SAML integration

 

This document describes how to configure the SAML integration to log in the platform with SAML SSO using SAML 2.0.
Please read all of this documentation before you start to configure your environment.

SAML authentication and login flow for Abiquo
SAML authentication and login flow for Abiquo

 

Configure your SAML identity provider

We assume that you are already using SAML and that you already have your own IdP configuration.

We provide some basic instructions to illustrate our example with IdP claims and to give a better picture of our SAML configuration.

  • Do not use these instructions to configure your production environment

  • We do not maintain these instructions

To configure Azure Active Directory as an IdP for Abiquo testing:

  1. Go to Azure portal (https://portal.azure.com)

  2. Create an Azure Active Directory

    1. For the Organization use Default Directory

    2. For the Domain use MY_ORG.onmicrosoft.com and replace MY_ORG with your organization name

  3. Switch to the directory and create an Application

    1. Go to Enterprise applications

    2. Click Create your own application

    3. Select the Integrate any other application you don't find in the gallery (Non-gallery) option

    4. For the Name enter samlidp and click Create. Then wait for it to complete.

  4. Go to Single sign-on, for the Authentication method, select SAML, and set the following values.

    1. Basic SAML Configuration: add Abiquo URLs to authorize it as a client that can use this SAML IDP.

      1. Identifier (Entity ID): https://ABIQUO_FQDN:443/api/saml/metadata
        Replace ABIQUO_FQDN with the domain name of your Abiquo server

      2. Reply URL (Assertion Consumer Service or ACS URL): https://ABIQUO_FQDN:443/api/saml/SSO
        Replace ABIQUO_FQDN with the domain name of your Abiquo server

      3. Sign on URL: Set an empty value

    2. SAML Claims: create and set the claims you want to retrieve from AAD users in Abiquo.
      For example:

      1. abq-enterprise: user.department

      2. abq-role: user.jobtitle

      3. user.userprincipalname

      4. user.givenname

      5. user.surname

      6. user.mail

    3. Go to the AAD organization main page and create SAML users.

      1. Name: This will set the username in Abiquo

      2. First Name

      3. Last Name

      4. Job title: This will set the user role in Abiquo, e.g., CLOUD_ADMIN_EXTERNAL

      5. Department: This will set the enterprise in Abiquo, e.g., Abiquo

    4. Add the users to the SAML IDP application we created before in order to authorize it to log in with SAML.

 


Create enterprises and roles for SAML

The first time a user logs in with SAML SSO, the Abiquo API will create the user’s account in the platform.

Before the user can log in, the administrator must create an Abiquo enterprise and role for the user and define their SAML attributes.

  1. Log in to Abiquo as cloud admin

  2. Go to Users

  3. Create enterprises with Names or Properties to match the value of a SAML attribute. From our example above, we will match the SAML Department attribute

    1. Enterprise Name: Abiquo

    2. OR if your enterprise names do not match SAML attributes, create or edit an enterprise, go to Properties and create a property to match.

      1. Edit an enterprise (for example, Name = My favorite enterprise)

      2. Create an Enterprise property

        1. Key: department

        2. Value: Abiquo

  4. Go to Roles

  5. Create roles with External roles to match the value of a SAML attribute. From our example above, we will match Job title:

    1. Role Name: CLOUD_ADMIN_EXTERNAL

    2. External roles: CLOUD_ADMIN_EXTERNAL

 


Configure SAML on Abiquo server

To configure SAML on the Abiquo server:

  1. Log in to the Abiquo server as the system administrator

  2. Create a folder to store the configuration

    mkdir /opt/abiquo/config/saml
  3. Download the federation metadata XML file for your configuration. This may be from a link like:
    https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
    See https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-federation-metadata#federation-metadata-endpoints

  4. Create a metadata file for the identity provider, for example, at /opt/abiquo/config/saml/idp_metadata.xml and edit this file.

  5. Open the metadata XML file, and copy the EntityDescriptor bracket with only the IDPSSODescriptor bracket inside it. Paste it in your metadata file for the entity provider.
    It should look something like this but with different values for your identity provider.

    <?xml version="1.0" encoding="utf-8"?> <EntityDescriptor ID="_d75abe92_blah" entityID="https://sts.windows.net/d123456-blah/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... </IDPSSODescriptor> </EntityDescriptor>
    1. The entityID should be the value from your file. It may be something like this: https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/

    2. The EntityDescriptor ID should also be the value from your file.

  6. Edit /var/www/html/ui/config/client-config-custom.json and add the following configuration to allow SAML login.

    "client.login.modules": [ { "label": "Basic Auth", "description": "Basic Auth login", "templateUrl": "modules/login/authenticationmodules/basicauthentication/partials/basicauthenticationloginview.html", "cookieName": "" }, { "label": "SAML", "description": "SAML login", "templateUrl": "modules/login/authenticationmodules/saml/partials/samlloginview.html", "cookieName": "ABQSAMLTOKENS" } ]

     

  7. Edit /opt/abiquo/config/abiquo.properties and configure the following properties.

     

    1. The #abiquo.saml.metadata.serviceprovider.path property should be commented out because first you can generate the metadata and later provide it with the file saved at this path

    2. Replace the following values with the values for your environment:

      1. ABIQUO_FQDN

      2. MY_SAML_KEYSTORE

      3. MY_SAML_KEYSTORE_PASSWORD

      4. MY_SAML_APP_NAME

      5. MY_SAML_KEY_PASSWORD

      6. MY_SAML_APP

      7. MY_SAML_KEY_PASSWORD

      8. MY_ENTITY_ID: you can get this from the Azure federation XML. It may be something like https://sts.windows.net/d12345678-123e-49321-1234-1234abcd567890/ 

  8. Create a keystore with the above keystore values.

    (In our test system we are used the one value for the signing and encryption password as MY_SAML_KEY_PASSWORD)

  9. Restart the Abiquo API

  10. Check that the API works and has started successfully by logging in to Abiquo with basic auth as admin

 


Configure Abiquo as the service provider

To configure Abiquo as a service provider, obtain the metadata, save it to a file, and then enable the use of provided data.

  1. Log in the Abiquo API server as an administrator

  2. Generate the SP metadata:

    Replace ADMIN_USER, ADMIN_PASSWORD, and ABIQUO_FQDN with values for your environment

  3. Save it to your SAML configuration folder

  4. Edit the abiquo.properties file and set the values as follows

  5. Restart the Abiquo API

  6. Check that the API works and has started successfully by logging in with SAML

    1. Username: USER_NAME@MY_ORG.onmicrosoft.com

 

Additional configuration

We recommend that you do these additional steps

  1. Add the metadata XML file to the IdP

  2. Disable basic authentication. To do this, set the abiquo.saml.mode property to single (or just delete it because single is the default value).

 


Configure custom login error messages for SAML

By default, when there is a login error, the UI displays a generic error view and the user can return to the main login screen.

Optionally, to display custom error messages, configure the redirect to add an error parameter.

On the Abiquo API Server, set the abiquo.saml.redirect.error.endpoint to point to your UI server and add an error code as follows:

Then for each error code, create a UI label with the error message text. For example, for US English, in lang_en_US_custom.json, you could create a label as follows:

For details of more customizations, see Customize UI login errors.


Configure a SAML enterprise pool

Optionally, if you will only be using a single identity provider, you can enable users to log in to an enterprise pool of enterprises with the same enterprise claim value.

The login process will select the first matching enterprise from the pool.

To configure this option, set the following property.

 


Add multiple identity providers for SAML

You can configure more than one identity provider for SAML. With the configuration, when the user enters their email address to log in, Abiquo will select the IdP based on its domain name, or it will use the default IdP. 

Abiquo still uses the same IdP configuration for all providers, for example, it will search for the same abq-role attribute to match an Abiquo role.

To configure an existing SAML integration with more IdPs, do these steps on the Abiquo Server:

  1. Save the metadata for the new IdPs, as for the first IdP

  2. For the default IdP, edit the metadata and set the Default attribute

  3. Edit the abiquo.properties file to make these changes:

    1. Add the paths to the metadata of the new IdPs as a comma separated list to the abiquo.saml.metadata.identityprovider.path property

    2. To set the default IdP, add the new abiquo.saml.metadata.identityprovider.default.id property

    3. To map the user email domains to IdPs, set the new abiquo.saml.metadata.identityprovider.userdomain.map property with a comma separated list of keys and values. For example:

      Do not use a comma , in a key or a value
      Do not use use an equals sign = in the key

  4. Share the Abiquo SP data with the new IdPs

  5. On the UI server, edit the client-config-custom.json file and change the client.login.module property from SAML to SAML + user.
    For more details, see the examples in client-config-default.json file.

For this feature, there is a new /saml/idp endpoint in the Abiquo API where the UI will send a GET request with the user domain. This endpoint will return a redirect to the usual /saml/login endpoint with the appropriate IdP. Then the login will continue as for a single IdP.

 

When you enable this feature, Abiquo will change the XML security metadata of the Abiquo application. Abiquo will add the beans for new IdPs and mark the default IdP in the metadata configuration of security-saml-generated-beans.xml and security-saml-provided-beans.xml.

  • Before you upgrade Abiquo, you must back up the security beans configuration.

  • After you upgrade Abiquo, when there is a new version of the security beans files, you must add the default IdP and the IdP beans again

 

 


About enterprise and role binding

The Abiquo API can get the user’s SAML attributes, select the correct role, and assign it to the user. This is called enterprise and role binding.

Here are some examples of how Abiquo can match SAML attributes for enterprises:

  • abiquo.saml.attributes.enterprise.claims = example

    • The API will get the value of the example attribute from the SAML Response. It will try to find an Abiquo enterprise with the same name. If it can't find an enterprise, it will look for an enterprise with an enterprise property key called example that has a property value that matches the SAML Response example attribute value.

  • abiquo.saml.attributes.enterprise.claims = organization,acc_id:account

    • The API will get the value of the organization and acc_id attributes from the SAML Response. It will try to find an enterprise with a name that matches one of these values. If it can't find an enterprise, it will search the enterprise properties. It will return the enterprise that has the property organization with the value from the SAML Response and acc_id property with the value of account from the SAML Response.

 


Table of Abiquo configuration properties for SAML

 

Key

Description

Required

Role

Key

Description

Required

Role

abiquo.auth.module

Sets the authentication module to use in the Abiquo Platform.
Accepts: abiquo, saml, openid, ldap

Yes

admin

abiquo.login.samesite 

Control the value of the SameSite flag of the login cookie.
See Abiquo configuration properties#samesite

No
Default: strict

admin

abiquo.saml.authentication.maxage

Required to start SAML and Abiquo

Maximum time in seconds the system allows users to use SAML single sign-on after their initial authentication with the IDP.

Required to start SAML
Default: 2073600

admin

abiquo.saml.mode

Indicates the SAML mode to use.
Accepts:

  • single: only SAML is allowed to authenticate users

  • multiple: SAML and Basic Auth are allowed to authenticate users.

No
Default: single

admin

abiquo.saml.redirect.endpoint

URI redirect for a successful Abiquo login using SAML SSO.
Accepts: any valid URI
Example: https://your.env.com/ui

Yes

admin

abiquo.saml.redirect.error.endpoint

URI redirect for an unsuccessful Abiquo login using SAML SSO. This has to be set to a query parameter, "?error", or a valid URI like the one from the example.
Accepts: any valid URI
Example: https://your.env.com/ui/?error=ERROR_CODE
See Configure UI login errors

No
Default: 
?error

admin

abiquo.saml.metadata.mode = provided



Indicates if the SP metadata is provided or must be generated by the API.
Accepts:

  • provided: use existing metadata defined with the following property: abiquo.saml.metadata.serviceprovider.path

  • generated: the API should generate the metadata. Requires the Abiquo Server to have an SP configuration

No
Default: generated

admin

abiquo.saml.metadata.serviceprovider.path

Indicates the location of the SP metadata to load.
Accepts: Any location path of the file to read

Only if abiquo.saml.metadata.mode
is set to provided

admin

abiquo.saml.metadata.identityprovider.path

Indicates the location of the IdP metadata to load.
Accepts: Any location path of the file to read. For multiple identity providers, use a comma separated list

Yes

admin

abiquo.saml.metadata.generator.bindingSSO

If abiquo.saml.metadata.mode is set to generated, this property will indicate which binding must be allowed.
Accepts: A comma-separated list with the binding names

No
Default: POST, Artifact

admin
saml admin

abiquo.saml.keys.keystore.path

Indicates the location of the Java keystore from which to extract the keys to sign and/or encrypt the SAML requests.
Accepts: Any location path of the file to read

Yes

admin

abiquo.saml.keys.keystore.password

The password to unlock the Java keystore from location indicated by abiquo.saml.keys.keystore.path property.

Yes

admin

abiquo.saml.keys.signing.alias

The alias of the key to use for signing SAML Requests
Accepts: any string

Yes

admin

abiquo.saml.keys.signing.password

The password of the key to use for signing SAML Requests
Accepts: any string

Yes

admin

abiquo.saml.keys.encryption.alias

The alias of the key to use for encryption of SAML Requests
Accepts: any string

Yes

admin

abiquo.saml.keys.encryption.password

The password of the key to use for encryption of SAML Requests

Yes

admin

abiquo.saml.keys.metadata.sign

Indicates if the SAML Requests must be signed.
Accepts: a boolean

No
Default: false

admin
saml admin

abiquo.saml.binding

Indicates the binding profile to allow.
Accepts: the SAML binding profile's URN

Yes

saml admin

abiquo.saml.attributes.user.id.claim

Indicates which SAML Response attribute must identify a unique user; if not set up, the principal will be used.
Accepts: any string

No

saml admin

abiquo.saml.attributes.role.claim

Indicates which SAML Response attribute must be read to find the role to assign to the user during a successful login.
Accepts: any string

Yes

saml admin

abiquo.saml.attributes.enterprise.claims

Indicates which SAML Response attributes must be read to find the enterprise to assign to the user during a successful login. Matches an enterprise name or an enterprise property key.
Accepts: a comma-separated list of the claim attributes, with an optional enterprise property key separated by a colon.
Pattern: <saml-attr1>:<ent-prop1>,<saml-attr2>:<ent-prop2>

Yes

saml admin

abiquo.saml.attributes.user.firstname.claim

Indicates which attribute must be read to find the user name.
Accepts: any string

No
Default: FirstName

saml admin

abiquo.saml.attributes.user.lastname.claim

Indicates which attribute must be read to find the user last name.
Accepts: any string

No
Default: LastName

saml admin

abiquo.saml.attributes.user.email.claim

Indicates which attribute must be read in order to find the user email.
Accepts: any string

No
Default: EmailAddress

saml admin

abiquo.saml.login.allow.enterprise.pool

Allow the use of multiple enterprises with the same enterprise claim property as a pool. Will assign the user to the first enterprise match. Only valid for SAML mode, not for SAML + user (multiple IDPs).
Accepts: boolean

No
Default: false

saml admin

abiquo.saml.metadata.identityprovider.default.id

Sets the default SAML IdP
Accepts: The entityID attribute of the default IdP from its metadata

Yes

abiquo admin

abiquo.saml.metadata.identityprovider.userdomain.map

For multiple IdPs, map the user domains to the IdPs
Accepts: Comma separated list of email address domains and IdPs

Yes, for multiple IdPs

abiquo admin

 


Table of UI properties for SAML

For SAML, you can configure the following UI configuration properties in client-config-custom.json. See Configure Abiquo UI for more details. 

Property

Description

Property

Description

client.login.modules

Configure Abiquo modules to log in with Basic Auth (default), Open ID, SAML, or SAML + user.

  • For the initial SAML configuration, use SAML

  • When you add multiple IdPs, use SAML + user

You can copy the options from client-config-default.json

client.skip.login.view

By default, when in OpenID or SAML mode, Abiquo displays an initial screen with a link to the Authentication portal.
If this property is set to truethen Abiquo will not display the initial screen and will redirect users directly to the Authentication portal.

 

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved