See Gitlab page for product presentation.
Gitlab allows one to use SAML to authenticate users; see the official documentation.
For this example, we use these sample values:
Find the gitlab.rb file and add these settings:
vi /etc/gitlab/gitlab.rb

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A',
      idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn',
      issuer: 'https://gitlab.example.com',
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    },
    label: 'Login with LL::NG' # optional label for SAML login button
  }
]
Tip
To get the fingerprint of the IDP certificate, copy the SAML certificate from the LL::NG configuration into a file and use openssl:
openssl x509 -in CERT.pem -noout -fingerprint
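The fingerprint Gitlab expects in idp_cert_fingerprint is simply the digest (SHA-1 by default, which is also what openssl -fingerprint prints) of the certificate's DER bytes, written as upper-case hex pairs separated by colons. The following Python script is an added example, not part of this page or of LL::NG or Gitlab; it computes that value from a PEM certificate (or from the bare base64 body as pasted from the LL::NG manager) without needing openssl, and checks a configured fingerprint against it. The certificate below is a constructed stand-in whose body is just base64("abc"), so the hashed bytes are b"abc"; a real certificate is handled the same way.

```python
import base64
import hashlib
import hmac
import re


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour (if present) and base64-decode the body.

    Accepts either a full PEM block with BEGIN/END lines or the bare
    base64 body; line wrapping and surrounding whitespace are ignored.
    """
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    if not body:
        raise ValueError("no certificate data found")
    return base64.b64decode(body, validate=True)


def certificate_fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Return the fingerprint in the colon-separated upper-case form used by
    gitlab.rb's idp_cert_fingerprint (same layout as openssl -fingerprint)."""
    der = pem_to_der(pem_text)
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


def fingerprint_matches(configured: str, pem_text: str, algorithm: str = "sha1") -> bool:
    """Compare a configured fingerprint with the one computed from the
    certificate, tolerating case and separator differences."""
    def normalise(value: str) -> str:
        return re.sub(r"[^0-9a-f]", "", value.lower())

    expected = normalise(certificate_fingerprint(pem_text, algorithm))
    return hmac.compare_digest(normalise(configured), expected)


# Constructed stand-in, not a real certificate: "YWJj" is base64("abc").
CONSTRUCTED_CERT = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Paste the printed value into idp_cert_fingerprint in gitlab.rb.
    print(certificate_fingerprint(CONSTRUCTED_CERT))
```

Run it against the real certificate file exported from LL::NG and compare the result with the openssl output above; the two must be identical, otherwise the SAML response signature check in Gitlab will fail.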
You can force SAML by default with this option:
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
In this case, users won’t be able to log in directly on Gitlab. Set it only once you are sure the SAML configuration is valid.
To apply changes:
gitlab-ctl reconfigure
We suppose LL::NG is configured as a SAML IDP, and that you converted the public key into a certificate for the SAML signature. You must enable the option to send certificates in responses. If you don’t want to, you need to copy the certificate value into the Gitlab configuration, in the `idp_cert` parameter.
You can get the Gitlab SAML metadata at https://gitlab.example.com/users/auth/saml/metadata
Register them in LL::NG and send these SAML attributes:
Attention
The value of the LL::NG mail session attribute must be the email of the user in the Gitlab database, in order to associate accounts.
You can pass groups to Gitlab. For this, declare the groups attribute in gitlab.rb:
...
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    groups_attribute: 'groups',
    ...
And in LL::NG, export the groups attribute:
As an alternative to SAML, you can configure Gitlab to use OpenID Connect.
In /etc/gitlab/gitlab.rb:
...
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
    'label' => 'LemonLDAP::NG',
    'args' => {
      'name' => 'openid_connect',
      'issuer' => 'https://auth.example.com',
      'scope' => ['openid', 'profile', 'email'],
      'response_type' => 'code',
      'client_auth_method' => 'client_secret_post',
      'discovery' => true,
      'uid_field' => 'sub',
      'client_options' => {
        'redirect_uri' => 'http://gitlab.example.com/users/auth/openid_connect/callback',
        'identifier' => 'LEMONLDAP_CLIENT_ID',
        'secret' => 'LEMONLDAP_CLIENT_SECRET',
      }
    }
  }
]
...
Add an OpenID Connect RP to LemonLDAP::NG, using the client ID and secret from the gitlab.rb file above. In OpenID Connect service » Security » Signing key ID, set a key identifier (use something like default as the value). Export the email claim.
Attention
You need to set a key identifier, or you will get a JSON::JWK::Set::KidNotFound error on Gitlab.