ at the end!

12. Go to the SAML Signing Certificates section of your application and download the currently active certificate:
    

...

Create an Identity Provider

13. Go to Security→ Identity providers

14. Click ‘Add identity’ provider

15. Choose SAML 2.0 idP from the list and confirm

16. Set the Name to your idP, i.e. Abiquo

17. In the Authentication Settings set IdP username to idpuser.subjectNameId

18. In the SAML Protocol Settings section set:
    IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata
    IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO
    Destination enter https://{$ENV_FQDN}):443/api/saml/SSO

19. As IdP Signature Certificate point to the certificate you downloaded from your application in step 12. and Finish

Assign the Application to the user

20. Go to the Directory menu-> People

21. Click on your user and in the Applications tab Assign Application

22. Click on the Assign link next to your application name and Save and Go back, Done

23. Go to the Profile tab of your user and Edit

24. In the Title enter the External role name of the new role you created in Abiquo system, i.e. External_role.

25. In the Department field enter the name of the Enterprise you created in Abiquo system, i.e. ExternalEnterprise

26. Save the Profile changes

Configure your Abiquo API server

27. On the Abiquo API server, go to /opt/abiquo/config/saml (if this folder does not exist, then create it). Create a keystore.jks with the alias and password specified in the properties, for example: 

keytool -genkeypair -v -keystore keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000

28. Upload the idp_metadata.xml file downloaded from the SAML application in step 10. to the /opt/abiquo/config/saml folder.

29. Edit your /opt/abiquo/config/abiquo.properties and add the following configuration for Okta SAML, remember to change the respective values:

abiquo.auth.module = saml

#SAML
abiquo.saml.mode = multi
abiquo.login.samesite = strict

# Mandatory property to control the maximum time in seconds that users can use
# SAML single sign-on after their initial authentication with the IDP.
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600

abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error

abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/Keystorekeystore.jks
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.alias = Test
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.alias = Test
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.keys.metadata.sign = false

abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

abiquo.saml.metadata.mode = generated

# entityID from step 11.
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/{$YOUR_ID}xxxxXXXxxx

# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml

# For >1 IDPs, add commas between pairs of values
# your application metadata link from step 10.
abiquo.saml.metadata.identityprovider.userdomain.map = https://trialdel-8804901XXXXXXXXX.okta.com/app/{$YOUR_ID}xxxXXXxxx/sso/saml/metadata


abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = namegivenname
abiquo.saml.attributes.user.firstname.claim = givennamename
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress

...

On the Abiquo Server, go to /opt/abiquo/config/saml (if this folder does not exist, then create it). Create a keystore.jks with the alias and password specified in the properties, for example: 

keytool -genkeypair -v -keystore Keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000

...

30. Edit /var/www/html/ui/config/client-config-custom.json and add the following configuration to allow SAML login:

"client.login.modules": [
      {
          "label": "Basic Auth",
          "description": "Basic Auth login",
          "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html",
          "cookieName": ""
      },
      {
          "label": "SAML",
          "description": "SAML login",
          "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html",
          "cookieName": "ABQSAMLTOKENS"
      }
  ]

31. Restart your abiquo-tomcat service