gitlab.html 9.28 KB
Newer Older
Xavier Guimard's avatar
Xavier Guimard committed
1 2 3 4 5 6
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:applications:gitlab</title>
<meta name="generator" content="DokuWiki"/>
Xavier Guimard's avatar
Xavier Guimard committed
7
<meta name="robots" content="index,follow"/>
Xavier Guimard's avatar
Xavier Guimard committed
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192
<meta name="keywords" content="documentation,2.0,applications,gitlab"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="gitlab.html"/>
<link rel="contents" href="gitlab.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:gitlab","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="gitlab">Gitlab</h1>
<div class="level1">

<p>
<img src="gitlab_logo.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT1 SECTION "Gitlab" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
See <a href="https://about.gitlab.com/" class="urlextern" title="https://about.gitlab.com/"  rel="nofollow">Gitlab</a> page for product presentation.
</p>

<p>
Gitlab allows to use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, see <a href="https://docs.gitlab.com/ee/integration/saml.html" class="urlextern" title="https://docs.gitlab.com/ee/integration/saml.html"  rel="nofollow">official documentation</a>
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [68-296] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">

<p>
For this example, we use these sample values:
 * Gitlab <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com"  rel="nofollow">https://gitlab.example.com</a>
 * <abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com"  rel="nofollow">https://auth.example.com</a>
</p>

</div>
<!-- EDIT3 SECTION "SAML" [297-452] -->
<h3 class="sectionedit4" id="gitlab_configuration">Gitlab configuration</h3>
<div class="level3">

<p>
Find the gitlab.rb file and add these settings:
</p>
<pre class="code">vi /etc/gitlab/gitlab.rb</pre>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_enabled'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'saml'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_link_saml_user'</span><span class="br0">&#93;</span> = <span class="kw2">true</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    args: <span class="br0">&#123;</span>
      assertion_consumer_service_url: <span class="st0">'https://gitlab.example.com/users/auth/saml/callback'</span>,
      idp_cert_fingerprint: <span class="st0">'99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A'</span>,
      idp_sso_target_url: <span class="st0">'https://auth.example.com/saml/singleSignOn'</span>,
      issuer: <span class="st0">'https://gitlab.example.com'</span>,
      name_identifier_format: <span class="st0">'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'</span>
    <span class="br0">&#125;</span>,
    label: <span class="st0">'Login with LL::NG'</span> <span class="co1"># optional label for SAML login button</span>
  <span class="br0">&#125;</span>
<span class="br0">&#93;</span></pre>
<div class="notetip">To get the fingerprint of IDP certificate, copy <abbr title="Security Assertion Markup Language">SAML</abbr> certificate from <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration in a file and use openssl:
<pre class="code">openssl x509 -in CERT.pem -noout -fingerprint</pre>

</div>
<p>
You can force <abbr title="Security Assertion Markup Language">SAML</abbr> by default with this option:
</p>
<pre class="code file ruby">gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_auto_sign_in_with_provider'</span><span class="br0">&#93;</span> = <span class="st0">'saml'</span></pre>

<p>
In this case, users won&#039;t be able to log directly on gitlab. Set it once you are sure the <abbr title="Security Assertion Markup Language">SAML</abbr> configuration is valid.
</p>

<p>
To apply changes:
</p>
<pre class="code">gitlab-ctl reconfigure</pre>

</div>
<!-- EDIT4 SECTION "Gitlab configuration" [453-1845] -->
<h3 class="sectionedit5" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">

<p>
We suppose <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as <abbr title="Security Assertion Markup Language">SAML</abbr> IDP, and that you converted the public key into a certificate for <abbr title="Security Assertion Markup Language">SAML</abbr> signature. You must enable the option to send certificates in response. If you don&#039;t want to, you need to copy the certificate value into Gitlab configuration, in `idp_cert` parameter.
</p>

<p>
You can get Gitlab <abbr title="Security Assertion Markup Language">SAML</abbr> metadata on <a href="https://gitlab.example.com/users/auth/saml/metadata" class="urlextern" title="https://gitlab.example.com/users/auth/saml/metadata"  rel="nofollow">https://gitlab.example.com/users/auth/saml/metadata</a>
</p>

<p>
Register them in <abbr title="LemonLDAP::NG">LL::NG</abbr> and send these <abbr title="Security Assertion Markup Language">SAML</abbr> attributes:
</p>
<ul>
<li class="level1"><div class="li"> mail ⇒ email</div>
</li>
<li class="level1"><div class="li"> uid ⇒ uid</div>
</li>
<li class="level1"><div class="li"> cn ⇒ name</div>
</li>
</ul>
<div class="noteimportant">The value from <abbr title="LemonLDAP::NG">LL::NG</abbr> mail session attribute must be the email of the user in Gitlab database, in order to associate accounts.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG configuration" [1846-2520] -->
<h3 class="sectionedit6" id="manage_groups">Manage groups</h3>
<div class="level3">

<p>
You can pass groups to Gitlab. For this, declare groups attribute in gitlab.rb:
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
  <span class="br0">&#123;</span>
    name: <span class="st0">'saml'</span>,
    groups_attribute: <span class="st0">'groups'</span>,
...</pre>

<p>
And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</p>
<ul>
<li class="level1"><div class="li"> groups ⇒ groups</div>
</li>
</ul>

</div>
<!-- EDIT6 SECTION "Manage groups" [2521-] --></div>
</body>
</html>