...
- You are using Gitlab v13.x
- You have access to edit the Gitlab configuration file at /etc/gitlab/gitlab.rb
- The URL of your Gitlab instance is
https://gitlab.example.com/ - The name of your VO is Test_VO
...
In order to configure your Gitlab for eduTEAMS, you need the following information:
Basic integration
In the basic integration, all users from your VO will be able to authenticate via eduTEAMS and access the Gitlab service.
The "STEP nnn" comments refer directly to the OmniAuth guide (see the link at the start of this document).
Below is an example configuration:
/etc/gitlab/gitlab.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30 |
|
SECTION
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
|
SECTION
gitlab_rails['omniauth_auto_link_saml_user'] = true
|
SECTION
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: 'eduTEAMS',
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
issuer: 'https://gitlab.example.com',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
email: ["urn:oid:0.9.2342.19200300.100.1.3",],
first_name: ["urn:oid:2.5.4.42"],
last_name: ["urn:oid:2.5.4.4"]
},
groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
required_groups: [],
admin_groups: [],
audit_groups: []
}
]
|
Advanced integration
The SAML login in Gitlab includes support for limiting access to specific groups from your VO. You can control which groups can access the Gitlab instance using the required_groups configuration option. When required_groups is not set or it is empty, anyone with proper authentication will be able to use the service.
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58 | SECTION
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
SECTION
gitlab_rails['omniauth_auto_link_saml_user'] = true
SECTION
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: 'eduTEAMS',
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
idp_sso_target_url: 'https://proxy.eduteams.org/saml2sp/sso/redirect',
issuer: 'https://example.gitlab.com',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
uid: ["urn:oasis:names:tc:SAML:attribute:subject-id"],
email: ["urn:oid:0.9.2342.19200300.100.1.3",],
first_name: ["urn:oid:2.5.4.42"],
last_name: ["urn:oid:2.5.4.4"]
}, # STEP(s) "Required Groups", "Admin Groups", "Auditor Groups"
groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
required_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteamsDevelopers#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Developers#eduteamsDevelopers#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteamsGitlab#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admin:Gitlab:Auditors#eduteamsAuditors#eduteams.org',
],
admin_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab#eduteamsGitlab#eduteams.org',
],
audit_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Admins:Gitlab:Auditors#eduteamsAuditors#eduteams.org',
],
external_groups: [
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Guests#eduteamsGuests#eduteams.org',
'urn:geant:eduteams.org:service:eduteams:group:Test_VO:Conractors#eduteamsConractors#eduteams.org', ],
}
}
] |
Next Steps
Check the SAML metadata URL of the Gitlab instance at https://gitlab.example.com/users/auth/saml/metadata (replace gitlab.example.com with the domain of your Gitlab instance). You should should something like the following:
Gitlab SAML Metadata
1
2
3
4
5
6
7
8
9
10
11
12
13
14 | <?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor ID="_9edb3dae-0919-40ff-b7c0-bffc63ba032b" entityID="https://gitlab.example.com/" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gitlab.example.com/users/auth/saml/callback" index="0" isDefault="true" />
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
<md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
<md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false" />
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
|
...
