See Gitlab page for product presentation.
Gitlab allows one to use SAML to authenticate users, see official documentation
For this example, we use these sample values:
Find the gitlab.rb file and add these settings:
vi /etc/gitlab/gitlab.rb
gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] gitlab_rails['omniauth_auto_link_saml_user'] = true gitlab_rails['omniauth_block_auto_created_users'] = false gitlab_rails['omniauth_providers'] = [ { name: 'saml', args: { assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A', idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn', issuer: 'https://gitlab.example.com', name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' }, label: 'Login with LL::NG' # optional label for SAML login button } ]
openssl x509 -in CERT.pem -noout -fingerprint
You can force SAML by default with this option:
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
In this case, users won't be able to log directly on gitlab. Set it once you are sure the SAML configuration is valid.
To apply changes:
gitlab-ctl reconfigure
We suppose LL::NG is configured as SAML IDP, and that you converted the public key into a certificate for SAML signature. You must enable the option to send certificates in response. If you don't want to, you need to copy the certificate value into Gitlab configuration, in `idp_cert` parameter.
You can get Gitlab SAML metadata on https://gitlab.example.com/users/auth/saml/metadata
Register them in LL::NG and send these SAML attributes:
You can pass groups to Gitlab. For this, declare groups attribute in gitlab.rb:
... gitlab_rails['omniauth_providers'] = [ { name: 'saml', groups_attribute: 'groups', ...
And in LL::NG, export the groups attribute:
Alternatively to SAML, you can choose to configure Gitlab to use OpenID Connect.
In /etc/gitlab/gitlab.rb
... gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect'] gitlab_rails['omniauth_block_auto_created_users'] = false gitlab_rails['omniauth_providers'] = [ { 'name' => 'openid_connect', 'label' => 'LemonLDAP::NG', 'args' => { 'name' => 'openid_connect', 'issuer' => 'https://auth.example.com', 'scope' => ['openid', 'profile', 'email'], 'response_type' => 'code', 'client_auth_method' => 'client_secret_post', 'discovery' => true, 'uid_field' => 'sub', 'client_options' => { 'redirect_uri' => 'http://gitlab.example.com/users/auth/openid_connect/callback', 'identifier' => 'LEMONLDAP_CLIENT_ID', 'secret' => 'LEMONLDAP_CLIENT_SECRET', } } } ]; ...
Add an OpenID Connect RP to LemonLDAP::NG
gitlab.rb
file aboveOpenID Connect service
» Security
» Signing key ID
(use something like default
as the value). email
claim.