VMware/GITLAB
Setting up GITLAB with SSO
1. vi /etc/gitlab/gitlab.rb
gitlab_rails['omniauth_enabled'] = true
# Users can sign up through SAML; an account is created on first sign-in.
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# Redirect the sign-in page straight to the SAML provider.
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# false: auto-created accounts are active immediately, without administrator approval.
gitlab_rails['omniauth_block_auto_created_users'] = false
#gitlab_rails['omniauth_auto_link_ldap_user'] = true
# Link a SAML sign-in to an existing GitLab user with the same email address.
gitlab_rails['omniauth_auto_link_saml_user'] = true
#gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
#gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "args" => {
      assertion_consumer_service_url: 'https://gitlab.dersllc.com/users/auth/saml/callback',
      # Signing certificate copied from the vIDM SAML Metadata tab.
      idp_cert: '-----BEGIN CERTIFICATE-----
MIIEDTCCAnWgAwIBAgIFX8pgs88wDQYJKoZIhvcNAQELBQAwPzEgMB4GA1UEAwwX
Vk13YXJlIElkZW50aXR5IE1hbmFnZXIxDjAMBgNVBAoMBUxPR0lOMQswCQYDVQQG
EwJVUzAeFw0yMDA3MDgwMDMzMDBaFw0zMDA3MDYwMDMzMDBaMD8xIDAeBgNVBAMM
F1ZNd2FyZSBJZGVudGl0eSBNYW5hZ2VyMQ4wDAYDVQQKDAVMT0dJTjELMAkGA1UE
BhMCVVMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCu3PrucCHvTQhQ
+g/dd3t6rNwnCsq7EEZQLgj+kv3yVaBTUvlnmxALR0jR+oHKtg3/ZRvX2R82zUyW
LSe3rtxyg9iQx/0oFXjIaK65/f1KsQWrHW4knXfwf/81k1sx14DVFoF953w7jKOf
N9lcOMEnWD6Oi9tF1hQ/5imW1359uL0DzOVD+OOd94fkhU+yNmH6Ag+D+YTcKUt8
pdkiYLw0vMqVAU6Qh47SJrd5p2HogcibxLPm4SCJ5efui1lEWjZ3MhrKrikc5ghv
4AuCbt16QADHXIo+xWgpULM1LR6uDYPkELSJXqL9ME16B640u5V82U8co1JdBxe7
80pXCRky5gIP7iefefqaY5UpZUmr9AhCzMzZ0H17h1F52mIyOD83ZbonNqnCcSWB
fWL/cHt7siCMvuj9OVgzHDoDrHVOCoyMJrI6jBYvTmx4kMYaycRdNdFUlcle87L6
KCGqi4Nj/NOnkJ3hnSiJdbqZhGpbBRDUqsPexWoZtrUBTtybDe8CAwEAAaMQMA4w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAdDeWzbXO7TAtOi42HAZK
MW02hzqH1DbIghb0rmRQPpQmAEb5lxVW/Ly9M+HJEjiSqW8NZKdBBEtQYb5Uzuy0
StNIrRTDZ5u1z0B8PbY4Jh7JVaxHWOLF3PU9r26NkRIV6ze4J+J1PuPbriZ+iWyM
fU68tLee8E2Nru0FJ58ArZ+9OsREJ6ym9ic2URDqFedNncJlXhDbteiAIcxZU+JO
C5zWOGsXUvIz76azxjC1rT1R+zkB7JwoTDHYIczQu2tHjiXmNyIdw98Ykc0B4o03
2in+EqQwNli23A3MtMz2SCCoqGVyJB+kQb/DYxKqq3JEizOJ9nitxuneHoHaf/EL
wnXW6KagH+Ag60E1XKnf/T3qURmL4/gJTfHln9h68X/cYrGS/+1tjson1GFpzDGe
dBVmEA4UiiOObeKUywIWitaNazwpvjhg+2QZX3lCW8cm0d2FN5QxVBFscc7wsbim
3x6WNVCqYPZgcWzo1WDw9uhNnI5nTXIgdSwo9PyGvAVC
-----END CERTIFICATE-----',
      idp_sso_target_url: 'https://login.dersllc.com/SAAS/auth/federation/sso',
      issuer: 'ders-gitlab',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    },
    label: 'DERs Login'
  }
]
- Go to vIDM administrative Console
- Go to Catalog Tab -> Web Apps
- Click the Settings Button.
- Go to the SAML Metadata Tab.
- Copy the Signing Certificate and paste it in the idp_cert section of the gitlab.rb file.
- Click the Identity Provider (IdP) metadata Link.
- Find the following location in the metadata:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.dersllc.com/SAAS/auth/federation/sso"/>
- Copy the Location URL: https://login.dersllc.com/SAAS/auth/federation/sso and paste it in the idp_sso_target_url section of the gitlab.rb file.
- Set the issuer to a friendly name for your GitLab server.
- Set the assertion_consumer_service_url to 'https://<gitlab_URL>/users/auth/saml/callback'.
- Set the label as a friendly name for the button on the sign-on page.
- Save and Exit the gitlab.rb file.
- Run the reconfigure command.
gitlab-ctl reconfigure
- After this is complete, go back to the vIDM Administrative Console.
- Go to Catalog Tab -> Web Apps
- Click the New button.
- Create a name for the App and click next.
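- Make sure the Authentication Type is set to SAML 2.0.
- On the GitLab server, run the following to get the metadata XML for the GitLab server. The --insecure flag makes curl skip TLS certificate verification; it can be dropped when the host trusts the server's certificate.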
curl --insecure https://gitlab.dersllc.com/users/auth/saml/metadata
- Copy the output and paste it into the URL/XML: section of the new app form.
- Click Next and Save & Assign.
- Assign users to the App and attempt to log in!
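
A check for the idp_cert and idp_sso_target_url steps above, as an added example that is not part of the original page: it reads the IdP metadata XML, takes the signing certificate and the HTTP-Redirect SingleSignOnService Location, and compares them with the values pasted into gitlab.rb. The function names, the idp.example.test host and the trimmed sample metadata are constructed for illustration, and the certificate body is placeholder bytes.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def der_sha256(cert):
    """SHA-256 over the decoded certificate; accepts PEM or bare base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", cert or "")
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def parse_idp_metadata(xml_text):
    """Return the HTTP-Redirect SSO Location and signing-cert fingerprints."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    certs = [der_sha256(c.text) for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no 'use' covers signing too
             for c in k.iter("{%s}X509Certificate" % NS["ds"])]
    return {"sso_url": urls[0] if urls else None, "signing_sha256": certs}

def check_gitlab_settings(xml_text, idp_cert, idp_sso_target_url):
    """Compare the two gitlab.rb values with the metadata; return problems."""
    meta, problems = parse_idp_metadata(xml_text), []
    if der_sha256(idp_cert) not in meta["signing_sha256"]:
        problems.append("idp_cert is not a signing certificate in the metadata")
    if idp_sso_target_url != meta["sso_url"]:
        problems.append("idp_sso_target_url differs from the HTTP-Redirect Location")
    if not idp_sso_target_url.startswith("https://"):
        problems.append("idp_sso_target_url is not HTTPS")
    return problems

# Constructed sample: trimmed metadata, placeholder bytes instead of a real cert.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SSO_URL = "https://idp.example.test/SAAS/auth/federation/sso"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="{REDIRECT}" Location="{SAMPLE_SSO_URL}"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_gitlab_settings(SAMPLE_METADATA, SAMPLE_CERT_B64, SAMPLE_SSO_URL) or "settings match")
```

Because the comparison is made on the decoded bytes, a certificate pasted as PEM on one line with spaces compares equal to the base64 form in the metadata.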