Author: Alex Torras (Unlicensed)
1. Create SAML IdP
Go to Security → Identity providers
Select Add identity provider
Select SAML 2.0 IdP and then Next
In the Configure SAML 2.0 IdP section:
Enter a Name
In IdP username select idpuser.subjectNameId
In IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata
In IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO
In Destination enter https://{$ENV_FQDN}:443/api/saml/SSO
Select Finish
2. Create SAML Application
Go to Applications → Applications
Select Create App Integration
Select SAML 2.0 and then Next
Enter an App name and select Next
In the Configure SAML section:
In Single sign-on URL, DO NOT uncheck the Use this for Recipient URL and Destination URL, and enter
https://{$ENV_FQDN}:443/api/saml/SSO
In Audience URI (SP Entity ID) enter
https://{$ENV_FQDN}:443/api/saml/metadata
In Attribute Statements enter one for each claim declared in abiquo.properties. Follow this table as an example:
Name | Name Format | Value
---|---|---
givenname | Unspecified |
surname | Unspecified |
emailaddress | Unspecified |
name | Unspecified |
abq-enterprise | Unspecified |
abq-role | Unspecified |
Select Next and Finish.
Download the Metadata details from the Sign On tab: open the URL, right click, and save as idp_metadata.xml.
3. Configure User claims
Go to Directory → People.
Select the user you want to configure
Select Assign Applications
Select Assign on the SAML Application previously created
Select Save and Go Back and Done
Select Profile tab
Select Edit and in attributes enter the following:
Username: the givenname
First Name: the name
Last Name: the surname
Primary email: the email
Title: the abq-role (the external role configured in your environment)
Department: the abq-enterprise (the enterprise you want the user to sign in to in your environment)
Select Save
4. Configure Abiquo
Create the abq-enterprise that you want the user to sign in to.
Create the role and, for the External roles, enter the abq-role that you want to assign to the user.
On the Abiquo Server, configure the abiquo.properties file:
abiquo.auth.module = saml
#SAML
abiquo.saml.mode = multi
abiquo.login.samesite = strict
# Mandatory property to control the maximum time in seconds that users can use
# SAML single sign-on after their initial authentication with the IDP.
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600
abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error
abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/Keystore.jks
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.alias = Test
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.alias = Test
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.keys.metadata.sign = false
abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.metadata.mode = generated
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/exk9d01sp5zaicNUP697
# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml
# For >1 IDPs, add commas between pairs of values
abiquo.saml.metadata.identityprovider.userdomain.map = https://trial-8804901.okta.com/app/{$YOUR_ID}/sso/saml/metadata
abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = name
abiquo.saml.attributes.user.firstname.claim = givenname
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress
On the Abiquo Server, go to /opt/abiquo/config/saml (if this folder does not exist, then create it). Create a Keystore.jks with the alias and password specified in the properties, for example:
keytool -genkeypair -v -keystore Keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000
Upload the idp_metadata.xml file downloaded from the SAML application to the /opt/abiquo/config/saml folder.
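Three things in this procedure have to agree before the login works: the claim names in abiquo.properties (step 4), the attribute statement names in the Okta app (the table in step 2), and the entityID and signing certificate in the downloaded idp_metadata.xml. The following script is an added example, not Abiquo or Okta code, that cross-checks them offline and also flags the example defaults (the changeit keystore password and unsigned SP metadata) that should not survive into production. The properties lines, the IdP metadata document and the IdP/app identifiers in it are constructed placeholders, not values from any real tenant.

```python
"""Offline consistency check for the Abiquo/Okta SAML setup described above.

Cross-checks the claim names in abiquo.properties, the attribute statement
names configured in the Okta app, and the entityID / signing key in the
downloaded idp_metadata.xml. Example code, not part of Abiquo.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant abiquo.properties lines; the IdP id is a placeholder.
PROPERTIES = """\
abiquo.auth.module = saml
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.metadata.sign = false
# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/EXAMPLE_IDP_ID
abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = name
abiquo.saml.attributes.user.firstname.claim = givenname
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress
"""

# Constructed minimal IdP metadata in the shape Okta exports; the certificate body is a placeholder.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLE_APP/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Attribute statement names configured in the Okta app (the table in step 2).
OKTA_ATTRIBUTE_STATEMENTS = {"givenname", "surname", "emailaddress",
                             "name", "abq-enterprise", "abq-role"}

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_properties(text):
    """Parse key = value lines, skipping blank lines and # comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_idp_metadata(xml_text):
    """Extract entityID, the SSO endpoint and the signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_binding": sso.get("Binding") if sso is not None else None,
        "sso_location": sso.get("Location") if sso is not None else None,
        "signing_certs": [c.text.strip() for c in certs if c.text],
    }


def expected_claims(props):
    """Claim names Abiquo will look for, taken from the abiquo.saml.attributes.*.claim(s) keys."""
    claims = {}
    for key, value in props.items():
        if key.startswith("abiquo.saml.attributes.") and key.endswith((".claim", ".claims")):
            claims[key] = [c.strip() for c in value.split(",") if c.strip()]
    return claims


def check_setup(props, idp, okta_attributes):
    """Return a list of findings; empty means the three sources agree and no example defaults remain."""
    findings = []
    configured_id = props.get("abiquo.saml.metadata.identityprovider.default.id")
    if configured_id != idp["entity_id"]:
        findings.append(f"default.id {configured_id!r} does not match metadata entityID {idp['entity_id']!r}")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate, so assertion signatures cannot be verified")
    for key, names in expected_claims(props).items():
        for name in names:
            if name not in okta_attributes:
                findings.append(f"{key} expects claim {name!r} but the Okta app sends no such attribute statement")
    if props.get("abiquo.saml.keys.keystore.password") == "changeit":
        findings.append("keystore password is still the example value 'changeit'")
    if props.get("abiquo.saml.keys.metadata.sign", "").lower() == "false":
        findings.append("abiquo.saml.keys.metadata.sign is false: generated SP metadata is not signed")
    return findings


if __name__ == "__main__":
    results = check_setup(parse_properties(PROPERTIES),
                          parse_idp_metadata(IDP_METADATA),
                          OKTA_ATTRIBUTE_STATEMENTS)
    for finding in results:
        print("FINDING:", finding)
    if not results:
        print("OK: properties, Okta attribute statements and IdP metadata agree")
```

Against the constructed sample the identifiers and claims line up, so the only findings are the two example defaults; on a real server, point PROPERTIES at /etc/abiquo/abiquo.properties and IDP_METADATA at /opt/abiquo/config/saml/idp_metadata.xml and re-run after any change to the Okta attribute statements.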