Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Author: Alex Torras (Unlicensed)

1. Create SAML IdP

  1. Go to SecurityIdentity providers

  2. Select Add identity provider

  3. Select SAML 2.0 IdP and then Next

  4. In the Configure SAML 2.0 IdP section:

    1. Enter a Name

    2. In IdP username select idpuser.subjectNameId

    3. In IdP Issuer URI enter https://{$ENV_FQDN}:443/api/saml/metadata

    4. In IdP Single Sign-On URL enter https://{$ENV_FQDN}:443/api/saml/SSO

    5. In Destination enter https://{$ENV_FQDN}):443/api/saml/SSO

  5. Select Finish


2. Create SAML Application

  1. Go to ApplicationsApplications

  2. Select Create App Integration

  3. Select SAML 2.0 and then Next

  4. Enter an App name and select Next

  5. In the Configure SAML section:

    1. In Single sign-on URL, DO NOT uncheck the Use this for Recipient URL and Destination URL, and enter https://{$ENV_FQDN}:443/api/saml/SSO

    2. In Audience URI (SP Entity ID) enter https://{$ENV_FQDN}:443/api/saml/metadata

    3. In Attribute Statements enter one for each claim declared in abiquo.properties. Follow this table as an example:

Name

Name Format

Value

givenname

Unspecified

user.login

surname

Unspecified

user.lastName

emailaddress

Unspecified

user.email

name

Unspecified

user.firstName

abq-enterprise

Unspecified

user.department

abq-role

Unspecified

user.title

  1. Select Next and Finish.

  2. Download the Metadata details from the Sign On tab: open the URL, right click, and save as idp_metadata.xml.


3. Configure User claims

  1. Go to Directory People.

  2. Select the user you want to configure

  3. Select Assign Applications

  4. Select Assign on the SAML Application previously created

  5. Select Save and Go Back and Done

  6. Select Profile tab

  7. Select Edit and in attributes enter the following

    1. Username:  the givenname

    2. First Name: the name

    3. Last Name: the surname

    4. Primary email: the email

    5. Title: the abq-role (the external role configured in your environment)

    6. Department: the abq-enterprise (the enterprise you want the user to sign in in your environment)

  8. Select Save


4. Configure Abiquo

  1. Create the abq-enterprise that you want the user to sign in to.

  2. Create the role and for the External roles, enter the abq-role that you want to assign to the user.

  3. On the Abiquo Server, configure the abiquo.properties file :

abiquo.auth.module = saml

#SAML
abiquo.saml.mode = multi
abiquo.login.samesite = strict

# Mandatory property to control the maximum time in seconds that users can use
# SAML single sign-on after their initial authentication with the IDP.
# The default represents 24 days.
abiquo.saml.authentication.maxage = 2073600

abiquo.saml.redirect.endpoint = https://{$ENV_FQDN}/ui
abiquo.saml.redirect.error.endpoint = https://{$ENV_FQDN}/ui/?error

abiquo.saml.keys.keystore.path = /opt/abiquo/config/saml/Keystore.jks
abiquo.saml.keys.keystore.password = changeit
abiquo.saml.keys.signing.alias = Test
abiquo.saml.keys.signing.password = changeit
abiquo.saml.keys.encryption.alias = Test
abiquo.saml.keys.encryption.password = changeit
abiquo.saml.keys.metadata.sign = false

abiquo.saml.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

abiquo.saml.metadata.mode = generated

abiquo.saml.metadata.identityprovider.default.id = http://www.okta.com/{$YOUR_ID}

# For >1 IDPs, add commas between XML paths
abiquo.saml.metadata.identityprovider.path = /opt/abiquo/config/saml/idp_metadata.xml

# For >1 IDPs, add commas between pairs of values
abiquo.saml.metadata.identityprovider.userdomain.map = https://trial-8804901.okta.com/app/{$YOUR_ID}/sso/saml/metadata


abiquo.saml.attributes.role.claim = abq-role
abiquo.saml.attributes.enterprise.claims = abq-enterprise
abiquo.saml.attributes.user.id.claim = name
abiquo.saml.attributes.user.firstname.claim = givenname
abiquo.saml.attributes.user.lastname.claim = surname
abiquo.saml.attributes.user.email.claim = emailaddress

  1. On the Abiquo Server, go to /opt/abiquo/config/saml (if this folder does not exist, then create it). Create a keystore.jks with the alias and password specified in the properties, for example: 

    keytool -genkeypair -v -keystore Keystore.jks -storepass changeit -alias Test -keypass changeit -keyalg RSA -keysize 2048 -validity 10000
  2. Upload the idp_metadata.xml file downloaded from the SAML application to the /opt/abiquo/config/saml folder.

  • No labels