<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:gitlab</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,applications,gitlab" />
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="gitlab.html" />
<link rel="contents" href="gitlab.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO={"id":"documentation:2.0:applications:gitlab","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="gitlab">Gitlab</h1>
<div class="level1">
<p>
<img src="gitlab_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Gitlab" [1 - 67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
See the <a href="https://about.gitlab.com/" class="urlextern" title="https://about.gitlab.com/" rel="nofollow">Gitlab</a> page for a product presentation.
</p>
<p>
Gitlab allows one to use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users; see the <a href="https://docs.gitlab.com/ee/integration/saml.html" class="urlextern" title="https://docs.gitlab.com/ee/integration/saml.html" rel="nofollow">official documentation</a>.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [68 - 300] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">
<p>
For this example, we use these sample values:
</p>
<ul>
<li class="level1"><div class="li">Gitlab <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com" rel="nofollow">https://gitlab.example.com</a></div>
</li>
<li class="level1"><div class="li"><abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "SAML" [301 - 456] -->
<h3 class="sectionedit4" id="gitlab_configuration">Gitlab configuration</h3>
<div class="level3">
<p>
Find the gitlab.rb file and add these settings:
</p>
<pre class="code">vi /etc/gitlab/gitlab.rb</pre>
<pre class="code file ruby">gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_enabled'</span><span class="br0">]</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">]</span> = <span class="br0">[</span><span class="st0">'saml'</span><span class="br0">]</span>
gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_auto_link_saml_user'</span><span class="br0">]</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">]</span> = <span class="kw2">false</span>
gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_providers'</span><span class="br0">]</span> = <span class="br0">[</span>
  <span class="br0">{</span>
    name: <span class="st0">'saml'</span>,
    args: <span class="br0">{</span>
      assertion_consumer_service_url: <span class="st0">'https://gitlab.example.com/users/auth/saml/callback'</span>,
      idp_cert_fingerprint: <span class="st0">'99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A'</span>,
      idp_sso_target_url: <span class="st0">'https://auth.example.com/saml/singleSignOn'</span>,
      issuer: <span class="st0">'https://gitlab.example.com'</span>,
      name_identifier_format: <span class="st0">'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'</span>
    <span class="br0">}</span>,
    label: <span class="st0">'Login with LL::NG'</span> <span class="co1"># optional label for SAML login button</span>
  <span class="br0">}</span>
<span class="br0">]</span></pre>
<div class="notetip">To get the fingerprint of the IDP certificate, copy the <abbr title="Security Assertion Markup Language">SAML</abbr> certificate from the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration into a file and use openssl:
<pre class="code">openssl x509 -in CERT.pem -noout -fingerprint</pre>
</div>
<p>
You can force <abbr title="Security Assertion Markup Language">SAML</abbr> by default with this option:
</p>
<pre class="code file ruby">gitlab_rails<span class="br0">[</span><span class="st0">'omniauth_auto_sign_in_with_provider'</span><span class="br0">]</span> = <span class="st0">'saml'</span></pre>
<p>
In this case, users won't be able to log in directly on Gitlab. Set it only once you are sure the <abbr title="Security Assertion Markup Language">SAML</abbr> configuration is valid.
</p>
<p>
To apply the changes:
</p>
<pre class="code">gitlab-ctl reconfigure</pre>
</div>
<!-- EDIT4 SECTION "Gitlab configuration" [457 - 1849] -->
<h3 class="sectionedit5" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">
<p>
We assume <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as a <abbr title="Security Assertion Markup Language">SAML</abbr> IDP, and that you converted the public key into a certificate for the <abbr title="Security Assertion Markup Language">SAML</abbr> signature. You must enable the option to send certificates in responses. If you don't want to, you need to copy the certificate value into the Gitlab configuration, in the <code>idp_cert</code> parameter.
</p>
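<p>
As an added example (not part of the LL::NG documentation or of Gitlab's code), the Ruby below reproduces the colon-separated fingerprint that the openssl command in the tip above prints, and checks a gitlab.rb <code>args</code> hash for the pitfalls described in this section and the previous one: no <code>idp_cert_fingerprint</code> when <code>idp_cert</code> is also unset, a fingerprint with redacted <code>XX</code> bytes, non-https endpoints, and a NameID format other than emailAddress. The certificate it hashes is a constructed stand-in whose body is just Base64 of "abc", not a real certificate.
</p>

```ruby
require 'digest'
require 'uri'

# Colon-separated SHA-1 over the DER bytes of a PEM certificate: what
# "openssl x509 -noout -fingerprint" prints and gitlab.rb expects in idp_cert_fingerprint.
def pem_fingerprint(pem)
  body = pem.lines.reject { |l| l.start_with?('-----') }.join
  der = body.unpack1('m')                    # Base64 decode, stdlib only
  Digest::SHA1.hexdigest(der).upcase.scan(/../).join(':')
end

FINGERPRINT_RE = /\A(?:[0-9A-F]{2}:){19}[0-9A-F]{2}\z/
EMAIL_NAMEID   = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

def https?(url)
  URI(url.to_s).scheme == 'https'
rescue URI::InvalidURIError
  false
end

# Checks the SAML provider "args" hash from gitlab.rb against the points this
# page makes. Returns the list of problems found (empty means OK).
def check_saml_args(args)
  problems = []
  fp = args[:idp_cert_fingerprint]
  # Gitlab needs one way to pin the IdP signing certificate: fingerprint or idp_cert.
  problems << 'neither idp_cert_fingerprint nor idp_cert is set' if fp.nil? && args[:idp_cert].nil?
  # A redacted value such as the XX placeholders above can never match a real certificate.
  problems << "idp_cert_fingerprint is not 20 hex bytes: #{fp}" if fp && fp !~ FINGERPRINT_RE
  problems << 'idp_sso_target_url must use https' unless https?(args[:idp_sso_target_url])
  problems << 'assertion_consumer_service_url must use https' unless https?(args[:assertion_consumer_service_url])
  # Accounts are linked on the LL::NG mail attribute, so the NameID must be an email address.
  problems << 'name_identifier_format should be the emailAddress format' unless args[:name_identifier_format] == EMAIL_NAMEID
  problems
end

# The args hash from this page's gitlab.rb, with its redacted fingerprint.
SAMPLE_ARGS = {
  assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
  idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A',
  idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn',
  issuer: 'https://gitlab.example.com',
  name_identifier_format: EMAIL_NAMEID
}.freeze

# Constructed stand-in for an exported LL::NG certificate: the body is Base64("abc"),
# not real DER, so its fingerprint is SHA-1("abc") in openssl's colon notation.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
puts check_saml_args(SAMPLE_ARGS)                     # reports the XX fingerprint
puts check_saml_args(SAMPLE_ARGS.merge(idp_cert_fingerprint: pem_fingerprint(SAMPLE_PEM))).inspect  # []
```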
<p>
You can get the Gitlab <abbr title="Security Assertion Markup Language">SAML</abbr> metadata at <a href="https://gitlab.example.com/users/auth/saml/metadata" class="urlextern" title="https://gitlab.example.com/users/auth/saml/metadata" rel="nofollow">https://gitlab.example.com/users/auth/saml/metadata</a>.
</p>
<p>
Register it in <abbr title="LemonLDAP::NG">LL::NG</abbr> and send these <abbr title="Security Assertion Markup Language">SAML</abbr> attributes:
</p>
<ul>
<li class="level1"><div class="li">mail ⇒ email</div>
</li>
<li class="level1"><div class="li">uid ⇒ uid</div>
</li>
<li class="level1"><div class="li">cn ⇒ name</div>
</li>
</ul>
<div class="noteimportant">The value of the <abbr title="LemonLDAP::NG">LL::NG</abbr> mail session attribute must be the email of the user in the Gitlab database, in order to associate the accounts.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG configuration" [1850 - 2524] -->
<h3 class="sectionedit6" id="manage_groups">Manage groups</h3>
<div class="level3">
<p>
You can pass groups to Gitlab. For this, declare the groups attribute in gitlab.rb:
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">[</span><span class="st0">'omniauth_providers'</span><span class="br0">]</span> = <span class="br0">[</span>
  <span class="br0">{</span>
    name: <span class="st0">'saml'</span>,
    groups_attribute: <span class="st0">'groups'</span>,
...</pre>
<p>
And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</p>
<ul>
<li class="level1"><div class="li">groups ⇒ groups</div>
</li>
</ul>
</div>
<!-- EDIT6 SECTION "Manage groups" [2525 - ] --></div>
</body>
</html>