...
Log in to the Abiquo server as the system administrator
Create a folder to store the configuration
Code Block mkdir /opt/abiquo/config/saml
Download the federation metadata XML file for your configuration. This may be from a link like:
https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpointsCreate a metadata file for the identity provider, for example, at
/opt/abiquo/config/saml/idp_metadata.xmland edit this file.Open the metadata XML file, and copy the
EntityDescriptorbracket with only theIDPSSODescriptorbracket inside it. Paste it in your metadata file for the entity provider.
It should look something like this but with different values for your identity provider.Code Block <?xml version="1.0" encoding="utf-8"?> <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... </IDPSSODescriptor> </EntityDescriptor>The
entityIDshould be the value from your file. It may be something like this:https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/The
EntityDescriptor IDshould also be the value from your file.
Edit
/var/www/html/ui/config/client-config-custom.jsonand add the following configuration to allow SAML login.Code Block "client.login.modules": [ { "label": "Basic Auth", "description": "Basic Auth login", "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html", "cookieName": "" }, { "label": "SAML", "description": "SAML login", "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html", "cookieName": "ABQSAMLTOKENS" } ]Edit
/opt/abiquo/config/abiquo.propertiesand configure the following properties.Code Block abiquo.auth.module = saml abiquo.saml.mode = multi abiquo.login.samesite = strict # Mandatory property to control the maximum time in seconds that users can use # SAML single sign-on after their initial authentication with the IDP. # The default represents 24 days. abiquo.saml.authentication.maxage = 2073600 abiquo.saml.redirect.endpoint = https://ABIQUO_FQDN/ui abiquo.saml.redirect.error.endpoint = https://ABQIUO_FQDN/ui/?error abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/MY_SAML_KEYSTORE abiquo.saml.keys.keystore.password = MY_SAML_KEYSTORE_PASSWORD abiquo.saml.keys.signing.alias = MY_SAML_APP_NAME abiquo.saml.keys.signing.password = MY_SAML_KEY_PASSWORD abiquo.saml.keys.encryption.alias = MY_SAML_APP abiquo.saml.keys.encryption.password = MY_SAML_KEY_PASSWORD abiquo.saml.keys.metadata.sign = false abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect abiquo.saml.metadata.mode = generated #abiquo.saml.metadata.serviceprovider.path = /opt/abiquo/config/saml/sp_metadata.xml abiquo.saml.metadata.identityprovider.default.id = MY_ENTITY_ID # For >1 IDPs, add commas between XML paths abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml # For >1 IDPs, add commas between pairs of values abiquo.saml.metadata.identityprovider.userdomain.map = myorg.onmicrosoft.com=MY_ENTITY_ID # Set the claim names we have set up before in Azure AD abiquo.saml.attributes.role.claim = abq-role abiquo.saml.attributes.enterprise.claims = abq-enterprise abiquo.saml.attributes.user.id.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name abiquo.saml.attributes.user.firstname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname abiquo.saml.attributes.user.lastname.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname abiquo.saml.attributes.user.email.claim = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressThe
#abiquo.saml.metadata.serviceprovider.pathproperty should be commented out because first you can generate the metadata and later provide it with the file saved at this pathReplace the following values with the values for your environment:
ABIQUO_FQDNMY_SAML_KEYSTOREMY_SAML_KEYSTORE_PASSWORDMY_SAML_APP_NAMEMY_SAML_KEY_PASSWORDMY_SAML_APPMY_SAML_KEY_PASSWORDMY_ENTITY_ID: you can get this from the Azure federation XML. It may be something likehttps://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/
Create a keystore with the above keystore values.
Code Block cd /opt/abiquo/config/saml keytool -genkey -v -keystore MY_SAML_KEYSTORE -storepass MY_SAML_KEYSTORE_PASSWORD -alias MY_SAML_APP_NAME -keypass MY_SAML_KEY_PASSWORD -keyalg RSA -keysize 2048 -validity 10000
(In our test system we are used the one value for the signing and encryption password as
MY_SAML_KEY_PASSWORD)Restart the Abiquo API
Check that the API works and has started successfully by logging in to Abiquo with basic auth as
admin
...
Key | Description | Required | Role | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sets the authentication module to use in the Abiquo Platform. | Yes |
| ||||||||||||
| Control the value of the SameSite flag of the login cookie. | No |
| ||||||||||||
| Required to start SAML and Abiquo Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP. | Required to start SAML |
| ||||||||||||
| Indicates the SAML mode to use.
| No |
| ||||||||||||
| URI redirect for a successful Abiquo login using SAML SSO. | Yes |
| ||||||||||||
| URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a query parameter, " | No |
| ||||||||||||
| Indicates if the SP metadata is provided or must be generated by the API.
| No |
| ||||||||||||
| Indicates the location of the SP metadata to load. | Only if |
| ||||||||||||
| Indicates the location of the IdP metadata to load. | Yes |
| ||||||||||||
| If | No |
| ||||||||||||
| Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. | Yes |
| ||||||||||||
| The password to unlock the Java keystore from location indicated by | Yes |
| ||||||||||||
| The alias of the key to use for signing SAML Requests | Yes |
| ||||||||||||
| The password of the key to use for signing SAML Requests | Yes |
| ||||||||||||
| The alias of the key to use for encryption of SAML Requests | Yes |
| ||||||||||||
| The password of the key to use for encryption of SAML Requests | Yes |
| ||||||||||||
| Indicates if the SAML Requests must be signed. | No |
| ||||||||||||
| Indicates the binding profile to allow. | Yes |
| ||||||||||||
| Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used. | No |
| ||||||||||||
| Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. | Yes |
| ||||||||||||
| Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. | Yes |
| ||||||||||||
| Indicates which attribute must be read to find the user name. | No |
| ||||||||||||
| Indicates which attribute must be read to find the user last name. | No |
| ||||||||||||
| Indicates which attribute must be read in order to find the user email. | No |
| ||||||||||||
| Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for | No |
| ||||||||||||
| Sets the default SAML IdP | Yes |
| ||||||||||||
| For multiple IdPs, map the user domains to the IdPs | Yes, for multiple IdPs |
|
...
For SAML, you can configure the following UI configuration properties in client-config-custom.json. See Configure Abiquo UI for more details.
Property | Description |
|---|---|
| Configure Abiquo modules to log in with
You can copy the options from |
| By default, when in |
...