Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • You are using Gitlab v13.x
  • You have access to edit the Gitlab configuration file at  /etc/gitlab/gitlab.rb
  • The URL of your Gitlab instance is https://gitlab.example.com/
  • The name of your VO is Test_VO

...

In order to configure your Gitlab for eduTEAMS, you need the following information:

Configuration Option

Value

Description

issuer

(example) https://gitlab.example.com

A unique name identifying the gitlab application to the proxy
idp_sso_target_url

https://proxy.acc.eduteams.org/saml2sp/sso/redirect

This is the eduTEAMS endpoint supporting the HTTP-Redirect SAML 2.0 Binding
idp_cert_fingerprint72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24This is the SHA1 fingerprint of the signing certificate used by the eduTEAMS SAML frontend
name_identifier_formaturn:oasis:names:tc:SAML:2.0:nameid-format:persistentThe NameID format requested
uidurn:oasis:names:tc:SAML:attribute:subject-idSee Attributes available to Relying Parties#eduTEAMSIdentifier
emailurn:oid:0.9.2342.19200300.100.1.3See Attributes available to Relying Parties#Emailaddress
first_nameurn:oid:2.5.4.42See Attributes available to Relying Parties#GivenName
last_nameurn:oid:2.5.4.4See Attributes available to Relying Parties#FamilyName
groups_attributeurn:oid:1.3.6.1.4.1.5923.1.1.1.7See Attributes available to Relying Parties#Groups

Basic integration

In the basic integration, all users from your VO will be able to authenticate via eduTEAMS and access the Gitlab service.

The "STEP nnn" comments refer directly to the OmniAuth guide (see the link at the start of this document).

Below is an example configuration:
/etc/gitlab/gitlab.rb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

#

SECTION

STEP 3
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
 
#

SECTION

STEP 4
gitlab_rails['omniauth_auto_link_saml_user'] = true
 
#

SECTION

STEP 6
gitlab_rails['omniauth_providers'] = [
   {
      name: 'saml',
      label: 'eduTEAMS',
      args: {
         assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
         idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
         idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
         issuer: 'https://gitlab.example.com',
         name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
         uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
         email: ["urn:oid:0.9.2342.19200300.100.1.3",],
         first_name: ["urn:oid:2.5.4.42"],
         last_name: ["urn:oid:2.5.4.4"]
      },
      groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
      required_groups: [],
      admin_groups: [],
      audit_groups: []
   }
]

Advanced integration

The SAML login in Gitlab includes support for limiting access to specific groups from your VO. You can control which groups can access the Gitlab instance using the required_groups configuration option. When required_groups is not set or it is empty, anyone with proper authentication will be able to use the service.

...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

# SECTION STEP 3
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
 
# SECTION STEP 4
gitlab_rails['omniauth_auto_link_saml_user'] = true
 
# SECTION STEP 6
gitlab_rails['omniauth_providers'] = [
   {
      name: 'saml',
      label: 'eduTEAMS',
      args: {
         assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
         idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
         idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
         issuer: 'https://example.gitlab.com',
         name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
         uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
         email: ["urn:oid:0.9.2342.19200300.100.1.3",],
         first_name: ["urn:oid:2.5.4.42"],
         last_name: ["urn:oid:2.5.4.4"]
      },

             # STEP(s) "Required Groups", "Admin Groups", "Auditor Groups"
      groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
      # Only the following groups in the Test_VO will be able to access this Gitlab instance:
      #
      # - Developers
      # - Admins:Gitlab
      # - Admins:Gitlab:Auditors
      required_groups: [
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteamsDevelopers#eduteams.org',
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteamsDevelopers#eduteams.org',
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteamsGitlab#eduteams.org',
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admin:Gitlab:Auditors#eduteamsAuditors#eduteams.org',
      ],
      # Users from the following groups in the Test_VO will access this Gitlab instance as admins 
      #
      # - Admins:Gitlab:
      admin_groups: [
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteamsGitlab#eduteams.org',
      ],
      # Users from the following groups in the Test_VO will access this Gitlab instance as auditors:
      #
      # - Admins:Gitlab:Auditors
      audit_groups: [
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab:Auditors#eduteamsAuditors#eduteams.org',
      ],
      # Users from the following gorup in the Test_VO will access the Gitlab instance external users
      #
      # - Guests
      # - Contractors
      external_groups: [
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Guests#eduteamsGuests#eduteams.org',
          'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Conractors#eduteamsConractors#eduteams.org',

             ],
      }
   }
]

Next Steps

Check the SAML metadata URL of the Gitlab instance at https://gitlab.example.com/users/auth/saml/metadata (replace gitlab.example.com with the domain of your Gitlab instance). You should should something like the following:
Gitlab SAML Metadata

1
2
3
4
5
6
7
8
9
10
11
12
13
14

<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor ID="_9edb3dae-0919-40ff-b7c0-bffc63ba032b" entityID="https://gitlab.example.com/" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gitlab.example.com/users/auth/saml/callback" index="0" isDefault="true" />
        <md:AttributeConsumingService index="1" isDefault="true">
            <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
            <md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
            <md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
            <md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
            <md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

...