Gitlab

Presentation

See Gitlab page for product presentation.

Gitlab can authenticate users through SAML (via its OmniAuth integration); see the official documentation.

SAML

For this example, we use these sample values:

  • Gitlab URL : https://gitlab.example.com
  • LL::NG portal URL : https://auth.example.com

Gitlab configuration

Edit /etc/gitlab/gitlab.rb and add these settings:

vi /etc/gitlab/gitlab.rb
gitlab_rails['omniauth_enabled'] = true
# only the SAML provider may create GitLab accounts on first login
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# link the SAML identity to an existing GitLab account that has the same email
gitlab_rails['omniauth_auto_link_saml_user'] = true
# false: accounts created through SAML are usable immediately (true holds them for admin approval)
gitlab_rails['omniauth_block_auto_created_users'] = false
 
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      # where LL::NG posts the SAMLResponse
      assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      # SHA-1 fingerprint of the LL::NG SAML signing certificate (XX are placeholders, use your own value)
      idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A',
      # LL::NG single sign-on endpoint
      idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn',
      # SP entity ID, as it appears in the Gitlab metadata registered in LL::NG
      issuer: 'https://gitlab.example.com',
      # the NameID carries the user's email address
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    },
    label: 'Login with LL::NG' # optional label for SAML login button
  }
]
To get the fingerprint of the IdP certificate, copy the SAML certificate from the LL::NG configuration into a file and use openssl (by default it prints the SHA-1 fingerprint, which is the form expected in idp_cert_fingerprint above):
openssl x509 -in CERT.pem -noout -fingerprint

You can make Gitlab redirect straight to LL::NG instead of showing its own sign-in page with this option:

gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'

With this set, users are no longer offered the local login form (it stays reachable by appending ?auto_sign_in=false to the sign-in URL, so keep a local admin account as a fallback). Set it only once you are sure the SAML configuration is valid, otherwise a broken IdP setup locks everyone out.

To apply changes:

gitlab-ctl reconfigure
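Before running gitlab-ctl reconfigure it is worth checking that the provider hash is consistent with the certificate and URLs you intend to use. The following is an added example, not LL::NG or GitLab code: it recomputes the fingerprint the way openssl does and compares it, case- and colon-insensitively, with the value in the provider hash, and checks that the ACS, SSO and issuer values match this page's sample URLs. The certificate is generated on the fly as a constructed stand-in for the LL::NG signing certificate exported to CERT.pem; the function names (check_provider, sample_provider) are this example's own.

```ruby
require 'openssl'

# Added example (not LL::NG or GitLab code): pre-flight checks for the SAML
# provider hash before `gitlab-ctl reconfigure`. URLs are this page's sample
# values; the certificate is a constructed stand-in for CERT.pem.
GITLAB_URL = 'https://gitlab.example.com'
PORTAL_URL = 'https://auth.example.com'

# Constructed throwaway self-signed certificate. In practice load the real one:
# OpenSSL::X509::Certificate.new(File.read('CERT.pem'))
def constructed_idp_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=auth.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same value `openssl x509 -noout -fingerprint` prints: digest of the DER
# encoding, upper-case hex, colon separated. openssl defaults to SHA-1.
def fingerprint(cert, digest = 'SHA1')
  OpenSSL::Digest.new(digest).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# "99:be:7b..." and "99BE7B..." denote the same fingerprint.
def normalize_fp(fp)
  fp.to_s.delete(':').upcase
end

# Returns a list of problems; an empty list means the hash is consistent with
# the IdP certificate and the URLs of this setup.
def check_provider(provider, idp_cert, gitlab_url: GITLAB_URL, portal_url: PORTAL_URL)
  problems = []
  args = provider[:args] || {}

  fp = args[:idp_cert_fingerprint]
  if fp.nil? && args[:idp_cert].nil?
    problems << 'neither idp_cert_fingerprint nor idp_cert is set'
  elsif fp && normalize_fp(fp) != normalize_fp(fingerprint(idp_cert))
    problems << 'idp_cert_fingerprint does not match the SHA-1 fingerprint of the IdP certificate'
  end

  expected_acs = "#{gitlab_url}/users/auth/saml/callback"
  unless args[:assertion_consumer_service_url] == expected_acs
    problems << "assertion_consumer_service_url should be #{expected_acs}"
  end

  expected_sso = "#{portal_url}/saml/singleSignOn"
  unless args[:idp_sso_target_url] == expected_sso
    problems << "idp_sso_target_url should be #{expected_sso}"
  end

  problems << "issuer should be #{gitlab_url}" unless args[:issuer] == gitlab_url
  problems
end

# Provider hash as it would appear in gitlab.rb, with the fingerprint taken
# from the given certificate.
def sample_provider(cert)
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: "#{GITLAB_URL}/users/auth/saml/callback",
      idp_cert_fingerprint: fingerprint(cert),
      idp_sso_target_url: "#{PORTAL_URL}/saml/singleSignOn",
      issuer: GITLAB_URL,
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    },
    label: 'Login with LL::NG'
  }
end

if __FILE__ == $PROGRAM_NAME
  cert = constructed_idp_cert
  puts check_provider(sample_provider(cert), cert).inspect
  wrong = sample_provider(cert)
  wrong[:args][:idp_cert_fingerprint] = fingerprint(cert, 'SHA256') # wrong digest
  puts check_provider(wrong, cert).inspect
end
```

The SHA-256 case is the typical mistake: a fingerprint taken with `-sha256` is a valid-looking string but will never match, and the login fails only at the first real SAML response.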

LL::NG configuration

We assume LL::NG is already configured as a SAML IdP and that its SAML signing public key has been converted into a certificate (Gitlab expects a certificate, which is what the fingerprint above is computed from). You must enable the LL::NG option that sends the certificate in SAML responses. If you do not want to, copy the certificate value into the Gitlab configuration instead, in the `idp_cert` parameter.

You can get the Gitlab SAML metadata at https://gitlab.example.com/users/auth/saml/metadata

Register it in LL::NG as a SAML service provider and export these SAML attributes (LL::NG session attribute ⇒ SAML attribute name):

  • mail ⇒ email
  • uid ⇒ uid
  • cn ⇒ name
The LL::NG mail session attribute must contain the same email address as the user's account in the Gitlab database, since that is the value omniauth_auto_link_saml_user uses to link the SAML identity to an existing account. Because linking is done by email, the mail attribute must come from an authoritative directory and must not be editable by users, otherwise whoever controls an email value in the IdP gets linked to the matching Gitlab account.

Manage groups

You can pass groups to Gitlab. For this, declare the groups attribute in gitlab.rb (groups_attribute sits at the provider level, next to name, not inside args):

...
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    groups_attribute: 'groups', # name of the SAML attribute carrying the user's groups
...

And in LL::NG, export the groups session attribute to the Gitlab service provider under the same name:

  • groups ⇒ groups
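When the login does not behave as expected, the quickest check is to look at what LL::NG actually sent. The following is an added example, not LL::NG or GitLab code: it base64-decodes a SAMLResponse as captured from the browser POST to /users/auth/saml/callback, lists the attributes in the assertion and reports anything missing relative to the mapping on this page (email, name, an emailAddress NameID, and the groups attribute). The embedded assertion is constructed for illustration and unsigned; the code inspects attribute content only and does not validate signatures, which GitLab does for you.

```ruby
require 'rexml/document'

# Added example (not LL::NG or GitLab code): inspect the attributes of a
# SAMLResponse against the mapping this page tells LL::NG to send.
SAML_NS = { 'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
            'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol' }.freeze

# Constructed, unsigned sample response (real ones are signed; this example
# only looks at attribute content, not at the signature).
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion>
      <saml:Issuer>https://auth.example.com/saml/metadata</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      </saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="groups">
          <saml:AttributeValue>developers</saml:AttributeValue>
          <saml:AttributeValue>ops</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

# The SAMLResponse form field is the base64-encoded XML.
def decode_saml_response(b64)
  b64.unpack1('m')
end

# Attribute name => list of values. Multi-valued attributes such as groups
# arrive as several AttributeValue elements under one Attribute.
def extract_attributes(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//saml:Attribute', SAML_NS).each_with_object({}) do |attr, acc|
    values = REXML::XPath.match(attr, 'saml:AttributeValue', SAML_NS).map { |v| v.text.to_s.strip }
    acc[attr.attributes['Name']] = values
  end
end

def name_id(xml)
  node = REXML::XPath.first(REXML::Document.new(xml), '//saml:Subject/saml:NameID', SAML_NS)
  node && { format: node.attributes['Format'], value: node.text.to_s.strip }
end

# What Gitlab needs from the assertion given the gitlab.rb settings on this page.
def check_assertion(xml, groups_attribute: 'groups')
  attrs = extract_attributes(xml)
  nid   = name_id(xml)
  problems = []
  problems << 'no NameID in Subject' if nid.nil?
  if nid && nid[:format] != 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    problems << "NameID format is #{nid[:format]}, gitlab.rb expects emailAddress"
  end
  problems << 'email attribute missing (needed to link the Gitlab account)' unless attrs['email']&.any?
  problems << 'name attribute missing' unless attrs['name']&.any?
  if nid && attrs['email'] && !attrs['email'].include?(nid[:value])
    problems << 'NameID and email attribute disagree'
  end
  problems << "#{groups_attribute} attribute missing (groups_attribute is set)" unless attrs[groups_attribute]&.any?
  problems
end

if __FILE__ == $PROGRAM_NAME
  encoded = [SAMPLE_RESPONSE].pack('m0') # as it would appear in the POST body
  xml = decode_saml_response(encoded)
  p extract_attributes(xml)
  p check_assertion(xml)
end
```

A common mismatch this catches is the attribute being exported under its LL::NG name (mail, cn) rather than the name Gitlab reads (email, name), or the groups attribute exported under a name that differs from groups_attribute.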