This guide describes how Gitlab CE v13.x can be configured as a SAML Service Provider for eduTEAMS. The integration via SAML provides more benefits than the integration via OIDC, as the SAML implementation in Gitlab has (limited) support for authorizing users using groups. The OIDC implementation in Gitlab supports only authenticating users.
The SAML login in Gitlab includes support for limiting access to specific groups from your VO and authorizing users using these groups. There are four groups types that can be configured: required, admin, audit and external.
2. Once you edited the omniauth section of the /etc/gitlab/gitlab.rb file as above indicated, you need to reconfigure gitlab with the command:
sudo gitlab-ctl reconfigure
4. Congratulations, you have successfully configured your Gitlab instance for eduTEAMS. Now you can proceed to register your service following the steps described in Registering services on the eduTEAMS Service.
TO BE DELETED
This guide describes how Gitlab CE can be configured as a SAML Service Provider for eduTEAMS and it assumes:
It is possible to connect a Gitlab instance with eduTEAMS as a SAML Service Provider. The integration via SAML provides more benefits as the SAML implementation in Gitlab has (limited) support for authorizing users using groups. The OIDC implementation in Gitlab supports only authenticating users. As a reference this guide is available: https://docs.gitlab.com/13.0/ee/integration/saml.html .
In order to configure your Gitlab for eduTEAMS, you need the following information:
|issuer||A unique name identifying the gitlab application to the proxy|
|idp_sso_target_url||This is the eduTEAMS endpoint supporting the HTTP-Redirect SAML 2.0 Binding|
|idp_cert_fingerprint||72:8A:6C:6B:63:35:3F:E0:BF:70:8D:41:0E:B7:02:CF:C5:86:53:24||This is the SHA1 fingerprint of the signing certificate used by the eduTEAMS SAML frontend|
|name_identifier_format||urn:oasis:names:tc:SAML:2.0:nameid-format:persistent||The NameID format requested|
|uid||urn:oasis:names:tc:SAML:attribute:subject-id||See Attributes available to Relying Parties#eduTEAMSIdentifier|
|urn:oid:0.9.2342.19200300.100.1.3||See Attributes available to Relying Parties#Emailaddress|
|first_name||urn:oid:188.8.131.52||See Attributes available to Relying Parties#GivenName|
|last_name||urn:oid:184.108.40.206||See Attributes available to Relying Parties#FamilyName|
|groups_attribute||urn:oid:220.127.116.11.4.1.5918.104.22.168.7||See Attributes available to Relying Parties#Groups|
In the basic integration, all users from your VO will be able to authenticate via eduTEAMS and access the Gitlab service.
The "STEP nnn" comments refer directly to the OmniAuth guide (see the link at the start of this document).
Below is an example configuration:
The SAML login in Gitlab includes support for limiting access to specific groups from your VO. You can control which groups can access the Gitlab instance using the
required_groups configuration option. When
required_groups is not set or it is empty, anyone with proper authentication will be able to use the service.
It is also possible to automatically identify whether a user should be considered an external user based on the user’s group membership in your VO in eduTEAMS This feature does not allow you to automatically add users to GitLab Groups, it simply allows you to mark users as External if they are members of certain groups of users. You can control the users of which groups will be marked as External using the the
external_groups configuration option.
This setting works very similarly to the
External Groups setting. The requirements are the same, your IdP needs to pass Group information to GitLab, you need to tell GitLab where to look for the groups in the SAML response, and which group should be considered
This setting also follows the requirements documented for the
External Groups setting. GitLab uses the Group information provided by your IdP to determine if a user should be assigned the
Below is an example configuration:
Check the SAML metadata URL of the Gitlab instance at https://gitlab.example.com/users/auth/saml/metadata (replace gitlab.example.com with the domain of your Gitlab instance). You should should something like the following:
Gitlab SAML Metadata
Congratulations, you have successfully configured your Gitlab instance for eduTEAMS. Now you can proceed registering your following the steps described in Registering services on the eduTEAMS Service