lemonldap-ng/doc/pages/documentation/current/applications/gitlab.html
2019-09-23 22:41:16 +02:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:gitlab</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,gitlab"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="gitlab.html"/>
<link rel="contents" href="gitlab.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:gitlab","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration1">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration1">LL::NG configuration</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="gitlab">Gitlab</h1>
<div class="level1">
<p>
<img src="gitlab_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Gitlab" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
See the <a href="https://about.gitlab.com/" class="urlextern" title="https://about.gitlab.com/" rel="nofollow">Gitlab</a> page for a product presentation.
</p>
<p>
Gitlab allows one to use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users; see the <a href="https://docs.gitlab.com/ee/integration/saml.html" class="urlextern" title="https://docs.gitlab.com/ee/integration/saml.html" rel="nofollow">official documentation</a>.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [68-300] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">
<p>
For this example, we use these sample values:
</p>
<ul>
<li class="level1"><div class="li"> Gitlab <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com" rel="nofollow">https://gitlab.example.com</a></div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "SAML" [301-457] -->
<h3 class="sectionedit4" id="gitlab_configuration">Gitlab configuration</h3>
<div class="level3">
<p>
Find the gitlab.rb file and add these settings:
</p>
<pre class="code">vi /etc/gitlab/gitlab.rb</pre>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_enabled'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'saml'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_link_saml_user'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    args: <span class="br0">&#123;</span>
      assertion_consumer_service_url: <span class="st0">'https://gitlab.example.com/users/auth/saml/callback'</span>,
      idp_cert_fingerprint: <span class="st0">'99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A'</span>,
      idp_sso_target_url: <span class="st0">'https://auth.example.com/saml/singleSignOn'</span>,
      issuer: <span class="st0">'https://gitlab.example.com'</span>,
      name_identifier_format: <span class="st0">'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'</span>
    <span class="br0">&#125;</span>,
    label: <span class="st0">'Login with LL::NG'</span> <span class="co1"># optional label for SAML login button</span>
  <span class="br0">&#125;</span>
<span class="br0">&#93;</span></pre>
<div class="notetip">To get the fingerprint of the IDP certificate, copy the <abbr title="Security Assertion Markup Language">SAML</abbr> certificate from the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration into a file and use openssl:
<pre class="code">openssl x509 -in CERT.pem -noout -fingerprint</pre>
</div>
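<p>As an added example (not part of the LemonLDAP::NG documentation or of Gitlab), this Ruby script computes the fingerprint in the exact form <code>idp_cert_fingerprint</code> uses (SHA-1 over the DER encoding of the certificate, upper-case, colon-separated) and checks a value pasted from the <code>openssl</code> output above against the certificate, refusing a SHA-256 fingerprint pasted by mistake. It generates a throw-away self-signed certificate as a stand-in for the LL::NG signing certificate; the function names are this example's own.</p>

```ruby
require 'openssl'
require 'digest'

# Fingerprint in the form gitlab.rb's idp_cert_fingerprint uses: SHA-1 over the
# DER encoding of the certificate, upper-case hex bytes separated by colons
# (what `openssl x509 -fingerprint` prints after its "SHA1 Fingerprint=" prefix).
def idp_cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  Digest::SHA1.hexdigest(der).upcase.scan(/../).join(':')
end

# Normalise a value pasted from openssl output: drop the "SHA1 Fingerprint="
# prefix and surrounding whitespace, upper-case it, and refuse anything that is
# not 20 colon-separated bytes (a SHA-256 fingerprint, 32 bytes, is rejected).
def normalise_fingerprint(text)
  fp = text.strip.sub(/\A.*Fingerprint=/i, '').upcase
  unless fp =~ /\A([0-9A-F]{2}:){19}[0-9A-F]{2}\z/
    raise ArgumentError, "not a SHA-1 fingerprint in gitlab.rb format: #{fp}"
  end
  fp
end

# True when the value configured in gitlab.rb pins the certificate that the
# IdP (LL::NG) actually presents.
def fingerprint_matches?(configured, pem)
  normalise_fingerprint(configured) == idp_cert_fingerprint(pem)
end

# Constructed test material: a throw-away self-signed certificate standing in
# for the LL::NG SAML signing certificate (not a real LL::NG key or cert).
def sample_idp_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=auth.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = sample_idp_cert_pem
  puts "idp_cert_fingerprint: '#{idp_cert_fingerprint(pem)}'"
end
```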
<p>
You can make <abbr title="Security Assertion Markup Language">SAML</abbr> the default login method with this option:
</p>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_sign_in_with_provider'</span><span class="br0">&#93;</span> = <span class="st0">'saml'</span></pre>
<p>
In this case, users won&#039;t be able to log in directly on Gitlab. Set it only once you are sure the <abbr title="Security Assertion Markup Language">SAML</abbr> configuration is valid.
</p>
<p>
To apply changes:
</p>
<pre class="code">gitlab-ctl reconfigure</pre>
</div>
<!-- EDIT4 SECTION "Gitlab configuration" [458-1850] -->
<h3 class="sectionedit5" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">
<p>
We assume <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as a <abbr title="Security Assertion Markup Language">SAML</abbr> IDP and that you have converted the public key into a certificate for <abbr title="Security Assertion Markup Language">SAML</abbr> signatures. You must enable the option to send certificates in responses. If you don&#039;t want to, you need to copy the certificate value into the Gitlab configuration, in the <code>idp_cert</code> parameter.
</p>
<p>
You can get the Gitlab <abbr title="Security Assertion Markup Language">SAML</abbr> metadata at <a href="https://gitlab.example.com/users/auth/saml/metadata" class="urlextern" title="https://gitlab.example.com/users/auth/saml/metadata" rel="nofollow">https://gitlab.example.com/users/auth/saml/metadata</a>.
</p>
<p>
Register this metadata in <abbr title="LemonLDAP::NG">LL::NG</abbr> and send these <abbr title="Security Assertion Markup Language">SAML</abbr> attributes (<abbr title="LemonLDAP::NG">LL::NG</abbr> session attribute =&gt; <abbr title="Security Assertion Markup Language">SAML</abbr> attribute name sent to Gitlab):
</p>
<ul>
<li class="level1"><div class="li"> mail =&gt; email</div>
</li>
<li class="level1"><div class="li"> uid =&gt; uid</div>
</li>
<li class="level1"><div class="li"> cn =&gt; name</div>
</li>
</ul>
<div class="noteimportant">The value of the <abbr title="LemonLDAP::NG">LL::NG</abbr> <code>mail</code> session attribute must be the user&#039;s email address in the Gitlab database, so that the accounts can be associated.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG configuration" [1851-2525] -->
<h3 class="sectionedit6" id="manage_groups">Manage groups</h3>
<div class="level3">
<p>
You can pass groups to Gitlab. To do so, declare the groups attribute in gitlab.rb:
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    groups_attribute: <span class="st0">'groups'</span>,
    ...</pre>
<p>
And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</p>
<ul>
<li class="level1"><div class="li"> groups =&gt; groups</div>
</li>
</ul>
</div>
<!-- EDIT6 SECTION "Manage groups" [2526-2818] -->
<h2 class="sectionedit7" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<p>
<strong>As an alternative</strong> to <abbr title="Security Assertion Markup Language">SAML</abbr>, you can configure Gitlab to use OpenID Connect.
</p>
</div>
<!-- EDIT7 SECTION "OpenID Connect" [2819-2932] -->
<h3 class="sectionedit8" id="gitlab_configuration1">Gitlab configuration</h3>
<div class="level3">
<p>
In <code>/etc/gitlab/gitlab.rb</code>:
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'openid_connect'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span> <span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
    <span class="st0">'label'</span> <span class="sy0">=&gt;</span> <span class="st0">'LemonLDAP::NG'</span>,
    <span class="st0">'args'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
      <span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
      <span class="st0">'issuer'</span> <span class="sy0">=&gt;</span> <span class="st0">'https://auth.example.com'</span>,
      <span class="st0">'scope'</span> <span class="sy0">=&gt;</span> <span class="br0">&#91;</span><span class="st0">'openid'</span>, <span class="st0">'profile'</span>, <span class="st0">'email'</span><span class="br0">&#93;</span>,
      <span class="st0">'response_type'</span> <span class="sy0">=&gt;</span> <span class="st0">'code'</span>,
      <span class="st0">'client_auth_method'</span> <span class="sy0">=&gt;</span> <span class="st0">'client_secret_post'</span>,
      <span class="st0">'discovery'</span> <span class="sy0">=&gt;</span> <span class="kw2">true</span>,
      <span class="st0">'uid_field'</span> <span class="sy0">=&gt;</span> <span class="st0">'sub'</span>,
      <span class="st0">'client_options'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
        <span class="co1"># must use the scheme and host Gitlab is served on (https://gitlab.example.com in this example)</span>
        <span class="st0">'redirect_uri'</span> <span class="sy0">=&gt;</span> <span class="st0">'https://gitlab.example.com/users/auth/openid_connect/callback'</span>,
        <span class="st0">'identifier'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_ID'</span>,
        <span class="st0">'secret'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_SECRET'</span>,
      <span class="br0">&#125;</span>
    <span class="br0">&#125;</span>
  <span class="br0">&#125;</span>
<span class="br0">&#93;</span>
&nbsp;
...</pre>
</div>
<!-- EDIT8 SECTION "Gitlab configuration" [2933-3771] -->
<h3 class="sectionedit9" id="llng_configuration1">LL::NG configuration</h3>
<div class="level3">
<p>
Add an OpenID Connect RP to LemonLDAP::NG:
</p>
<ul>
<li class="level1"><div class="li"> Choose a client ID and a client secret, and write the same values in the <code>gitlab.rb</code> file above</div>
</li>
<li class="level1"><div class="li"> You need to choose an asymmetric signature algorithm for the ID Token (RS256 or above)</div>
</li>
<li class="level1"><div class="li"> You also need to set a key identifier on your LemonLDAP::NG server in <code>OpenID Connect service</code> » <code>Security</code> » <code>Signing key ID</code> (use something like <code>default</code> as the value).</div>
</li>
<li class="level1"><div class="li"> Make sure the attribute containing the user email in the LemonLDAP::NG session is mapped to the <code>email</code> claim.</div>
</li>
</ul>
<div class="noteclassic">You need to set a key identifier, or you will get a <em>JSON::JWK::Set::KidNotFound</em> error on Gitlab.
</div>
</div>
<!-- EDIT9 SECTION "LL::NG configuration" [3772-] --></div>
</body>
</html>