gitlab.html 9.28 KB
Newer Older
Yadd's avatar
Yadd committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:applications:gitlab</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,applications,gitlab"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="gitlab.html"/>
<link rel="contents" href="gitlab.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:gitlab","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="gitlab">Gitlab</h1>
<div class="level1">

<p>
<img src="gitlab_logo.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT1 SECTION "Gitlab" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
See <a href="https://about.gitlab.com/" class="urlextern" title="https://about.gitlab.com/"  rel="nofollow">Gitlab</a> page for product presentation.
</p>

<p>
Gitlab allows to use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, see <a href="https://docs.gitlab.com/ee/integration/saml.html" class="urlextern" title="https://docs.gitlab.com/ee/integration/saml.html"  rel="nofollow">official documentation</a>
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [68-296] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">

<p>
For this example, we use these sample values:
 * Gitlab <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com"  rel="nofollow">https://gitlab.example.com</a>
 * <abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com"  rel="nofollow">https://auth.example.com</a>
</p>

</div>
<!-- EDIT3 SECTION "SAML" [297-452] -->
<h3 class="sectionedit4" id="gitlab_configuration">Gitlab configuration</h3>
<div class="level3">

<p>
Find the gitlab.rb file and add these settings:
</p>
<pre class="code">vi /etc/gitlab/gitlab.rb</pre>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_enabled'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'saml'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_link_saml_user'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    args: <span class="br0">&#123;</span>
      assertion_consumer_service_url: <span class="st0">'https://gitlab.example.com/users/auth/saml/callback'</span>,
      idp_cert_fingerprint: <span class="st0">'99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A'</span>,
      idp_sso_target_url: <span class="st0">'https://auth.example.com/saml/singleSignOn'</span>,
      issuer: <span class="st0">'https://gitlab.example.com'</span>,
      name_identifier_format: <span class="st0">'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'</span>
    <span class="br0">&#125;</span>,
    label: <span class="st0">'Login with LL::NG'</span> <span class="co1"># optional label for SAML login button</span>
  <span class="br0">&#125;</span>
<span class="br0">&#93;</span></pre>
<div class="notetip">To get the fingerprint of IDP certificate, copy <abbr title="Security Assertion Markup Language">SAML</abbr> certificate from <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration in a file and use openssl:
<pre class="code">openssl x509 -in CERT.pem -noout -fingerprint</pre>

</div>
<p>
You can force <abbr title="Security Assertion Markup Language">SAML</abbr> by default with this option:
</p>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_sign_in_with_provider'</span><span class="br0">&#93;</span> = <span class="st0">'saml'</span></pre>

<p>
In this case, users won&#039;t be able to log directly on gitlab. Set it once you are sure the <abbr title="Security Assertion Markup Language">SAML</abbr> configuration is valid.
</p>

<p>
To apply changes:
</p>
<pre class="code">gitlab-ctl reconfigure</pre>

</div>
<!-- EDIT4 SECTION "Gitlab configuration" [453-1845] -->
<h3 class="sectionedit5" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">

<p>
We suppose <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as <abbr title="Security Assertion Markup Language">SAML</abbr> IDP, and that you converted the public key into a certificate for <abbr title="Security Assertion Markup Language">SAML</abbr> signature. You must enable the option to send certificates in response. If you don&#039;t want to, you need to copy the certificate value into Gitlab configuration, in `idp_cert` parameter.
</p>

<p>
You can get Gitlab <abbr title="Security Assertion Markup Language">SAML</abbr> metadata on <a href="https://gitlab.example.com/users/auth/saml/metadata" class="urlextern" title="https://gitlab.example.com/users/auth/saml/metadata"  rel="nofollow">https://gitlab.example.com/users/auth/saml/metadata</a>
</p>

<p>
Register them in <abbr title="LemonLDAP::NG">LL::NG</abbr> and send these <abbr title="Security Assertion Markup Language">SAML</abbr> attributes:
</p>
<ul>
<li class="level1"><div class="li"> mail ⇒ email</div>
</li>
<li class="level1"><div class="li"> uid ⇒ uid</div>
</li>
<li class="level1"><div class="li"> cn ⇒ name</div>
</li>
</ul>
<div class="noteimportant">The value from <abbr title="LemonLDAP::NG">LL::NG</abbr> mail session attribute must be the email of the user in Gitlab database, in order to associate accounts.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG configuration" [1846-2520] -->
<h3 class="sectionedit6" id="manage_groups">Manage groups</h3>
<div class="level3">

<p>
You can pass groups to Gitlab. For this, declare groups attribute in gitlab.rb:
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    groups_attribute: <span class="st0">'groups'</span>,
...</pre>

<p>
And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</p>
<ul>
<li class="level1"><div class="li"> groups ⇒ groups</div>
</li>
</ul>

</div>
<!-- EDIT6 SECTION "Manage groups" [2521-] --></div>
</body>
</html>