...
Table of Contents |
---|
Info |
---|
This document describes how to configure the SAML integration to log in the platform with SAML SSO using SAML 2.0. |
all of this documentation before |
you start to configure your environment. |
Table of Contents |
---|
...
start-numbering-at | h2 |
---|
Configure enterprise and role binding
The first time a SAML SSO login is successful, the Abiquo API will need to create a user in the platform. This user requires an enterprise and a role, so do these steps to configure enterprise and role binding.
In Abiquo create enterprises with Names or enterprise propertyKeys that will match the values of SAML attributes.
On the Abiquo Server, set the abiquo.saml.attributes.enterprise.claims property to specify the SAML attributes to match. Abiquo will get the values of these attributes and search for an enterprise name or enterprise property with this key to match the SAML values.
In Abiquo create roles and set the External roles value to match the value of one or more SAML attributes. One Abiquo role can match multiple external roles, but each external role should only match one Abiquo role.
On the Abiquo Server, set the abiquo.saml.attributes.role.claim property to specify the SAML attribute to match the roles
Matching examples
abiquo.saml.attributes.enterprise.claims = example
the API will get the value of the attribute "example" from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with a property key called "example" that has a property value that matches the SAML Response value.
abiquo.saml.attributes.enterprise.claims = organization,acc_id:account
the API will get the value of the attributes organization and acc_id. It will try to find an enterprise with a name that matches one of these values. If it can't find an enterprise, it will search by properties, and return the enterprise that has the property organization with the value from the SAML Response and the property account with the value from the SAML Response.
Enable SAML authentication mode
Abiquo integrates different authentication options and the default authentication mode is "abiquo", which is basic authentication for users stored in the Abiquo database.
To enable SAML in Abiquo:
On the Abiquo Server, set the abiquo.auth.module property to a value of "saml".
Before you start the Abiquo API again, complete the configuration in the follow sections to ensure that Abiquo API will start successfully.
Configure login modules in the UI
...
Property
...
Description
...
client.
...
Configure Abiquo modules to log in with Basic Auth (default), Open ID, SAML, or SAML + user.
For the initial SAML configuration, use SAML. When you add multiple IdPs, use SAML + user.
See client-config-default.json for details.
...
client.skip.login.view
...
By default, when in OpenID or SAML mode, Abiquo shows an initial screen with a link to the Authentication portal.
If this property is set to true, then Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.
Configure SameSite flag of login cookie
...
Configure the maximum authentication age
On the Abiquo server set the abiquo.saml.authentication.maxage property to control the maximum time in seconds that users can use SAML single sign-on after their initial authentication with the IDP. The default value is 2073600 seconds, which is 24 days.
Configure SAML identity provider
To enable Abiquo to identify and trust the SAML SSO Server (aka Identity Provider or IdP):
...
Get the IdP metadata and save it on the Abiquo Server
...
On the Abiquo Server, set the following property pointing to this file:
abiquo.saml.metadata.identityprovider.path=/opt/abiquo/config/saml/identityprovider_metadata.xml
...
Configure the Abiquo API as a SAML service provider
To configure Abiquo to act as a SAML Service Provider (SP) that can sign and encrypt SAML requests:
Create a dedicated keystore with the keys that Abiquo will need for signing and encrypting.
Configure the details of the keystore in Abiquo with the following properties:
abiquo.saml.keys.keystore.path=/op/abiquo/config/saml/saml_keystore.jks
abiquo.saml.keys.keystore.password=the_keystore_password
abiquo.saml.keys.metadata.sign=true
abiquo.saml.keys.signing.alias=alias_for_signing_key
abiquo.saml.keys.signing.password=password_for_signing_key
abiquo.saml.keys.encryption.alias=alias_for_encryption_key
abiquo.saml.keys.encryption.password=password_for_encryption_key
To configure the type of binding that the API will offer for the IdP, set the following property:
abiquo.saml.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
We recommend that you use the same binding type as the IdP.
To configure the browser redirect to the Abiquo environment after a successful login, set the following property:
abiquo.saml.redirect.endpoint=https://<your-environment>/ui
Optionally generate the service provider metadata
If you do not have an SP metadata XML file, you can generate one using the Abiquo API.
Configure the SP properties as described in the above steps.
On the Abiquo Server, set the following properties with these values
abiquo.saml.metadata.mode=generated
abiquo.saml.metadata.serviceprovider.path= # can be left empty because it is not used
abiquo.saml.mode=multi
Start the Abiquo API
Log in as an administrator user (with the PHYS_DC_MANAGE privilege)
Perform an authenticated request to the path /api/saml/metadata
Save the metadata response in a file
...
The API SAML metadata path is always enabled but it returns "provided" or "generated" metadata, depending on the value of the metadata.mode property.
This path is protected, so the property abiquo.saml.mode=multi allows the API to enable basic authentication and SAML SSO authentication.
This means that even if the SAML authentication is not already finished, you'll be able to perform the request with basic auth.
After you obtain the SP metadata, do these steps:
Add the metadata XML file to the IdP
Provide the SP metadata to the Abiquo API as described below
We also recommend that you do these additional steps
Disable basic authentication. To do this, set the abiquo.saml.mode property to single (or just delete it because single is the default value).
Configure the API to use the "provided" metadata file and stop the API from generating metadata each time you restart it. To do this, set the abiquo.saml.metadata.mode property to "provided"
Provide the SP metadata to the service provider and the identity provider
The Abiquo API (SP) and the SAML IdP require the SP metadata XML file. To configure the SP metadata XML file for the Abiquo API:
Save the SP metadata XML file on the Abiquo Server
Add the following properties:
abiquo.saml.metadata.serviceprovider.path=/opt/abiquo/config/saml/serviceprovider_metadata.xml
abiquo.saml.metadata.mode=provided
Your environment is now ready to use SAML SSO, just start the API and open the user interface in the browser.
Optionally configure custom login error messages for SAML
By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.
To display custom error messages, configure the redirect to add an error parameter.
On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint to point to your UI server and add an error code as follows:
Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json, you could create a label as follows:
Optionally configure a SAML enterprise pool
If you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value.
The login process will select the first matching enterprise from the pool.
To configure this option, set the following property.
...
Configure your SAML identity provider
We assume that you are already using SAML and that you already have your own IdP configuration.
Note |
---|
We provide some basic instructions to illustrate our example with IdP claims and to give a better picture of our SAML configuration.
|
To configure Azure Active Directory as an IdP for Abiquo testing:
Go to Azure portal (https://portal.azure.com)
Create an Azure Active Directory
For the Organization use
Default Directory
For the Domain use
MY_ORG.onmicrosoft.com
and replace MY_ORG with your organization name
Switch to the directory and create an Application
Go to Enterprise applications
Click Create your own application
Select the Integrate any other application you don't find in the gallery (Non-gallery) option
For the Name enter
samlidp
and click Create. Then wait for it to complete.
Go to Single sign-on, for the Authentication method, select SAML, and set the following values.
Basic SAML Configuration: add Abiquo URLs to authorize it as a client that can use this SAML IDP.
Identifier (Entity ID):
https://ABIQUO_FQDN:443/api/saml/metadata
ReplaceABIQUO_FQDN
with the domain name of your Abiquo serverReply URL (Assertion Consumer Service or ACS URL):
https://ABIQUO_FQDN:443/api/saml/SSO
ReplaceABIQUO_FQDN
with the domain name of your Abiquo serverSign on URL: Set an empty value
SAML Claims: create and set the claims you want to retrieve from AAD users in Abiquo.
For example:abq-enterprise:
user.department
abq-role:
user.jobtitle
user.userprincipalname
user.givenname
user.surname
user.mail
Go to the AAD organization main page and create SAML users.
Name: This will set the username in Abiquo
First Name
Last Name
Job title: This will set the user role in Abiquo, e.g.,
CLOUD_ADMIN_EXTERNAL
Department: This will set the enterprise in Abiquo, e.g.,
Abiquo
Add the users to the SAML IDP application we created before in order to authorize it to log in with SAML.
...
Create enterprises and roles for SAML
The first time a user logs in with SAML SSO, the Abiquo API will create the user’s account in the platform.
Before the user can log in, the administrator must create an Abiquo enterprise and role for the user and define their SAML attributes.
Log in to Abiquo as cloud admin
Go to Users
Create enterprises with Names or Properties to match the value of a SAML attribute. From our example above, we will match the SAML Department attribute
Enterprise Name:
Abiquo
OR if your enterprise names do not match SAML attributes, create or edit an enterprise, go to Properties and create a property to match.
Edit an enterprise (for example, Name =
My favorite enterprise
)Create an Enterprise property
Key:
department
Value:
Abiquo
Go to Roles
Create roles with External roles to match the value of a SAML attribute. From our example above, we will match Job title:
Role Name:
CLOUD_ADMIN_EXTERNAL
External roles:
CLOUD_ADMIN_EXTERNAL
...
Configure SAML on Abiquo server
To configure SAML on the Abiquo server:
Log in to the Abiquo server as the system administrator
Create a folder to store the configuration
Code Block mkdir /opt/abiquo/config/saml
Download the federation metadata XML file for your configuration. This may be from a link like:
https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpointsCreate a metadata file for the identity provider, for example, at
/opt/abiquo/config/saml/idp_metadata.xml
and edit this file.Open the metadata XML file, and copy the
EntityDescriptor
bracket with only theIDPSSODescriptor
bracket inside it. Paste it in your metadata file for the entity provider.
It should look something like this but with different values for your identity provider.Code Block <?xml version="1.0" encoding="utf-8"?> <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... </IDPSSODescriptor> </EntityDescriptor>
The
entityID
should be the value from your file. It may be something like this:https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/
The
EntityDescriptor ID
should also be the value from your file.
Edit
/var/www/html/ui/config/client-config-custom.json
and add the following configuration to allow SAML login.Code Block "client.login.modules": [ { "label": "Basic Auth", "description": "Basic Auth login", "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html", "cookieName": "" }, { "label": "SAML", "description": "SAML login", "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html", "cookieName": "ABQSAMLTOKENS" } ]
Edit
/opt/abiquo/config/abiquo.properties
and configure the following properties.Code Block abiquo.auth.module = saml abiquo.saml.mode = multi abiquo.login.samesite = strict # Mandatory property to control the maximum time in seconds that users can use # SAML single sign-on after their initial authentication with the IDP. # The default represents 24 days. abiquo.saml.authentication.maxage = 2073600 abiquo.saml.redirect.endpoint = https://ABIQUO_FQDN/ui abiquo.saml.redirect.error.endpoint = https://ABQIUO_FQDN/ui/?error abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/MY_SAML_KEYSTORE abiquo.saml.keys.keystore.password = MY_SAML_KEYSTORE_PASSWORD abiquo.saml.keys.signing.alias = MY_SAML_APP_NAME abiquo.saml.keys.signing.password = MY_SAML_KEY_PASSWORD abiquo.saml.keys.encryption.alias = MY_SAML_APP abiquo.saml.keys.encryption.password = MY_SAML_KEY_PASSWORD abiquo.saml.keys.metadata.sign = false abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect abiquo.saml.metadata.mode = generated #abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml abiquo.saml.metadata.identityprovider.default.id = MY_ENTITY_ID # For >1 IDPs, add commas between XML paths abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml # For >1 IDPs, add commas between pairs of values abiquo.saml.metadata.identityprovider.userdomain.map = myorg.onmicrosoft.com=MY_ENTITY_ID # Set the claim names we have set up before in Azure AD abiquo.saml.attributes.role.claim = abq-role abiquo.saml.attributes.enterprise.claims = abq-enterprise abiquo.saml.attributes.user.id.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name abiquo.saml.attributes.user.firstname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname abiquo.saml.attributes.user.lastname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname abiquo.saml.attributes.user.email.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
The
#abiquo.saml.metadata.serviceprovider.path
property should be commented out because first you can generate the metadata and later provide it with the file saved at this pathReplace the following values with the values for your environment:
ABIQUO_FQDN
MY_SAML_KEYSTORE
MY_SAML_KEYSTORE_PASSWORD
MY_SAML_APP_NAME
MY_SAML_KEY_PASSWORD
MY_SAML_APP
MY_SAML_KEY_PASSWORD
MY_ENTITY_ID
: you can get this from the Azure federation XML. It may be something likehttps://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/
Create a keystore with the above keystore values.
Code Block cd /opt/abiquo/config/saml keytool -genkey -v -keystore MY_SAML_KEYSTORE -storepass MY_SAML_KEYSTORE_PASSWORD -alias MY_SAML_APP_NAME -keypass MY_SAML_KEY_PASSWORD -keyalg RSA -keysize 2048 -validity 10000
(In our test system we are used the one value for the signing and encryption password as
MY_SAML_KEY_PASSWORD)
Restart the Abiquo API
Check that the API works and has started successfully by logging in to Abiquo with basic auth as
admin
...
Configure Abiquo as the service provider
To configure Abiquo as a service provider, obtain the metadata, save it to a file, and then enable the use of provided data.
Log in the Abiquo API server as an administrator
Generate the SP metadata:
Code Block curl -k -u ADMIN_USER:ADMIN_PASSWORD https://ABIQUO_FQDN:443/api/saml/metadata \ > /tmp/curl_sp_metadata.xml
Replace
ADMIN_USER
,ADMIN_PASSWORD
, andABIQUO_FQDN
with values for your environmentSave it to your SAML configuration folder
Code Block xmllint --format /tmp/curl_sp_metadata.xml > /opt/abiquo/config/saml/sp_metadata.xml
Edit the
abiquo.properties
file and set the values as followsCode Block abiquo.saml.metadata.mode = provided abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml
Restart the Abiquo API
Check that the API works and has started successfully by logging in with SAML
Username:
USER_NAME@MY_ORG.onmicrosoft.com
Additional configuration
We recommend that you do these additional steps
Add the metadata XML file to the IdP
Disable basic authentication. To do this, set the
abiquo.saml.mode
property tosingle
(or just delete it becausesingle
is the default value).
...
Configure custom login error messages for SAML
By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.
Optionally, to display custom error messages, configure the redirect to add an error parameter.
On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint
to point to your UI server and add an error code as follows:
Code Block |
---|
abiquo.saml.redirect.error.endpoint = https://your.env.com/ui/?error=ERROR_CODE |
Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json
, you could create a label as follows:
Code Block |
---|
"login.error.SAMLERROR2": "Login failed!", |
For details of more customizations, see Customize UI login errors.
...
Configure a SAML enterprise pool
Optionally, if you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value.
The login process will select the first matching enterprise from the pool.
To configure this option, set the following property.
Code Block |
---|
abiquo.saml.login.allow.enterprise.pool = true |
...
Add multiple identity providers for SAML
You can configure more than one identity provider for SAML. With the configuration, when the user enters their email address to log in, Abiquo will select the IdP based on its domain name, or it will use the default IdP.
Abiquo still uses the same IdP configuration for all providers, for example, it will search for the same abq-role
attribute to match an Abiquo role.
To configure an existing SAML integration with more IdPs, do these steps on the Abiquo Server:
Save the metadata for the new IdPs, as for the first IdP
For the default IdP, edit the metadata and set the Default attribute
Edit the
abiquo.properties
file to make these changes:Add the paths to the metadata of the new IdPs as a comma separated list to the
abiquo.saml.metadata.identityprovider.path
propertyTo set the default IdP, add the new
abiquo.saml.metadata.identityprovider.default.id
propertyTo map the user email domains to IdPs, set the new
abiquo.saml.metadata.identityprovider.userdomain.map
property with a comma separated list of keys and values. For example:Code Block abiquo.saml.metadata.identityprovider.userdomain.map = example.com=https://sts.example.com/ffff2108-833e-4940-87e6-3d39ce9adb70/,abiquo.com=https://idp.example.com
Do not use a comma
,
in a key or a value
Do not use use an equals sign=
in the key
Share the Abiquo SP data with the new IdPs
On the UI server, edit the
client-config-custom.json
file and change theclient.login.module
property fromSAML
toSAML + user
.
For more details, see the examples in client-config-default.json file.
For this feature, there is a new /saml/idp
endpoint in the Abiquo API where the UI will send a GET request with the user domain. This endpoint will return a redirect to the usual /saml/login
endpoint with the appropriate IdP. Then the login will continue as for a single IdP.
Note |
---|
When you enable this feature, Abiquo will change the XML security metadata of the Abiquo application. Abiquo will add the beans for new IdPs and mark the default IdP in the metadata configuration of
|
...
About enterprise and role binding
The Abiquo API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is called enterprise and role binding.
Here are some examples of how Abiquo can match SAML attributes for enterprises:
abiquo.saml.attributes.enterprise.claims = example
The API will get the value of the
example
attribute from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with an enterprise property key calledexample
that has a property value that matches the SAML Responseexample
attribute value.
abiquo.saml.attributes.enterprise.claims = organization,acc_id:account
The API will get the value of the
organization
andacc_id
attributes from the SAML Response. It will try to find an enterprise with a name that matches one of these values. If it can't find an enterprise, it will search the enterprise properties. It will return the enterprise that has the propertyorganization
with the value from the SAML Response andacc_id
property with the value ofaccount
from the SAML Response.
...
Table of Abiquo configuration properties for SAML
Key | Description | Required | Role | ||||||
---|---|---|---|---|---|---|---|---|---|
| Sets the authentication module to use in the Abiquo Platform. | Yes |
| ||||||
| Control the value of the SameSite flag of the login cookie. | No |
| ||||||
|
Required to start SAML and Abiquo Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP. | Required to start SAML |
|
| ||||||||
| Indicates the SAML mode to use.
| No |
|
| ||||||||
| URI redirect for a successful Abiquo login using SAML SSO. | Yes |
|
| ||
| URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a |
query parameter, " | No |
|
| ||||||||
| Indicates if the SP metadata is provided or must be generated by the API.
| No |
|
| |||||||||
| Indicates the location of the SP metadata to load. | Only if |
| ||||||
| Indicates the location of the IdP metadata to load. | Yes |
| ||||||
| If |
|
A comma-separated list with the binding names | No |
|
|
| ||
|
|
|
If abiquo.saml.metadata.mode is set to generated, this property will indicate which binding must be allowed.
Accepts: A comma-separated list with the binding names
No
Default: POST, Artifact
| Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. | Yes |
|
| ||||||
| The password to unlock the Java keystore from location indicated by | Yes |
|
|
| ||
|
|
Accepts: Any location path of the file to read
| The alias of the key to use for signing SAML Requests | Yes |
|
| ||
|
| The password |
of the key to use for signing SAML Requests | Yes |
|
| ||
|
| The alias of the key to use for |
encryption of SAML Requests | Yes |
|
| ||
|
| The password of the key to use for |
Accepts: any stringYes
encryption of SAML Requests | Yes |
| ||||||||||||
| Indicates if the SAML Requests must be signed. | No |
|
| ||
|
Accepts: any string
| Indicates the binding profile to allow. | Yes |
|
|
| ||
|
The password of the key to use for encryption of SAML Requests
| Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. | No |
|
|
| ||
|
|
|
| Indicates |
which SAML |
Response attribute must be |
Accepts: a boolean
No
Default: false
read to find the role to assign to the user during a successful login. | Yes |
| ||||||
|
Accepts: the SAML binding profile's URN
| Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. | Yes |
| ||||||
|
| Indicates which |
attribute must |
be read to find the user name. | No |
Default: |
| ||||||
|
| Indicates which |
attribute must be read to find the |
user last name. | No |
Default: |
| ||||||
|
|
| Indicates which |
attribute must be read |
Accepts: a comma-separated list of the claim attributes, with an optional enterprise property key separated by a colon.
Pattern: <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>Yes
in order to find the user email. | No |
| |||||||
| Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for | No |
| ||||||
|
|
|
|
Indicates which attribute must be read to find the user name.
Accepts: any string
No
Default: FirstName
| Sets the default SAML IdP | Yes |
|
|
| ||
|
|
|
|
Indicates which attribute must be read to find the user last name.
Accepts: any string
Default: LastName
| For multiple IdPs, map the user domains to the IdPs | Yes, for multiple IdPs |
|
|
abiquo.saml.attributes.user.email.claim
Indicates which attribute must be read in order to find the user email.
Accepts: any string
No
Default: EmailAddress
Status | ||||
---|---|---|---|---|
|
abiquo.saml.login.allow.enterprise.pool
Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for "SAML" mode, not for "SAML + user" (multiple IDPs).
Accepts: boolean
No
Default: false
Status | ||||
---|---|---|---|---|
|
abiquo.saml.metadata.identityprovider.default.id
Sets the default SAML IdP
Accepts: The entityID attribute of the default IdP from its metadata
Yes
Status | ||||
---|---|---|---|---|
|
abiquo.saml.metadata.identityprovider.userdomain.map
For multiple IdPs, map the user domains to the IdPs
Accepts: Comma separated list of email address domains and IdPs
Yes, for multiple IdPs
|
...
Table of UI properties for SAML
For SAML, you can configure the following UI configuration properties in client-config-custom.json
. See Configure Abiquo UI for more details.
Property | Description |
---|---|
| Configure Abiquo modules to log in with
You can copy the options from |
| By default, when in |