See the GitLab page for a product presentation.

GitLab can authenticate users with SAML through its OmniAuth integration; see the official documentation.
For this example, we use these sample values:

* GitLab URL: https://gitlab.example.com
* LL::NG portal URL: https://auth.example.com
Edit the `gitlab.rb` file and add these settings:

```shell
vi /etc/gitlab/gitlab.rb
```

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A',
      idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn',
      issuer: 'https://gitlab.example.com',
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    },
    label: 'Login with LL::NG' # optional label for SAML login button
  }
]
```

Two of these settings decide who ends up with an account: `omniauth_auto_link_saml_user` links a SAML login to an existing GitLab account with the same email address, and `omniauth_block_auto_created_users = false` makes accounts created at first SAML login active immediately instead of waiting for an administrator to unblock them. Keep the latter at `false` only if access to the GitLab service provider is already restricted on the LL::NG side.
The `idp_cert_fingerprint` value is the SHA-1 fingerprint (the default digest GitLab's SAML provider expects) of the LL::NG SAML signing certificate. Compute it from the certificate PEM file with:

```shell
openssl x509 -in CERT.pem -noout -fingerprint
```

The fingerprint pins that one certificate, so update it in `gitlab.rb` whenever the LL::NG signing certificate is renewed.
You can make SAML the default login with this option:

```ruby
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
```

GitLab then redirects visitors straight to LL::NG instead of showing its own sign-in form, so users can no longer log in to GitLab directly (the local form stays reachable at https://gitlab.example.com/users/sign_in?auto_sign_in=false). Set it only once you are sure the SAML configuration is valid, otherwise you can lock everyone out.
To apply the changes:

```shell
gitlab-ctl reconfigure
```
We assume LL::NG is configured as a SAML IdP and that its signing public key has been converted into an X.509 certificate (GitLab validates SAML signatures against a certificate, not a bare key). You must enable the LL::NG option that sends the certificate in SAML responses, because `idp_cert_fingerprint` is checked against the certificate embedded in the response. If you don't want to send it, copy the certificate value into the GitLab configuration instead, in the `idp_cert` parameter.
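A mismatch between the fingerprint in `gitlab.rb` and the certificate LL::NG actually signs with is the most common reason the SAML callback fails after a certificate renewal. The script below is an added example, not part of the LL::NG documentation or of GitLab: it pulls the signing certificate(s) out of IdP metadata, computes the same SHA-1 fingerprint as the `openssl x509 -fingerprint` command above, and compares it with the configured value the way GitLab's SAML provider (ruby-saml) does, ignoring case and separators. The metadata document, its entityID and the self-signed certificate are constructed for the demo; in practice you would fetch the body of https://auth.example.com/saml/metadata (assumed to be the LL::NG metadata URL) and pass it to `signing_certs_from_metadata`.

```ruby
# Added example (not LL::NG or GitLab code): verify that the idp_cert_fingerprint
# configured in gitlab.rb matches the signing certificate published in the
# IdP metadata. Fixtures at the bottom are constructed for the demo.
require 'openssl'
require 'rexml/document'

SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DSIG_NS    = 'http://www.w3.org/2000/09/xmldsig#'
NS = { 'md' => SAML_MD_NS, 'ds' => DSIG_NS }

# Return the X.509 certificates an IdP advertises for signing. A KeyDescriptor
# without a "use" attribute is valid for both signing and encryption, so it is
# kept as well; "encryption"-only descriptors are skipped.
def signing_certs_from_metadata(xml)
  doc = REXML::Document.new(xml)
  certs = []
  REXML::XPath.each(doc, '//md:IDPSSODescriptor/md:KeyDescriptor', NS) do |kd|
    use = kd.attributes['use']
    next unless use.nil? || use == 'signing'
    REXML::XPath.each(kd, './/ds:X509Certificate', NS) do |node|
      der = node.text.gsub(/\s+/, '').unpack1('m') # base64 -> DER
      certs << OpenSSL::X509::Certificate.new(der)
    end
  end
  certs
end

# Same value as `openssl x509 -noout -fingerprint` (digest over the DER form),
# formatted as colon-separated upper-case hex. SHA-1 is what GitLab expects
# by default for idp_cert_fingerprint.
def fingerprint(cert, algorithm: 'SHA1')
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# ruby-saml strips separators and lower-cases before comparing, so a value
# pasted with or without colons, in any case, is accepted.
def normalize_fingerprint(fp)
  fp.gsub(/[^0-9a-fA-F]/, '').downcase
end

def fingerprint_matches?(configured, cert, algorithm: 'SHA1')
  normalize_fingerprint(configured) == normalize_fingerprint(fingerprint(cert, algorithm: algorithm))
end

# True when the configured fingerprint matches at least one signing cert in the metadata.
def config_matches_metadata?(configured, metadata_xml, algorithm: 'SHA1')
  signing_certs_from_metadata(metadata_xml).any? { |c| fingerprint_matches?(configured, c, algorithm: algorithm) }
end

# --- constructed fixtures (not real LL::NG output) ---------------------------

# A throwaway self-signed certificate standing in for the LL::NG signing cert.
def build_test_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=auth.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Minimal IdP metadata in the shape an IdP publishes (entityID and endpoint assumed).
def sample_metadata(cert)
  b64 = [cert.to_der].pack('m0')
  <<~XML
    <md:EntityDescriptor xmlns:md="#{SAML_MD_NS}" entityID="https://auth.example.com/saml/metadata">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="#{DSIG_NS}">
            <ds:X509Data><ds:X509Certificate>#{b64}</ds:X509Certificate></ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://auth.example.com/saml/singleSignOn"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert
  puts "fingerprint to put in gitlab.rb: #{fingerprint(cert)}"
  puts "configured value matches metadata: #{config_matches_metadata?(fingerprint(cert), sample_metadata(cert))}"
end
```

Run it against real metadata by replacing the fixture with the fetched document; a `false` result after a certificate rotation on the LL::NG side tells you to regenerate the fingerprint before users start hitting signature validation errors in the GitLab callback.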
GitLab's SAML service-provider metadata is available at https://gitlab.example.com/users/auth/saml/metadata

Register GitLab as a SAML service provider in LL::NG using that metadata, and send these SAML attributes:
You can pass groups to GitLab. For this, declare `groups_attribute` (the name of the SAML attribute GitLab reads group membership from) in `gitlab.rb`:

```ruby
...
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    groups_attribute: 'groups',
    ...
```

And in LL::NG, export the groups attribute: