I am setting up GitLab 8.11-ce with Shibboleth authentication based on the
docker image <https://hub.docker.com/r/gitlab/gitlab-ce/>, but I get stuck in
the uid/pw form. I am not sure how to configure this, because the documentation
<http://docs.gitlab.com/ce/integration/shibboleth.html#apache-2.4-gitlab-8.6-update>
seems to be outdated (gitlab-workhorse should handle all requests according to
this <https://about.gitlab.com/2016/04/12/a-brief-history-of-gitlab-workhorse/>
post).

Problem:
Requesting / redirects to users/password/edit?reset_password_token=...
Using /users/sign_in (requiring shib authn) redirects back to
users/password/edit?... after performing the SAML WebSSO flow.

My config snippets are:

*gitlab.rb*
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml' 
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  { "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_X-PVP-USERID',
      "name_field" => 'HTTP_X-PVP-GIVENNAME' + ' ' + 'HTTP_X-PVP-PRINCIPALNAME',
      "info_fields" => { 
        "email" => 'HTTP_X-PVP-MAIL'
      },
      "debug" => false
    }
  }
]
...
nginx['enable'] = false


*vhost.conf*
<VirtualHost *:8080>
    UseCanonicalName Off
    ServerName https://gitlab.test.portalverbund.gv.at:443
    DocumentRoot /var/www/gitlabTestPortalverbundGvAt/html/
    #LogLevel trace6

    ProxyPreserveHost On
    ProxyPass /Shibboleth.sso !
    ProxyPass / http://21gitlab:8080/
    ProxyPassReverse / http://21gitlab:8080/
    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on
  
    # Ensure that encoded slashes are not decoded but left in their encoded state.
    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
    AllowEncodedSlashes NoDecode    

    <Location />
      Require all granted
    </Location>

    #<Location /users/auth/shibboleth/callback>
    <Location /users/sign_in>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibUseHeaders On
      Require shib-session
    </Location>

    Alias /shibboleth-sp /usr/share/shibboleth
    <Location /shibboleth-sp>
      Require all granted
    </Location>

    <Location /Shibboleth.sso>
      SetHandler shib
    </Location>

</VirtualHost>
 
A working example configuration for GitLab >= 8.3 (in particular gitlab.rb
and the Apache vhost.conf), links to current recipes or other hints are very
much appreciated.

- Rainer
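
A consistency check for the two snippets in the post above, added here as an example; it is not part of the original post or of GitLab's tooling. It assumes the provider's callback path is /users/auth/<provider name>/callback (the path in the commented-out Location line) and that the attribute headers are only set on requests inside a shibboleth-protected Location; the function names and the reduced sample text are constructed.

```python
import re

# Constructed sample, reduced from the two configuration snippets in the post.
VHOST = """
<Location />
  Require all granted
</Location>
#<Location /users/auth/shibboleth/callback>
<Location /users/sign_in>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>
"""
GITLAB_RB = """
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_providers'] = [ { "name" => 'shibboleth', "args" => {} } ]
"""

def shib_locations(vhost):
    """Paths of uncommented <Location> blocks that set AuthType shibboleth."""
    active = "\n".join(l for l in vhost.splitlines() if not l.lstrip().startswith("#"))
    blocks = re.findall(r"<Location\s+(\S+)>(.*?)</Location>", active, re.S | re.I)
    return [path for path, body in blocks
            if re.search(r"^\s*AuthType\s+shibboleth\b", body, re.M | re.I)]

def providers(gitlab_rb):
    """Provider names taken from "name" => '...' entries."""
    return re.findall(r'''"name"\s*=>\s*['"]([^'"]+)['"]''', gitlab_rb)

def auto_sign_in(gitlab_rb):
    m = re.search(r'''omniauth_auto_sign_in_with_provider'\]\s*=\s*['"]([^'"]+)''', gitlab_rb)
    return m.group(1) if m else None

def covered(path, locations):
    # Simplified prefix match; Apache's real <Location> merging is richer.
    return any(path == loc or path.startswith(loc.rstrip("/") + "/") for loc in locations)

def check(vhost, gitlab_rb):
    findings, names = [], providers(gitlab_rb)
    for name in names:
        callback = f"/users/auth/{name}/callback"
        if not covered(callback, shib_locations(vhost)):
            findings.append(f"{callback} is outside every shibboleth-protected Location")
    auto = auto_sign_in(gitlab_rb)
    if auto and auto not in names:
        findings.append(f"auto sign-in provider '{auto}' is not in omniauth_providers")
    return findings

if __name__ == "__main__":
    print("\n".join(check(VHOST, GITLAB_RB)))
```
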


