kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/doc/integration/shibboleth.md

125 lines
4.3 KiB
Markdown
Raw Normal View History

added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
# Shibboleth OmniAuth Provider
Never heard of gitlab-omnibus
2016-01-12 13:47:55 +00:00
This documentation is for enabling shibboleth with omnibus-gitlab package.
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
NIGNX -> Nginx This shouldn't be in all caps, and it should be spelled correctly!
2016-12-05 14:37:44 +00:00
In order to enable Shibboleth support in gitlab we need to use Apache instead of Nginx (It may be possible to use Nginx, however this is difficult to configure using the bundled Nginx provided in the omnibus-gitlab package). Apache uses mod_shib2 module for shibboleth authentication and can pass attributes as headers to omniauth-shibboleth provider.
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
To enable the Shibboleth OmniAuth provider you must:
Update oauth documenatation with examples for omnibus package and installations from source.
2015-02-13 22:49:19 +00:00
1. Configure Apache shibboleth module. Installation and configuration of module it self is out of scope of this document.
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
Check https://wiki.shibboleth.net/ for more info.
Use GitLab.com link, remove GitHub link
2016-11-11 06:30:33 +00:00
1. You can find Apache config in gitlab-recipes (https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache)
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
Following changes are needed to enable shibboleth:
Make all non-config/non-operational mentions of URL consistently capitalized. Make the plural version consistently "URLs". Fix an instance where the article "the" before URL was missing.
2015-01-30 18:24:45 +00:00
protect omniauth-shibboleth callback URL:
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
```
<Location /users/auth/shibboleth/callback>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
require valid-user
</Location>
Alias /shibboleth-sp /usr/share/shibboleth
<Location /shibboleth-sp>
Satisfy any
</Location>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
```
Make all non-config/non-operational mentions of URL consistently capitalized. Make the plural version consistently "URLs". Fix an instance where the article "the" before URL was missing.
2015-01-30 18:24:45 +00:00
exclude shibboleth URLs from rewriting, add "RewriteCond %{REQUEST_URI} !/Shibboleth.sso" and "RewriteCond %{REQUEST_URI} !/shibboleth-sp", config should look like this:
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
```
Fix a number of discovered typos, capitalization of developer and product names, plus a couple of instances of bad Markdown markup.
2015-02-03 23:18:40 +00:00
# Apache equivalent of Nginx try files
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
Update oauth documenatation with examples for omnibus package and installations from source.
2015-02-13 22:49:19 +00:00
RewriteCond %{REQUEST_URI} !/Shibboleth.sso
RewriteCond %{REQUEST_URI} !/shibboleth-sp
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
RequestHeader set X_FORWARDED_PROTO 'https'
```
Update oauth documenatation with examples for omnibus package and installations from source.
2015-02-13 22:49:19 +00:00
1. Edit /etc/gitlab/gitlab.rb configuration file, your shibboleth attributes should be in form of "HTTP_ATTRIBUTE" and you should addjust them to your need and environment. Add any other configuration you need.
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
Update oauth documenatation with examples for omnibus package and installations from source.
2015-02-13 22:49:19 +00:00
File should look like this:
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
```
external_url 'https://gitlab.example.com'
gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'
Fix a number of discovered typos, capitalization of developer and product names, plus a couple of instances of bad Markdown markup.
2015-02-03 23:18:40 +00:00
# disable Nginx
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
nginx['enable'] = false
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
{
"name" => 'shibboleth',
"args" => {
"shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
"shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
"uid_field" => 'HTTP_EPPN',
"name_field" => 'HTTP_CN',
"info_fields" => { "email" => 'HTTP_MAIL'}
}
}
]
```
Update oauth documenatation with examples for omnibus package and installations from source.
2015-02-13 22:49:19 +00:00
1. Save changes and reconfigure gitlab:
added omniauth-shibboleth gem for shibboleth support added documentation for shibboleth omniauth provider updated changelog
2014-08-28 08:57:30 +00:00
```
sudo gitlab-ctl reconfigure
```
On the sign in page there should now be a "Sign in with: Shibboleth" icon below the regular sign in form. Click the icon to begin the authentication process. You will be redirected to IdP server (Depends on your Shibboleth module configuration). If everything goes well the user will be returned to GitLab and will be signed in.
Update shibboleth configuration for GitLab 8.6 and Apache 2.4
2016-04-14 01:03:50 +00:00
## Apache 2.4 / GitLab 8.6 update
The order of the first 2 Location directives is important. If they are reversed,
you will not get a shibboleth session!
```
<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
<Location /users/auth/shibboleth/callback>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require shib-session
</Location>
Alias /shibboleth-sp /usr/share/shibboleth
<Location /shibboleth-sp>
Require all granted
</Location>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
RewriteEngine on
#Don't escape encoded characters in api requests
RewriteCond %{REQUEST_URI} ^/api/v3/.*
RewriteCond %{REQUEST_URI} !/Shibboleth.sso
RewriteCond %{REQUEST_URI} !/shibboleth-sp
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
#Forward all requests to gitlab-workhorse except existing files
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteCond %{REQUEST_URI} !/Shibboleth.sso
RewriteCond %{REQUEST_URI} !/shibboleth-sp
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
```