This guide describes how Gitlab CE can be configured as a SAML Service Provider for eduTEAMS and it assumes:
- You are using Gitlab v13.x
- You have access to edit the Gitlab configuration file at /etc/gitlab/gitlab.rb
- The URL of your Gitlab instance is https://gitlab.example.com
- The name of your VO is Test_VO
A GitLab instance can be connected to eduTEAMS either as a SAML Service Provider or as an OIDC client. The SAML integration is preferable because GitLab's SAML implementation has (limited) support for authorizing users based on group membership, whereas its OIDC implementation only authenticates users. GitLab's own SAML documentation is available for reference at https://docs.gitlab.com/13.0/ee/integration/saml.html.
To configure your GitLab instance for eduTEAMS, you need the following information:

| Setting | Value | Description |
|---|---|---|
| issuer | https://proxy.eduteams.org/proxy | The SAML Entity ID of the eduTEAMS SAML frontend interface |
| idp_sso_target_url | https://gitlab.example.com | A unique name identifying the GitLab application to the proxy |
| idp_cert_fingerprint | 72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24 | The fingerprint of the signing certificate used by the eduTEAMS SAML frontend |
| name_identifier_format | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | The NameID format requested |
| uid | urn:oasis:names:tc:SAML:attribute:subject-id | See Attributes available to Relying Parties#eduTEAMSIdentifier |
| email | urn:oid:0.9.2342.19200300.100.1.3 | See Attributes available to Relying Parties#Emailaddress |
| first_name | urn:oid:2.5.4.42 | See Attributes available to Relying Parties#GivenName |
| last_name | urn:oid:2.5.4.4 | See Attributes available to Relying Parties#FamilyName |
| groups_attribute | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | See Attributes available to Relying Parties#Groups |
In the basic integration, every member of your VO will be able to authenticate via eduTEAMS and access the GitLab service.
Below is an example configuration:
The SAML login in GitLab includes support for limiting access to specific groups from your VO. You can control which groups can access the GitLab instance using the required_groups configuration option. When required_groups is not set or is empty, anyone who authenticates successfully will be able to use the service.
It is also possible to automatically mark a user as an external user based on the user's group membership in your VO in eduTEAMS. This feature does not add users to GitLab Groups; it only marks users as External if they are members of certain groups. You can control which groups are marked as External using the external_groups configuration option.
This setting works very similarly to the External Groups setting. The requirements are the same: your IdP needs to pass group information to GitLab, you need to tell GitLab where to look for the groups in the SAML response, and which group should be considered
This setting also follows the requirements documented for the External Groups setting. GitLab uses the group information provided by your IdP to determine whether a user should be assigned the
Below is an example configuration:
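Putting the table and the two group options together, here is an added example (not the guide's own configuration and not GitLab code) of an omniauth provider block for /etc/gitlab/gitlab.rb, followed by a small function that models how required_groups and external_groups decide whether a login is allowed and whether the user is marked External. The group URNs are constructed placeholders, and issuer and idp_sso_target_url are left to the table above.

```ruby
# Added example: gitlab.rb provider block built from the table above, plus a
# model of the required_groups / external_groups decision. Not GitLab's code.
require 'set'

gitlab = {} # stub so this snippet runs stand-alone; DELETE this line in gitlab.rb

gitlab['omniauth_enabled'] = true
gitlab['omniauth_allow_single_sign_on'] = ['saml']
gitlab['omniauth_block_auto_created_users'] = false
gitlab['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'eduTEAMS',
    args: {
      # issuer and idp_sso_target_url: take the values from the table above.
      assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      idp_cert_fingerprint: '72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      # "uid" row of the table; GitLab's option name is uid_attribute.
      uid_attribute: 'urn:oasis:names:tc:SAML:attribute:subject-id',
      attribute_statements: {
        email:      ['urn:oid:0.9.2342.19200300.100.1.3'],
        first_name: ['urn:oid:2.5.4.42'],
        last_name:  ['urn:oid:2.5.4.4']
      },
      groups_attribute: 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
      # Constructed placeholders: use the group identifiers your VO releases.
      required_groups: ['urn:example:group:Test_VO:members'],
      external_groups: ['urn:example:group:Test_VO:guests']
    }
  }
]

# Models the outcome of one login from the group values found under
# groups_attribute in the assertion: an empty or unset required_groups admits
# anyone who authenticated; membership in any required group admits the user;
# membership in any external group marks an admitted user as External.
# This mirrors the behaviour described in the text, not GitLab's own code.
def saml_access_decision(args, asserted_groups)
  groups   = asserted_groups.to_set
  required = Array(args[:required_groups])
  allowed  = required.empty? || required.any? { |g| groups.include?(g) }
  external = Array(args[:external_groups]).any? { |g| groups.include?(g) }
  { allowed: allowed, external: allowed && external }
end

if __FILE__ == $PROGRAM_NAME
  args = gitlab['omniauth_providers'].first[:args]
  p saml_access_decision(args, ['urn:example:group:Test_VO:members'])
end
```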
Check the SAML metadata URL of the GitLab instance at https://gitlab.example.com/users/auth/saml/metadata (replace gitlab.example.com with the domain of your GitLab instance). You should see something like the following:
(Screenshot: GitLab SAML metadata)
Congratulations, you have successfully configured your GitLab instance for eduTEAMS. You can now register it by following the steps described in Registering services on the eduTEAMS Service