...
In this version, Abiquo will use the same IdP configuration for all providers, for example, it will search for the same abq-role attribute to match an Abiquo role.
To configure an existing SAML integration with more IdPs, do these steps on the Abiquo Server:
Save the metadata for the new IdPs, as for the first IdP
For the default IdP, edit the metadata and set the Default attribute
Edit the
abiquo.propertiesfile to make these changes:Add the paths to the metadata of the new IdPs as a comma separated list to the
abiquo.saml.metadata.identityprovider.pathpropertyTo set the default IdP, add the new
abiquo.saml.metadata.identityprovider.default.idpropertyTo map the user email domains to IdPs, set the new
abiquo.saml.metadata.identityprovider.userdomain.mapproperty with a comma separated list of keys and values. For example:Code Block abiquo.saml.metadata.identityprovider.userdomain.map = example.com=https://sts.example.com/ffff2108-833e-4940-87e6-3d39ce9adb70/,abiquo.com=https://idp.example.com
...
Do not use a comma
...
,
...
in a key or a value
...
- Do not use use an equals sign
...
=
...
in the key
Share the Abiquo SP data with the new IdPs
On the UI server, edit the
client-config-custom.jsonfile and change theclient.login.moduleproperty from
...
SAML
...
to
...
SAML + user
...
.
For more details, see the examples inclient-config-default.jsonfile.
For this feature, there is a new /saml/idp endpoint idp endpoint in the Abiquo API where the UI will send a GET request with the user domain. This endpoint will return a redirect to the usual /saml/login endpoint with the appropriate IdP. Then the login will continue as for a single IdP.
| Note |
|---|
When you enable this feature, Abiquo will change the XML security metadata of the Abiquo application. It will add the beans for new IdPs and mark the default IdP in the metadata configuration of “security
|