Table of Contents |
---|
Author: Alex Torras (Unlicensed)
1. Create SAML IdP
Go to Security → Identity providers
Select Add identity provider
Select SAML 2.0 IdP and then Next
In the Configure SAML 2.0 IdP section:
Enter a Name
In IdP username select
idpuser.subjectNameId
In IdP Issuer URI enter
https://{$ENV_FQDN}:443/api/saml/metadata
In IdP Single Sign-On URL enter
https://{$ENV_FQDN}:443/api/saml/SSO
In Destination enter
https://{$ENV_FQDN}):443/api/saml/SSO
Select Finish
2. Create SAML Application
...
Go to Applications → Applications
...
Select Create App Integration
...
Select SAML 2.0 and then Next
...
Enter an App name and select Next
In the Configure SAML section:
...
Prepare Abiquo enterprise and role
Log in to your Abiquo and Go to the Users tab.
Create a new enterprise with the desired scope,i.e. ExternalEnterprise with Global Scope:
After the new enterprise is created go to the Roles tab and create a new role inside this enterprise, give it a name, and fill in External Roles with the name the users in Okta will have as their Title, i.e.: External_role:
Note: The role Name is Abiquo side only, so it does not matter that much. The external role is the value that will be checked against what comes from Okta in the abq-role attribute claim.
Save the new role, assign desired privileges to the role, and save the changes.
Set up Okta integration
1. Create an Application
Log in to Okta with Google account or email at: https://developer.okta.com/login or create a new account at: https://developer.okta.com/signup/ (Free developer edition)
Go to Applications→ Applications
Click Create App integration
Choose SAML 2.0 from the list and Next
Choose the Name, i.e Abiquo-test, Next
Set Single sign-on URL:
https://{$ENV_FQDN}:443/api/saml/SSO
...
i.e.:
https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/SSO
Set Audience URI (SP Entity ID)
...
:
https://{$ENV_FQDN}:443/api/saml/metadata
i.e.:https://aleksandra-cleandistr-server.lab.abiquo.com:443/api/saml/metadata
In
...
the Attribute Statements (optional) section add the following:
Name | Name Format | Value |
givenname | Unspecified |
|
surname | Unspecified |
|
emailaddress | Unspecified |
|
name | Unspecified |
|
abq-enterprise | Unspecified |
|
abq-role | Unspecified |
|
...
Select Next and Finish.
...
and click Next
Select any option for feedback and click Finish
In Settings→ Sign on methods, SAML 2.0 section of your application open the metadata link in the new tab, and save the page as
idp_metadata.xml
...
3. Configure User claims
Go to Directory → People.
Select the user you want to configure
Select Assign Applications
Select Assign on the SAML Application previously created
Select Save and Go Back and Done
Select Profile tab
Select Edit and in attributes enter the following
Username: the
givenname
First Name: the
name
Last Name: the
surname
Primary email: the
email
Title: the
abq-role
(the external role configured in your environment)Department: the
abq-enterprise
(the enterprise you want the user to sign in in your environment)
Select Save
4. Configure Abiquo
Create the
abq-enterprise
that you want the user to sign in to.Create the role and for the External roles, enter the
abq-role
that you want to assign to the user.On the Abiquo Server, configure the
abiquo.properties
file :
...
breakoutMode | wide |
---|
, do not close the tab yet
From the metadata page, note down the entityID value, i.e.:
http://www.okta.com/exkezXXXXXXXX45d7
we will use it later to configure Abiquo.Now you can close the tab.
Important: You cannot have a slash ‘/’ at the end!
Go to the SAML Signing Certificates section of your application and download the currently active certificate:
...
2. Create an Identity Provider
Go to Security→ Identity providers
Click ‘Add identity’ provider
Choose SAML 2.0 idP from the list and confirm
Set the Name to your idP, i.e. Abiquo
In the Authentication Settings set IdP username to
idpuser.subjectNameId
In the SAML Protocol Settings section set:
IdP Issuer URI enterhttps://{$ENV_FQDN}:443/api/saml/metadata
IdP Single Sign-On URL enterhttps://{$ENV_FQDN}:443/api/saml/SSO
Destination enterhttps://{$ENV_FQDN}):443/api/saml/SSO
As IdP Signature Certificate point to the certificate you downloaded from your application in step 12. and Finish
3. Assign the Application to the user
Go to the Directory menu-> People
Click on your user and in the Applications tab Assign Application
Click on the Assign link next to your application name and Save and Go back, Done
Go to the Profile tab of your user and Edit
In the Title enter the External role name of the new role you created in Abiquo system, i.e. External_role.
In the Department field enter the name of the Enterprise you created in Abiquo system, i.e. ExternalEnterprise
Save the Profile changes
4. Configure your Abiquo API server
On the Abiquo API server, go to
/opt/abiquo/config/saml
(if this folder does not exist, then create it). Create a keystore.jks with the alias and password specified in the properties, for example:
keytool -genkeypair -v -keystore keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000
Upload the
idp_metadata.xml
file downloaded from the SAML application in step 10. to the/opt/abiquo/config/saml
folder.Edit your
/opt/abiquo/config/abiquo.properties
and add the following configuration for Okta SAML, remember to change the respective values:
Code Block |
---|
abiquo.auth.module = saml #SAML abiquo.saml.mode = multi abiquo.login.samesite = strict # Mandatory property to control the maximum time in seconds that users can use # SAML single sign-on after their initial authentication with the IDP. # The default represents 24 days. abiquo.saml.authentication.maxage = 2073600 abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/Keystorekeystore.jks abiquo.saml.keys.keystore.password = changeit abiquo.saml.keys.signing.alias = Test abiquo.saml.keys.signing.password = changeit abiquo.saml.keys.encryption.alias = Test abiquo.saml.keys.encryption.password = changeit abiquo.saml.keys.metadata.sign = false abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect abiquo.saml.metadata.mode = generated # entityID from step 11. abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/{$YOUR_ID}xxxxXXXxxx # For >1 IDPs, add commas between XML paths abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml # For >1 IDPs, add commas between pairs of values # your application metadata link from step 10. abiquo.saml.metadata.identityprovider.userdomain.map = https://trialdev-8804901XXXXXXXXX.okta.com/app/{$YOUR_ID}xxxXXXxxx/sso/saml/metadata abiquo.saml.attributes.role.claim = abq-role abiquo.saml.attributes.enterprise.claims = abq-enterprise abiquo.saml.attributes.user.id.claim = namegivenname abiquo.saml.attributes.user.firstname.claim = givennamename abiquo.saml.attributes.user.lastname.claim = surname abiquo.saml.attributes.user.email.claim = emailaddress |
...
On the Abiquo Server, go to /opt/abiquo/config/saml
(if this folder does not exist, then create it). Create a keystore.jks
with the alias and password specified in the properties, for example:
Code Block |
---|
keytool -genkeypair -v -keystore Keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000 |
...
30. Edit /var/www/html/ui/config/client-config-custom.json
and add the following configuration to allow SAML login:
Code Block |
---|
"client.login.modules": [
{
"label": "Basic Auth",
"description": "Basic Auth login",
"templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html",
"cookieName": ""
},
{
"label": "SAML",
"description": "SAML login",
"templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html",
"cookieName": "ABQSAMLTOKENS"
}
] |
31. Restart your abiquo-tomcat service