Abiquo OKTA for SAML

Author: Alex Torras

1. Create SAML IdP

  1. Go to Security → Identity providers

  2. Select Add identity provider

  3. Select SAML 2.0 IdP and then Next

  4. In the Configure SAML 2.0 IdP section:

    1. Enter a Name

    2. In IdP username select idpuser.subjectNameId

    3. In IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata

    4. In IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO

    5. In Destination enter https://{$ENV_FQDN}:443/api/saml/SSO

  5. Select Finish

2. Create SAML Application

  1. Go to Applications → Applications

  2. Select Create App Integration

  3. Select SAML 2.0 and then Next

  4. Enter an App name and select Next

  5. In the Configure SAML section:

    1. In Single sign-on URL, leave Use this for Recipient URL and Destination URL checked, and enter https://{$ENV_FQDN}:443/api/saml/SSO

    2. In Audience URI (SP Entity ID) enter https://{$ENV_FQDN}:443/api/saml/metadata

    3. In Attribute Statements enter one for each claim declared in abiquo.properties. Follow this table as an example:

    Name             Name Format    Value
    givenname        Unspecified    user.login
    surname          Unspecified    user.lastName
    emailaddress     Unspecified    user.email
    name             Unspecified    user.firstName
    abq-enterprise   Unspecified    user.department
    abq-role         Unspecified    user.title

  6. Select Next and Finish.

  7. Download the Metadata details from the Sign On tab: open the URL, right-click, and save it as idp_metadata.xml.

3. Configure User claims

  1. Go to Directory → People.

  2. Select the user you want to configure

  3. Select Assign Applications

  4. Select Assign on the SAML Application previously created

  5. Select Save and Go Back and Done

  6. Select Profile tab

  7. Select Edit and in attributes enter the following

    1. Username: the givenname

    2. First Name: the name

    3. Last Name: the surname

    4. Primary email: the email

    5. Title: the abq-role (the external role configured in your environment)

    6. Department: the abq-enterprise (the enterprise you want the user to sign in to in your environment)

  8. Select Save

4. Configure Abiquo

  1. Create the abq-enterprise that you want the user to sign in to.

  2. Create the role and for the External roles, enter the abq-role that you want to assign to the user.

  3. On the Abiquo Server, configure the abiquo.properties file:

    abiquo.auth.module = saml
    #SAML
    abiquo.saml.mode = multi
    abiquo.login.samesite = strict
    # Mandatory property to control the maximum time in seconds that users can use
    # SAML single sign-on after their initial authentication with the IDP.
    # The default represents 24 days.
    abiquo.saml.authentication.maxage = 2073600
    abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
    abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error
    abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/Keystore.jks
    abiquo.saml.keys.keystore.password = changeit
    abiquo.saml.keys.signing.alias = Test
    abiquo.saml.keys.signing.password = changeit
    abiquo.saml.keys.encryption.alias = Test
    abiquo.saml.keys.encryption.password = changeit
    abiquo.saml.keys.metadata.sign = false
    abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    abiquo.saml.metadata.mode = generated
    abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/{$YOUR_ID}
    # For >1 IDPs, add commas between XML paths
    abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml
    # For >1 IDPs, add commas between pairs of values
    abiquo.saml.metadata.identityprovider.userdomain.map = https://trial-8804901.okta.com/app/{$YOUR_ID}/sso/saml/metadata
    abiquo.saml.attributes.role.claim = abq-role
    abiquo.saml.attributes.enterprise.claims = abq-enterprise
    abiquo.saml.attributes.user.id.claim = name
    abiquo.saml.attributes.user.firstname.claim = givenname
    abiquo.saml.attributes.user.lastname.claim = surname
    abiquo.saml.attributes.user.email.claim = emailaddress

  4. On the Abiquo Server, go to /opt/abiquo/config/saml (if this folder does not exist, create it). Create a Keystore.jks (the file name is case-sensitive and must match abiquo.saml.keys.keystore.path) with the alias and password specified in the properties, for example:

    keytool -genkeypair -v -keystore Keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000

  5. Upload the idp_metadata.xml file downloaded from the SAML application to the /opt/abiquo/config/saml folder.
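Once idp_metadata.xml and abiquo.properties are both on the server, the three places that must agree are the metadata entityID (the value of abiquo.saml.metadata.identityprovider.default.id), the SSO binding Abiquo is told to use, and the claim names in the abiquo.saml.attributes.* properties versus the Attribute Statements configured in the Okta application. The script below is an added cross-check, not Abiquo's or Okta's own code. The IdP metadata and properties it contains are constructed samples in the shape shown on this page, with EXAMPLE_APP_ID, example-tenant.okta.com and PLACEHOLDER_BASE64_CERT standing in for real tenant values; treating a plural ".claims" property as a comma-separated list is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an Okta IdP metadata document. The app id, tenant
# host and certificate are placeholders, not values from any real tenant.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed copy of the SAML lines from abiquo.properties on this page,
# with a placeholder IdP id.
SAMPLE_PROPERTIES = """
abiquo.auth.module = saml
abiquo.saml.mode = multi
abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/EXAMPLE_APP_ID
abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = name
abiquo.saml.attributes.user.firstname.claim = givenname
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress
"""

# Names of the Attribute Statements configured in the Okta app (table above).
OKTA_ATTRIBUTE_STATEMENTS = {"givenname", "surname", "emailaddress", "name",
                             "abq-enterprise", "abq-role"}


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text.strip())
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in kd.iter(f"{{{NS['ds']}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_sources(properties_text, metadata_xml, okta_attributes):
    """Return a list of mismatches; an empty list means the three sources agree."""
    props = parse_properties(properties_text)
    meta = parse_idp_metadata(metadata_xml)
    problems = []
    configured_id = props.get("abiquo.saml.metadata.identityprovider.default.id")
    if configured_id != meta["entity_id"]:
        problems.append(f"default.id is {configured_id!r} but metadata entityID is {meta['entity_id']!r}")
    binding = props.get("abiquo.saml.binding")
    if binding not in meta["sso"]:
        problems.append(f"IdP metadata has no SingleSignOnService for binding {binding}")
    if not meta["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate, so assertions cannot be verified")
    for key, value in props.items():
        if not key.startswith("abiquo.saml.attributes."):
            continue
        # Assumption: a plural '.claims' property lists several names separated by commas.
        for claim in (c.strip() for c in value.split(",")):
            if claim not in okta_attributes:
                problems.append(f"{key} expects claim '{claim}', which the Okta app does not send")
    return problems


if __name__ == "__main__":
    issues = check_sources(SAMPLE_PROPERTIES, SAMPLE_IDP_METADATA, OKTA_ATTRIBUTE_STATEMENTS)
    print("OK: properties, IdP metadata and Okta attribute statements agree"
          if not issues else "\n".join(issues))
```

To run it against a real deployment, read /opt/abiquo/config/saml/idp_metadata.xml and abiquo.properties with open() and pass their contents to check_sources, and fill OKTA_ATTRIBUTE_STATEMENTS from the Name column of the application's Attribute Statements. A non-empty result points at the exact property that will make the login fail before any user tries it.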

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved