Versions Compared

Old Version 10

changes.mady.by.user Aleksandra Nowotna

Saved on

compared with

New Version Current

changes.mady.by.user Aleksandra Nowotna

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

...

Prepare Abiquo enterprise and role

  1. Log in to your Abiquo and Go to the Users tab.

  2. Create a new enterprise with the desired scope,i.e. ExternalEnterprise with Global Scope:

  3. Image RemovedImage Added

    After the new enterprise is created go to the Roles tab and create a new role inside this enterprise, give it a name, and fill in External Roles with the name the users in Okta will have as their Title, i.e.: External_role:

    Image RemovedImage Added

    Note: The role Name is Abiquo side only, so it does not matter that much. The external role is the value that will be checked against what comes from Okta in the abq-role attribute claim.

  4. Save the new role, assign desired privileges to the role, and save the changes.

...

Set up Okta integration

1. Create an Application

  1. Log in to Okta with Google account or email at: https://developer.okta.com/login or create a new account at: https://developer.okta.com/signup/ (Free developer edition)

...

  1. Go to Applications→ Applications

  2. Click Create App integration

  3. Choose SAML 2.0 from the list and Next

  4. Choose the Name, i.e Abiquo-test, Next

  5. Set Single sign-on URL: https://{$ENV_FQDN}:443/api/saml/SSO
    i.e.: https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/SSO

  6. Set Audience URI (SP Entity ID): https://{$ENV_FQDN}:443/api/saml/metadata
    i.e.: https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/metadata

  7. In the Attribute Statements (optional) section add the following: 

...

  1. Select any option for feedback and click Finish

  2. In Settings→ Sign on methods, SAML 2.0 section of your application open the metadata link in the new tab, and save the page as idp_metadata.xml, do not close the tab yet

    Image RemovedImage Added

  3. From the metadata page, note down the entityID value, i.e.:http://www.okta.com/exkezXXXXXXXX45d7 we will use it later to configure Abiquo.

    Image RemovedImage Added

    Now you can close the tab.

...

  1. Go to the SAML Signing Certificates section of your application and download the currently active certificate:

...

2.

...

Create an Identity Provider

  1. Go to Security→ Identity providers

  2. Click ‘Add identity’ provider

  3. Choose SAML 2.0 idP from the list and confirm

  4. Set the Name to your idP, i.e. Abiquo

  5. In the Authentication Settings set IdP username to idpuser.subjectNameId

  6. In the SAML Protocol Settings section set:
    IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata
    IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO
    Destination enter https://{$ENV_FQDN}):443/api/saml/SSO

  7. As IdP Signature Certificate point to the certificate you downloaded from your application in step 12. and Finish

...

3. Assign the Application to the user

  1. Go to the Directory menu-> People

  2. Click on your user and in the Applications tab Assign Application

  3. Click on the Assign link next to your application name and Save and Go back, Done

  4. Go to the Profile tab of your user and Edit

  5. In the Title enter the External role name of the new role you created in Abiquo system, i.e. External_role.

  6. In the Department field enter the name of the Enterprise you created in Abiquo system, i.e. ExternalEnterprise

  7. Save the Profile changes

...

4. Configure your Abiquo API server

  1. On the Abiquo API server, go to /opt/abiquo/config/saml (if this folder does not exist, then create it). Create a keystore.jks with the alias and password specified in the properties, for example: 

...

Code Block
abiquo.auth.module = saml

#SAML
abiquo.saml.mode = multi
abiquo.login.samesite = strict

# Mandatory property to control the maximum time in seconds that users can use
# SAML single sign-on after their initial authentication with the IDP.
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600
abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error

abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/keystore.jks
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.alias = Test
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.alias = Test
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.keys.metadata.sign = false

abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.metadata.mode = generated

# entityID from step 11.
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/xxxxXXXxxx

# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml

# For >1 IDPs, add commas between pairs of values
# your application metadata link from step 10.
abiquo.saml.metadata.identityprovider.userdomain.map = https://deldev-XXXXXXXXX.okta.com/app/xxxXXXxxx/sso/saml/metadata

abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = givenname
abiquo.saml.attributes.user.firstname.claim = name
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress

...