SAML integration

Abiquo provides an integration to log in to the platform with SAML single sign-on (SSO) using SAML 2.0. Please read ALL of this documentation before starting to configure your environment.





Table of Abiquo configuration properties for SAML

| Key | Description | Required | Role |
|---|---|---|---|
| `abiquo.auth.module` | Sets the authentication module to use in the Abiquo Platform. Accepts: `abiquo`, `saml`, `openid`, `ldap` | Yes | abiquo admin |
| `abiquo.saml.authentication.maxage` | New in Abiquo 6.0.0. Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IdP. | Required to start SAML. Default: `2073600` | abiquo admin |
| `abiquo.saml.mode` | Indicates the SAML mode to use. Accepts: `single` (only SAML is allowed to authenticate users), `multiple` (SAML and Basic Auth are allowed to authenticate users) | No. Default: `single` | abiquo admin |
| `abiquo.saml.redirect.endpoint` | URI to redirect to after a successful Abiquo login using SAML SSO. Accepts: any valid URI. Example: `https://your.env.com/ui` | Yes | abiquo admin |
| `abiquo.saml.redirect.error.endpoint` | URI to redirect to after an unsuccessful Abiquo login using SAML SSO. Set it either to the query parameter `?error` or to a valid URI like the one in the example. Accepts: any valid URI. Example: `https://your.env.com/ui/?error=ERROR_CODE`. See Configure UI login errors | No. Default: `?error` | abiquo admin |
| `abiquo.saml.metadata.mode` | Indicates whether the SP metadata is provided or must be generated by the API. Accepts: `provided` (use existing metadata defined with the property `abiquo.saml.metadata.serviceprovider.path`), `generated` (the API generates the metadata; requires the Abiquo Server to have an SP configuration). Example: `abiquo.saml.metadata.mode = provided` | No. Default: `generated` | abiquo admin |
| `abiquo.saml.metadata.serviceprovider.path` | Indicates the location of the SP metadata to load. Accepts: any location path of the file to read | Only if `abiquo.saml.metadata.mode` is set to `provided` | abiquo admin |
| `abiquo.saml.metadata.identityprovider.path` | Indicates the location of the IdP metadata to load. Accepts: any location path of the file to read. For multiple identity providers, use a comma-separated list | Yes | abiquo admin |
| `abiquo.saml.metadata.generator.bindingSSO` | If `abiquo.saml.metadata.mode` is set to `generated`, this property indicates which bindings must be allowed. Accepts: a comma-separated list of binding names | No. Default: `POST, Artifact` | abiquo admin, saml admin |
| `abiquo.saml.keys.keystore.path` | Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests. Accepts: any location path of the file to read | Yes | abiquo admin |
| `abiquo.saml.keys.keystore.password` | The password to unlock the Java keystore at the location indicated by the `abiquo.saml.keys.keystore.path` property. | Yes | abiquo admin |
| `abiquo.saml.keys.signing.alias` | The alias of the key to use for signing SAML requests. Accepts: any string | Yes | abiquo admin |
| `abiquo.saml.keys.signing.password` | The password of the key to use for signing SAML requests. Accepts: any string | Yes | abiquo admin |
| `abiquo.saml.keys.encryption.alias` | The alias of the key to use for encryption of SAML requests. Accepts: any string | Yes | abiquo admin |
| `abiquo.saml.keys.encryption.password` | The password of the key to use for encryption of SAML requests | Yes | abiquo admin |
| `abiquo.saml.keys.metadata.sign` | Indicates whether the SAML requests must be signed. Accepts: a boolean | No. Default: `false` | abiquo admin, saml admin |
| `abiquo.saml.binding` | Indicates the binding profile to allow. Accepts: the SAML binding profile's URN | Yes | saml admin |
| `abiquo.saml.attributes.user.id.claim` | Indicates which SAML Response attribute identifies a unique user; if not set, the principal is used. Accepts: any string | No | saml admin |
| `abiquo.saml.attributes.role.claim` | Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login. Accepts: any string | Yes | saml admin |
| `abiquo.saml.attributes.enterprise.claims` | Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key. Accepts: a comma-separated list of the claim attributes, each with an optional enterprise property key separated by a colon. Pattern: `<saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>` | Yes | saml admin |
| `abiquo.saml.attributes.user.firstname.claim` | Indicates which attribute must be read to find the user's first name. Accepts: any string | No. Default: `FirstName` | saml admin |
| `abiquo.saml.attributes.user.lastname.claim` | Indicates which attribute must be read to find the user's last name. Accepts: any string | No. Default: `LastName` | saml admin |
| `abiquo.saml.attributes.user.email.claim` | Indicates which attribute must be read to find the user's email. Accepts: any string | No. Default: `EmailAddress` | saml admin |
| `abiquo.saml.login.allow.enterprise.pool` | Allows the use of multiple enterprises with the same enterprise claim property as a pool; the user is assigned to the first enterprise match. Only valid for "SAML" mode, not for "SAML + user" (multiple IdPs). Accepts: boolean | No. Default: `false` | saml admin |
| `abiquo.saml.metadata.identityprovider.default.id` | Sets the default SAML IdP. Accepts: the entityID attribute of the default IdP from its metadata | Yes | abiquo admin |
| `abiquo.saml.metadata.identityprovider.userdomain.map` | For multiple IdPs, maps the user domains to the IdPs. Accepts: comma-separated list of email address domains and IdPs | Yes, for multiple IdPs | abiquo admin |
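The following preflight script is an added example, not Abiquo's own code or tooling. It reads an `abiquo.properties` text and checks the SAML block against the rules in the table: the keys marked required, the conditional requirement of the SP metadata path when the metadata mode is `provided`, the accepted values and defaults, the `?error`-or-URI rule for the error redirect, the `<saml-attr>:<ent-prop>` claim pattern, and the multiple-IdP rules for the user-domain map and the enterprise pool. The sample properties text, the file paths, alias names and password placeholders in it are constructed for illustration; the binding URN is the standard SAML 2.0 HTTP-POST binding.

```python
"""Preflight checker for the Abiquo SAML properties listed in the table.

Added example, not Abiquo code. Property names, accepted values, defaults and
the conditional requirements are taken from the table; the sample properties
text, paths, aliases and password placeholders below are constructed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Keys the table marks "Yes" (or "Required to start SAML") once abiquo.auth.module=saml.
REQUIRED_FOR_SAML = (
    "abiquo.saml.authentication.maxage", "abiquo.saml.redirect.endpoint",
    "abiquo.saml.metadata.identityprovider.path", "abiquo.saml.metadata.identityprovider.default.id",
    "abiquo.saml.keys.keystore.path", "abiquo.saml.keys.keystore.password",
    "abiquo.saml.keys.signing.alias", "abiquo.saml.keys.signing.password",
    "abiquo.saml.keys.encryption.alias", "abiquo.saml.keys.encryption.password",
    "abiquo.saml.binding", "abiquo.saml.attributes.role.claim",
    "abiquo.saml.attributes.enterprise.claims",
)


def parse_properties(text: str) -> Dict[str, str]:
    """Read key=value lines ('#'/'!' comments skipped, whitespace around '=' allowed).

    Only '=' is accepted as separator (Java .properties also allows ':'), so that
    values containing ':' such as URNs, URLs and claim:property pairs stay intact.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"no '=' in line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def parse_enterprise_claims(value: str) -> List[Tuple[str, Optional[str]]]:
    """Parse <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2> into (attribute, property) pairs.

    The property key after the colon is optional: a bare attribute yields
    (attr, None), i.e. the attribute value is matched against the enterprise name.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for item in value.split(","):
        attr, sep, prop = item.strip().partition(":")
        if not attr.strip() or (sep and not prop.strip()):
            raise ValueError(f"malformed enterprise claim entry: {item!r}")
        pairs.append((attr.strip(), prop.strip() if sep else None))
    return pairs


def _is_uri(value: str) -> bool:
    parsed = urlparse(value)
    return bool(parsed.scheme and parsed.netloc)


def check_saml_properties(props: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the SAML block is consistent."""
    if props.get("abiquo.auth.module") != "saml":
        return ["abiquo.auth.module is not 'saml'; the SAML properties are not in use"]
    problems = [f"missing required property {k}" for k in REQUIRED_FOR_SAML if not props.get(k)]

    # SP metadata path is only required when the metadata mode is 'provided' (default: generated).
    metadata_mode = props.get("abiquo.saml.metadata.mode", "generated")
    if metadata_mode not in ("provided", "generated"):
        problems.append(f"abiquo.saml.metadata.mode must be provided|generated, got {metadata_mode!r}")
    if metadata_mode == "provided" and not props.get("abiquo.saml.metadata.serviceprovider.path"):
        problems.append("abiquo.saml.metadata.serviceprovider.path is required when metadata mode is 'provided'")
    if props.get("abiquo.saml.mode", "single") not in ("single", "multiple"):
        problems.append("abiquo.saml.mode must be single|multiple")

    maxage = props.get("abiquo.saml.authentication.maxage")
    if maxage is not None and not (maxage.isdigit() and int(maxage) > 0):
        problems.append("abiquo.saml.authentication.maxage must be a positive number of seconds")
    redirect = props.get("abiquo.saml.redirect.endpoint")
    if redirect and not _is_uri(redirect):
        problems.append("abiquo.saml.redirect.endpoint must be a valid URI")
    error_redirect = props.get("abiquo.saml.redirect.error.endpoint", "?error")
    if error_redirect != "?error" and not _is_uri(error_redirect):
        problems.append("abiquo.saml.redirect.error.endpoint must be '?error' or a valid URI")

    claims = props.get("abiquo.saml.attributes.enterprise.claims")
    if claims:
        try:
            parse_enterprise_claims(claims)
        except ValueError as exc:
            problems.append(f"abiquo.saml.attributes.enterprise.claims: {exc}")

    # Several IdP metadata files: the user-domain map is required and the enterprise pool is not valid.
    idp_paths = [p for p in props.get("abiquo.saml.metadata.identityprovider.path", "").split(",") if p.strip()]
    if len(idp_paths) > 1:
        if not props.get("abiquo.saml.metadata.identityprovider.userdomain.map"):
            problems.append("abiquo.saml.metadata.identityprovider.userdomain.map is required for multiple IdPs")
        if props.get("abiquo.saml.login.allow.enterprise.pool", "false").lower() == "true":
            problems.append("abiquo.saml.login.allow.enterprise.pool is not valid with multiple IdPs")
    return problems


# Constructed sample: a single-IdP setup that declares provided SP metadata but omits its path.
SAMPLE_PROPERTIES = """
abiquo.auth.module = saml
abiquo.saml.authentication.maxage = 2073600
abiquo.saml.mode = single
abiquo.saml.redirect.endpoint = https://your.env.com/ui
abiquo.saml.redirect.error.endpoint = https://your.env.com/ui/?error=ERROR_CODE
abiquo.saml.metadata.mode = provided
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/idp-metadata.xml
abiquo.saml.metadata.identityprovider.default.id = https://idp.example.com/metadata
abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml.jks
abiquo.saml.keys.keystore.password = KEYSTORE_PASSWORD_PLACEHOLDER
abiquo.saml.keys.signing.alias = saml-signing
abiquo.saml.keys.signing.password = SIGNING_PASSWORD_PLACEHOLDER
abiquo.saml.keys.encryption.alias = saml-encryption
abiquo.saml.keys.encryption.password = ENCRYPTION_PASSWORD_PLACEHOLDER
abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
abiquo.saml.attributes.role.claim = Role
abiquo.saml.attributes.enterprise.claims = Company:saml-company,Department
"""

if __name__ == "__main__":
    for problem in check_saml_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("PROBLEM:", problem)
```

Run against the constructed sample, the checker reports exactly one problem, the missing `abiquo.saml.metadata.serviceprovider.path`; adding that property makes the block pass. The `parse_properties` reader is deliberately minimal (no `:` separators, no line continuations), which is enough for the single-line properties in this table.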





Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved