...
It is possible to connect a Gitlab instance with eduTEAMS either as a SAML Service Provider or an OIDC client. The integration via SAML provides more benefits as the SAML implementation in Gitlab has (limited) support for authorizing users using groups. The OIDC implementation in Gitlab supports only authenticating users. As a reference this guide is available: https://docs.gitlab.com/13.0/ee/integration/saml.html .
In order to configure your Gitlab for eduTEAMS, you need the following information:
proxyeduteams.org/saml2sp/sso/redirectThis is the eduTEAMS endpoint supporting the HTTP-Redirect SAML 2.0 Binding Basic integration
In the basic integration, all users from your VO will be able to authenticate via eduTEAMS and access the Gitlab service.
Below is an example configuration:
/etc/gitlab/gitlab.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30 |
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: 'eduTEAMS',
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
issuer: 'https://proxy.eduteams.org/proxy',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
email: ["urn:oid:0.9.2342.19200300.100.1.3",],
first_name: ["urn:oid:2.5.4.42"],
last_name: ["urn:oid:2.5.4.4"]
},
groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
required_groups: [],
admin_groups: [],
audit_groups: []
}
]
|
Advanced integration
The SAML login in Gitlab includes support for limiting access to specific groups from your VO. You can control which groups can access the Gitlab instance using the required_groups configuration option. When required_groups is not set or it is empty, anyone with proper authentication will be able to use the service.
...
Below is an example configuration:
/etc/gitlab/gitlab.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58 |
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: 'eduTEAMS',
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
issuer: 'https://proxy.eduteams.org/proxy',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
email: ["urn:oid:0.9.2342.19200300.100.1.3",],
first_name: ["urn:oid:2.5.4.42"],
last_name: ["urn:oid:2.5.4.4"]
},
groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
required_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admin:Gitlab:Auditors#eduteams.org',
],
admin_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteams.org',
],
audit_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab:Auditors#eduteams.org',
],
external_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Guests#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Conractors#eduteams.org',
}
}
]
|
Next Steps
Check the SAML metadata URL of the Gitlab instance at https://gitlab.example.com/users/auth/saml/metadata (replace gitlab.example.com with the domain of your Gitlab instance). You should should something like the following:
Gitlab SAML Metadata
1
2
3
4
5
6
7
8
9
10
11
12
13
14 | <?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor ID="_9edb3dae-0919-40ff-b7c0-bffc63ba032b" entityID="https://gitlab.example.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gitlab.example.com/users/auth/saml/callback" index="0" isDefault="true" />
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
<md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
|
Congratulations, you have successfully configured your Gitlab instance for eduTEAMS. Now you can proceed registering your following the steps described in Registering services on the eduTEAMS Service
