OpenNebula 7.0 SAML authentication via Authentik

OpenNebula now supports SAML authentication and has published examples for Keycloak and Okta, but not Authentik. I struggled a bit to get this working, so I figured I'd publish my findings in the hope that someone else finds it useful.

Authentik Setup:

Log into Authentik and select Applications > Applications > Create with Provider

Give it a name; I named mine OpenNebula, which will auto-fill the slug field.

Enter the URL of your OpenNebula dashboard under UI settings > Launch URL.

Select Next to move on to the provider setup.

Select the SAML provider and choose your flow of choice; I just used the default explicit consent option.

Next, set your ACS URL. This must match what is set in /etc/one/auth/saml_auth.conf under :acs_url:. Mine ended up looking like :acs_url: 'https://one.example.com/fireedge/api/auth/acs'

Set an issuer ID; I used opennebula-authentik.

Service Provider Binding must be set to POST.

Select your signing certificate and enable signing assertions.

Select your property mappings; I'm only using Authentik Default SAML Mapping: Username / Groups.

The rest can be left at the defaults, and that should cover the setup on the Authentik side. Now on to OpenNebula. First you'll need to enable SAML authentication by following the guide available from OpenNebula: https://docs.opennebula.io/7.0/product/cloud_system_administration/authentication_configuration/saml/

You can mostly follow the guide above, but I suggest backing up /etc/one/auth/saml_auth.conf and creating a new file with the following:

:sp_entity_id: 'one.example.com'
:acs_url: 'https://one.example.com/fireedge/api/auth/acs'
:identity_providers:
  :authentik_idp:
    # Must match the issuer ID configured in the Authentik SAML provider (opennebula-authentik above)
    :issuer: 'opennebula-authentik'
    :user_field: 'Username'
    :group_field: 'Group'
    # Placeholder: paste the signing certificate from the Authentik provider metadata here
    :idp_cert: '<PASTE_AUTHENTIK_X509_CERTIFICATE_HERE>'
    :mapping_generate: true
    :mapping_key: 'SAML_GROUP'
    :mapping_mode: 'strict'
    :mapping_timeout: 300
    :mapping_filename: 'authentik_groups.yaml'
    :mapping_default: 1
    :group_admin_name: 'ONE Admins'

The certificate can be found on the Provider Metadata tab in Authentik, between the <X509Certificate> tags.
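Copying the certificate out of the metadata by hand is where most mistakes happen (wrapped lines, a stray space, or an issuer that does not match what Authentik sends). The script below is an added example, not part of this post or of OpenNebula: it parses a constructed stand-in for the Authentik provider metadata, pulls out the entityID and the signing certificate, validates that the certificate is clean base64, and renders the saml_auth.conf block above with those values filled in. It assumes :idp_cert: takes the single-line base64 body found between the X509Certificate tags.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the XML on the Authentik provider's Metadata tab;
# the certificate body is dummy base64, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="opennebula-authentik">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIBAAAA
        AAAAAAAA
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entityID, signing cert base64) from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    if key is None:  # a KeyDescriptor without use= serves signing and encryption
        key = root.find(".//md:KeyDescriptor", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if cert is None or not cert.text:
        raise ValueError("no signing X509Certificate in metadata")
    cert_b64 = re.sub(r"\s+", "", cert.text)  # strip the line wrapping in the metadata
    base64.b64decode(cert_b64, validate=True)  # catch a mangled copy/paste before it hits the config
    return entity_id, cert_b64

def render_saml_auth_conf(sp_entity_id, acs_url, issuer, idp_cert):
    """Render saml_auth.conf in the symbol-key YAML style OpenNebula uses."""
    return "\n".join([
        f":sp_entity_id: '{sp_entity_id}'", f":acs_url: '{acs_url}'",
        ":identity_providers:", "  :authentik_idp:",
        f"    :issuer: '{issuer}'",  # must equal the Issuer Authentik sends in its assertions
        "    :user_field: 'Username'", "    :group_field: 'Group'",
        f"    :idp_cert: '{idp_cert}'",
        "    :mapping_generate: true", "    :mapping_key: 'SAML_GROUP'",
        "    :mapping_mode: 'strict'", "    :mapping_timeout: 300",
        "    :mapping_filename: 'authentik_groups.yaml'", "    :mapping_default: 1",
        "    :group_admin_name: 'ONE Admins'"]) + "\n"
```

Feed it the real metadata XML downloaded from Authentik and write the returned string to /etc/one/auth/saml_auth.conf after comparing it with your backup.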

With all that in place, you can restart the OpenNebula service and migrate users to the new auth driver with the following command in a terminal session on your OpenNebula control node (replace mbales with the user being migrated):

oneuser chauth mbales saml