When you configure a default IdP and multiple identity providers (IdPs) for SAML, the platform generates the corresponding security beans configuration from your Abiquo properties.

However, a future platform update may ship other changes to the security beans files, and the updated files will not contain the beans for your additional IdPs.

In that case, you will need to restore the security beans for the additional IdPs after the upgrade, as described here.

Upgrade steps for SAML with default and multiple IdP

To carry your IdP beans across an Abiquo upgrade, do these steps:

  1. Before the upgrade, go to your SAML configuration directory:

    /opt/abiquo/tomcat/webapps/api/WEB-INF/classes/springresources/security/saml

    and back up the following security beans files:

    1. security-saml-generated-beans.xml
    2. security-saml-provided-beans.xml
  2. After the upgrade, you may find new versions of these files with the extension ".rpmnew" (the package manager leaves them beside your existing, customized files rather than overwriting them)
  3. Move the old files aside and rename the new files to the original file names
  4. Edit the new files and make the changes described below, using your backups as the reference for the IdP beans you added

SAML security beans and default IdP configuration

To add the SAML security beans for your IdPs and set the defaultIDP property on the metadata bean:

Do not copy the example below! Modify the configuration files for the current version of your software.


  1. In the "metadata" bean, add the defaultIDP property after the constructor-arg. Its value is the default IdP ID from abiquo.properties:

    <property name="defaultIDP" value="${abiquo.saml.metadata.identityprovider.default.id}"/>
  2. In the constructor-arg list, add a reference to a delegate bean for each IdP. The first IdP bean is "ipdMetadataDelegate" (index 0 of the IdP path list); in this example we added a reference to the second bean, "ipdMetadataDelegate2" (the spMetadataDelegate reference shown in the full example stays in the list as well):

            <constructor-arg>
                <list>
                    <ref bean="ipdMetadataDelegate"/>
                    <ref bean="ipdMetadataDelegate2"/>
                </list>
            </constructor-arg>
  3. Copy the first IdP bean and modify the copy to create the second bean.

    1. Change the bean ID to match the reference you added to the list above:

       <bean id="ipdMetadataDelegate2"
    2. In the FilesystemResource value, change the index so that it selects this IdP's metadata path from the comma-separated list in the abiquo.saml.metadata.identityprovider.path property of abiquo.properties. The list is zero-based, so for the second IdP use "1":

                <bean class="org.opensaml.util.resource.FilesystemResource">
                  <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[1]}" />
                </bean>

      The SpEL expression splits the property value on commas, and index 1 selects the second path. Repeat these steps for each additional IdP, incrementing the bean ID suffix and the index together.
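The upgrade steps above and the bean edits in this section can be scripted and then checked before Tomcat is restarted. The POSIX shell helpers below are an added example written for this page; they are not part of Abiquo or its documentation. The SAML directory is the one named in the upgrade steps, while the abiquo.properties location, the backup directory, the ".pre-upgrade" suffix and the function names are assumptions of this example. The check compares the number of entries in abiquo.saml.metadata.identityprovider.path with the number of ipdMetadataDelegate beans and confirms that defaultIDP is set, which is exactly what goes missing when an ".rpmnew" file replaces your customized one.

```shell
# Added example for this page, not Abiquo's own tooling. Assumed values:
# ABIQUO_PROPS, BACKUP_DIR and the ".pre-upgrade" suffix; SAML_DIR is the
# directory named in the upgrade steps. Override any of them via the environment.
SAML_DIR="${SAML_DIR:-/opt/abiquo/tomcat/webapps/api/WEB-INF/classes/springresources/security/saml}"
ABIQUO_PROPS="${ABIQUO_PROPS:-/opt/abiquo/config/abiquo.properties}"
BACKUP_DIR="${BACKUP_DIR:-/root/saml-beans-backup}"

# Step 1: copy the two security beans files into a timestamped backup directory
# and print that directory's path.
backup_saml_beans() {
    dir="$1"; dest="$2/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    for f in security-saml-generated-beans.xml security-saml-provided-beans.xml; do
        [ -f "$dir/$f" ] && cp -p "$dir/$f" "$dest/"
    done
    echo "$dest"
}

# Steps 2 and 3: for every NAME.rpmnew left by the package manager, keep the
# customized NAME as NAME.pre-upgrade and install the new file under NAME.
# Prints the number of files promoted.
promote_rpmnew() {
    dir="$1"; n=0
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue          # no .rpmnew files: the glob stays literal
        orig="${new%.rpmnew}"
        [ -f "$orig" ] && mv "$orig" "$orig.pre-upgrade"
        mv "$new" "$orig"
        n=$((n + 1))
    done
    echo "$n"
}

# Number of entries in the comma-separated
# abiquo.saml.metadata.identityprovider.path property (0 if unset).
count_idp_paths() {
    line=$(grep -E '^abiquo\.saml\.metadata\.identityprovider\.path[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || { echo 0; return 0; }
    printf '%s\n' "${line#*=}" | tr ',' '\n' | grep -c '[^[:space:]]' || true
}

# Number of IdP delegate beans (ipdMetadataDelegate, ipdMetadataDelegate2, ...)
# defined in a security beans file.
count_idp_beans() {
    grep -c '<bean id="ipdMetadataDelegate' "$1" || true
}

# True if the metadata manager bean sets defaultIDP.
has_default_idp() {
    grep -q 'name="defaultIDP"' "$1"
}

# Step 4 check: each path in abiquo.properties needs its own delegate bean, and the
# default IdP must be wired; otherwise the extra IdPs are not loaded after the upgrade.
check_idp_beans() {
    props="$1"; beans="$2"
    paths=$(count_idp_paths "$props"); defined=$(count_idp_beans "$beans")
    if [ "$paths" -ne "$defined" ]; then
        echo "IdP paths in $props: $paths, ipdMetadataDelegate beans in $beans: $defined" >&2
        return 1
    fi
    if ! has_default_idp "$beans"; then
        echo "no defaultIDP property on the metadata bean in $beans" >&2
        return 1
    fi
    return 0
}

# Typical run on a real host (commented out so the helpers load without side effects):
# backup_saml_beans "$SAML_DIR" "$BACKUP_DIR"      # before the upgrade
# promote_rpmnew "$SAML_DIR"                       # after the upgrade
# check_idp_beans "$ABIQUO_PROPS" "$SAML_DIR/security-saml-generated-beans.xml"
#   (or the provided-beans file, whichever holds the "metadata" bean in your version)
```

Run check_idp_beans against whichever beans file holds the "metadata" bean in your version; a non-zero exit with the counts on stderr means the ".rpmnew" file still lacks the beans from your backup. The check is deliberately textual so that it works on a host without xmllint, but it does not validate the XML itself, so keep the backups until Tomcat has started cleanly with the edited file.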

Example of IdP metadata beans from Abiquo 5.2.1

This example from Abiquo 5.2.1 is a guide to the configuration of the SAML metadata beans with multiple IdPs. It wires the SP metadata, two IdP delegate beans that take the first and second entries of the abiquo.saml.metadata.identityprovider.path list, and the defaultIDP property.
Warning: you must work from the file that the upgrade added to your system. Do not copy this file!

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">


    <!-- IdP and SP metadata definition: the metadata manager holds the SP metadata
         plus one delegate bean per IdP, and defaultIDP selects the IdP used when a
         login request does not name one -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <ref bean="spMetadataDelegate"/>
                <ref bean="ipdMetadataDelegate"/>
                <ref bean="ipdMetadataDelegate2"/>
            </list>
        </constructor-arg>
        <property name="defaultIDP" value="${abiquo.saml.metadata.identityprovider.default.id}"/>
    </bean>
    <!-- Service provider (this Abiquo instance) metadata, loaded from abiquo.saml.metadata.serviceprovider.path -->
    <bean id="spMetadataDelegate" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="${abiquo.saml.metadata.serviceprovider.path}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/>
                <property name="securityProfile" value="metaiop"/>
                <property name="sslSecurityProfile" value="pkix"/>
                <property name="signMetadata" value="${abiquo.saml.keys.metadata.sign:false}"/>
                <property name="signingKey" value="${abiquo.saml.keys.signing.alias}"/>
                <property name="encryptionKey" value="${abiquo.saml.keys.encryption.alias}"/>
                <!-- These flags accept unsigned artifact-resolve and logout messages from the IdP -->
                <property name="requireArtifactResolveSigned" value="false"/>
                <property name="requireLogoutRequestSigned" value="false"/>
                <property name="requireLogoutResponseSigned" value="false"/>
            </bean>
        </constructor-arg>
    </bean>
    <!-- First IdP: entry 0 of the comma-separated abiquo.saml.metadata.identityprovider.path -->
    <bean id="ipdMetadataDelegate" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[0]}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
    </bean>
    <!-- Second IdP: copy of the first bean with entry 1 of the path list -->
    <bean id="ipdMetadataDelegate2" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.FilesystemResource">
                        <constructor-arg value="#{'${abiquo.saml.metadata.identityprovider.path}'.split(',')[1]}" />
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
    </bean>

</beans>