...
Log in to Abiquo and go to the Users tab.
Create a new enterprise with the desired scope, e.g. ExternalEnterprise with Global scope:
After the new enterprise is created, go to the Roles tab and create a new role inside this enterprise. Give it a name and fill in External Roles with the value that the Okta users will carry as their Title, e.g. External_role:
Note: The role Name is used on the Abiquo side only, so its exact value does not matter. The External Role is the value that Abiquo compares with what Okta sends in the abq-role attribute claim, so it must match that claim.
Save the new role, assign the desired privileges to it, and save the changes.
...
Go to Applications→ Applications
Click Create App integration
Choose SAML 2.0 from the list and click Next
Enter a name, e.g. Abiquo-test, and click Next
Set Single sign-on URL:
https://{$ENV_FQDN}:443/api/saml/SSO
e.g. https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/SSO
Set Audience URI (SP Entity ID):
https://{$ENV_FQDN}:443/api/saml/metadata
e.g. https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/metadata
In the Attribute Statements (optional) section add the following:
...
Select any option for feedback and click Finish
In Settings → Sign on methods, in the SAML 2.0 section of your application, open the metadata link in a new tab and save the page as idp_metadata.xml. Do not close the tab yet.
From the metadata page, note down the entityID value, e.g.:
http://www.okta.com/exkezXXXXXXXX45d7
You will use it later to configure Abiquo. Now you can close the tab.
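The values you have to copy out of idp_metadata.xml by hand (the entityID, the SSO endpoint for the binding Abiquo will use, and the signing certificate) can also be pulled out and sanity-checked with a short script. The following is an added example, not part of the original page and not Abiquo or Okta code; the embedded metadata is a constructed sample shaped like what Okta serves for a SAML app, with a placeholder entityID, hostname, app id and certificate body.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the metadata Okta serves for a SAML app integration.
# The entityID, Okta hostname, app id and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBplaceholderCertificateBody
            NotARealCertificate
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract what the Abiquo configuration needs from IdP metadata.

    Returns the entityID, the SSO endpoints keyed by binding, the signing
    certificates (base64 with whitespace removed) and whether the IdP
    wants signed AuthnRequests.
    """
    # xml.etree is fine for metadata you downloaded yourself from Okta;
    # for metadata from an untrusted source prefer defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall(f"{{{MD}}}SingleSignOnService")}

    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        "want_authn_requests_signed":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check_for_abiquo(info, binding=HTTP_REDIRECT):
    """Return the problems that would break the setup described on this page.

    `binding` is the value you put in abiquo.saml.binding; the IdP must
    offer a SingleSignOnService endpoint for it.
    """
    problems = []
    if not info["entity_id"]:
        problems.append("metadata has no entityID (needed for identityprovider.default.id)")
    if not info["signing_certs"]:
        problems.append("no signing certificate: Abiquo could not verify SAML responses")
    if binding not in info["sso"]:
        problems.append(f"IdP offers no SingleSignOnService for binding {binding}")
    for b, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {b} is not https: {location}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", info["entity_id"])
    print("HTTP-Redirect SSO:", info["sso"].get(HTTP_REDIRECT))
    print("signing certs:", len(info["signing_certs"]))
    print("problems:", check_for_abiquo(info) or "none")
```

Run it against the real file with `parse_idp_metadata(open("idp_metadata.xml").read())`; the entityID it prints is the value for abiquo.saml.metadata.identityprovider.default.id, and an empty problem list confirms the IdP offers the HTTP-Redirect binding that the Abiquo configuration below selects.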
...
Go to Security→ Identity providers
Click ‘Add identity provider’
Choose SAML 2.0 IdP from the list and confirm
Set the Name of your IdP, e.g. Abiquo
In Authentication Settings, set IdP username to
idpuser.subjectNameId
In the SAML Protocol Settings section set:
IdP Issuer URI: https://{$ENV_FQDN}:443/api/saml/metadata
IdP Single Sign-On URL: https://{$ENV_FQDN}:443/api/saml/SSO
Destination: https://{$ENV_FQDN}:443/api/saml/SSO
As IdP Signature Certificate, select the certificate you downloaded from your application in step 12, and click Finish
...
abiquo.auth.module = saml

# SAML
abiquo.saml.mode = multi
abiquo.login.samesite = strict

# Mandatory property to control the maximum time in seconds that users can use
# SAML single sign-on after their initial authentication with the IDP.
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600

abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error

abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/keystore.jks
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.alias = Test
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.alias = Test
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.keys.metadata.sign = false

abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.metadata.mode = generated

# entityID from step 11.
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/xxxxXXXxxx

# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml

# For >1 IDPs, add commas between pairs of values
# your application metadata link from step 10.
abiquo.saml.metadata.identityprovider.userdomain.map = https://deldev-XXXXXXXXX.okta.com/app/xxxXXXxxx/sso/saml/metadata

abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = givenname
abiquo.saml.attributes.user.firstname.claim = name
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress

The keystore alias (Test) and passwords (changeit) above are sample values; replace them with the alias and passwords of your own keystore, and replace the Okta identifiers with the entityID and metadata link noted in the previous steps.
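Two things in this fragment are easy to get subtly wrong: the default.id must be exactly the entityID from idp_metadata.xml, and the role claim value Okta sends must equal the External Role (not the role Name) created in the Abiquo Roles tab. The script below is an added example, not part of the page and not Abiquo's implementation: it parses a constructed copy of the properties fragment, cross-checks it against a given entityID, flags the sample passwords, and then shows how the abiquo.saml.attributes.* claim names pick the user fields out of a constructed attribute statement. The exact-match role resolution and the "first enterprise claim present wins" rule in map_user are assumptions made for the example, and the Okta identifiers and user data are placeholders.

```python
# Constructed abiquo.properties fragment following the SAML section on this page.
# The Okta identifiers are placeholders; the passwords are the page's sample values.
SAMPLE_PROPERTIES = """\
abiquo.auth.module = saml
abiquo.saml.mode = multi
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/exk0000000000000000
abiquo.saml.metadata.identityprovider.userdomain.map = https://example.okta.com/app/exk0000000000000000/sso/saml/metadata
abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = givenname
abiquo.saml.attributes.user.firstname.claim = name
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress
"""

PLACEHOLDER_SECRETS = {"", "changeit", "password", "secret"}
PASSWORD_KEYS = ("abiquo.saml.keys.keystore.password",
                 "abiquo.saml.keys.signing.password",
                 "abiquo.saml.keys.encryption.password")
REQUIRED_CLAIMS = ("abiquo.saml.attributes.role.claim",
                   "abiquo.saml.attributes.enterprise.claims",
                   "abiquo.saml.attributes.user.id.claim",
                   "abiquo.saml.attributes.user.email.claim")


def parse_properties(text):
    """Parse Java-style 'key = value' lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_saml_properties(props, idp_entity_id):
    """Cross-check the fragment against the entityID read from idp_metadata.xml.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    if props.get("abiquo.auth.module") != "saml":
        findings.append("abiquo.auth.module is not saml")
    if props.get("abiquo.saml.metadata.identityprovider.default.id") != idp_entity_id:
        findings.append("identityprovider.default.id does not match the metadata entityID")
    if (props.get("abiquo.saml.mode") == "multi"
            and not props.get("abiquo.saml.metadata.identityprovider.userdomain.map")):
        findings.append("mode=multi but identityprovider.userdomain.map is empty")
    for key in PASSWORD_KEYS:
        if props.get(key, "") in PLACEHOLDER_SECRETS:
            findings.append(f"{key} is a placeholder; set the real keystore password")
    try:
        maxage = int(props.get("abiquo.saml.authentication.maxage", ""))
    except ValueError:
        maxage = -1
    if maxage <= 0:
        findings.append("abiquo.saml.authentication.maxage must be a positive number of seconds")
    for key in REQUIRED_CLAIMS:
        if not props.get(key):
            findings.append(f"{key} is not set")
    return findings


# Constructed attribute statement as Abiquo would see it after Okta evaluates the
# app's Attribute Statements: claim name -> list of values. All data is made up.
SAMPLE_ATTRIBUTES = {
    "givenname": ["jdoe"], "name": ["Jane"], "surname": ["Doe"],
    "emailaddress": ["jdoe@example.com"],
    "abq-role": ["External_role"], "abq-enterprise": ["ExternalEnterprise"],
}

# Roles as created in the Abiquo Roles tab: Abiquo role Name -> External Role value.
ABIQUO_ROLES = {"External users": "External_role"}


def map_user(props, attributes, abiquo_roles):
    """Resolve the Abiquo user fields and role from the SAML attributes.

    Assumption (hypothetical, not Abiquo's implementation): the role claim value
    is compared with the External Role by exact string match, and the first
    claim listed in enterprise.claims that is present in the assertion wins.
    """
    def first(claim_name):
        values = attributes.get(claim_name, [])
        return values[0] if values else None

    role_value = first(props["abiquo.saml.attributes.role.claim"])
    role_name = next((name for name, ext in abiquo_roles.items() if ext == role_value), None)
    enterprise = None
    for claim_name in props["abiquo.saml.attributes.enterprise.claims"].split(","):
        enterprise = first(claim_name.strip())
        if enterprise:
            break
    return {
        "id": first(props["abiquo.saml.attributes.user.id.claim"]),
        "firstname": first(props["abiquo.saml.attributes.user.firstname.claim"]),
        "lastname": first(props["abiquo.saml.attributes.user.lastname.claim"]),
        "email": first(props["abiquo.saml.attributes.user.email.claim"]),
        "enterprise": enterprise,
        "role": role_name,
    }
```

With the sample data, check_saml_properties reports only the three placeholder passwords, and map_user resolves the role because the abq-role value equals the External Role. If Okta sent the Abiquo role Name ("External users") instead, the lookup returns no role, which is the mismatch the note in the Abiquo steps warns about.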
...