Style updates.
This commit is contained in:
parent
265d45c4eb
commit
3f70c8f2db
|
@ -41,11 +41,13 @@ that are in common for all providers that we need to consider.
|
||||||
- `block_auto_created_users` defaults to `true`. If `true` auto created users will
|
- `block_auto_created_users` defaults to `true`. If `true` auto created users will
|
||||||
be blocked by default and will have to be unblocked by an administrator before
|
be blocked by default and will have to be unblocked by an administrator before
|
||||||
they are able to sign in.
|
they are able to sign in.
|
||||||
- **Note:** If you set `block_auto_created_users` to `false`, make sure to only
|
|
||||||
define providers under `allow_single_sign_on` that you are able to control, like
|
>**Note:**
|
||||||
SAML, Shibboleth, Crowd or Google, or set it to `false` otherwise any user on
|
If you set `block_auto_created_users` to `false`, make sure to only
|
||||||
the Internet will be able to successfully sign in to your GitLab without
|
define providers under `allow_single_sign_on` that you are able to control, like
|
||||||
administrative approval.
|
SAML, Shibboleth, Crowd or Google, or set it to `false` otherwise any user on
|
||||||
|
the Internet will be able to successfully sign in to your GitLab without
|
||||||
|
administrative approval.
|
||||||
|
|
||||||
To change these settings:
|
To change these settings:
|
||||||
|
|
||||||
|
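Review bot: the added note leaves "it" ambiguous in "or set it to `false` otherwise any user on the Internet will be able to successfully sign in"; the sentence opens with `block_auto_created_users`, but the setting that must be `false` here is `allow_single_sign_on`. Suggest "or set `allow_single_sign_on` to `false`; otherwise any user on the Internet will be able to sign in to your GitLab without administrative approval" so a reader does not disable blocking while leaving single sign-on open to every provider.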
@ -57,11 +59,16 @@ To change these settings:
|
||||||
sudo editor /etc/gitlab/gitlab.rb
|
sudo editor /etc/gitlab/gitlab.rb
|
||||||
```
|
```
|
||||||
|
|
||||||
and change
|
and change:
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
gitlab_rails['omniauth_enabled'] = true
|
gitlab_rails['omniauth_enabled'] = true
|
||||||
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'twitter'] # add providers that should be allowed to auto create accounts
|
|
||||||
|
# CAUTION!
|
||||||
|
# This allows users to login without having a user account first. Define the allowed providers
|
||||||
|
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
|
||||||
|
# User accounts will be created automatically when authentication was successful.
|
||||||
|
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'twitter']
|
||||||
gitlab_rails['omniauth_block_auto_created_users'] = true
|
gitlab_rails['omniauth_block_auto_created_users'] = true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
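Review bot: the new CAUTION comment says the setting may be `true` "to allow all providers" but does not say that `omniauth_block_auto_created_users = true` on the line below is what keeps those auto-created accounts from signing in straight away; suggest adding a comment line such as `# If set to true, keep omniauth_block_auto_created_users = true so new accounts need admin approval.` Minor: the comment's example uses double quotes (`["saml", "twitter"]`) while the assignment uses single quotes (`['saml', 'twitter']`), and "login" as a verb should be "log in".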
@ -75,7 +82,7 @@ To change these settings:
|
||||||
sudo -u git -H editor config/gitlab.yml
|
sudo -u git -H editor config/gitlab.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
and change the following section
|
and change the following section:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
## OmniAuth settings
|
## OmniAuth settings
|
||||||
|
@ -99,7 +106,7 @@ the configuration process.
|
||||||
## Enable OmniAuth for an Existing User
|
## Enable OmniAuth for an Existing User
|
||||||
|
|
||||||
Existing users can enable OmniAuth for specific providers after the account is
|
Existing users can enable OmniAuth for specific providers after the account is
|
||||||
created. For example, if the user originally signed in with LDAP an OmniAuth
|
created. For example, if the user originally signed in with LDAP, an OmniAuth
|
||||||
provider such as Twitter can be enabled. Follow the steps below to enable an
|
provider such as Twitter can be enabled. Follow the steps below to enable an
|
||||||
OmniAuth provider for an existing user.
|
OmniAuth provider for an existing user.
|
||||||
|
|
||||||
|
@ -112,7 +119,10 @@ OmniAuth provider for an existing user.
|
||||||
|
|
||||||
The chosen OmniAuth provider is now active and can be used to sign in to GitLab from then on.
|
The chosen OmniAuth provider is now active and can be used to sign in to GitLab from then on.
|
||||||
|
|
||||||
## Using Custom Omniauth Providers (only works on installations from source)
|
## Using Custom Omniauth Providers
|
||||||
|
|
||||||
|
>**Note:**
|
||||||
|
The following information only applies for installations from source.
|
||||||
|
|
||||||
GitLab uses [Omniauth](http://www.omniauth.org/) for authentication and already ships
|
GitLab uses [Omniauth](http://www.omniauth.org/) for authentication and already ships
|
||||||
with a few providers pre-installed (e.g. LDAP, GitHub, Twitter). But sometimes that
|
with a few providers pre-installed (e.g. LDAP, GitHub, Twitter). But sometimes that
|
||||||
|
|
|
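Review bot: the new heading "## Using Custom Omniauth Providers" spells the name "Omniauth" while the other heading in this file ("## Enable OmniAuth for an Existing User") uses "OmniAuth"; suggest "OmniAuth" for consistency. The moved note should also read "only applies to installations from source" rather than "applies for".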
@ -97,33 +97,33 @@ in your SAML IdP:
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Change the value for 'assertion_consumer_service_url' to match the HTTPS endpoint
|
1. Change the value for `assertion_consumer_service_url` to match the HTTPS endpoint
|
||||||
of GitLab (append 'users/auth/saml/callback' to the HTTPS URL of your GitLab
|
of GitLab (append `users/auth/saml/callback` to the HTTPS URL of your GitLab
|
||||||
installation to generate the correct value).
|
installation to generate the correct value).
|
||||||
|
|
||||||
1. Change the values of 'idp_cert_fingerprint', 'idp_sso_target_url',
|
1. Change the values of `idp_cert_fingerprint`, `idp_sso_target_url`,
|
||||||
'name_identifier_format' to match your IdP. Check
|
`name_identifier_format` to match your IdP. Check
|
||||||
[the omniauth-saml documentation](https://github.com/omniauth/omniauth-saml)
|
[the omniauth-saml documentation](https://github.com/omniauth/omniauth-saml)
|
||||||
for details on these options.
|
for details on these options.
|
||||||
|
|
||||||
1. Change the value of 'issuer' to a unique name, which will identify the application
|
1. Change the value of `issuer` to a unique name, which will identify the application
|
||||||
to the IdP.
|
to the IdP.
|
||||||
|
|
||||||
1. Restart GitLab for the changes to take effect.
|
1. Restart GitLab for the changes to take effect.
|
||||||
|
|
||||||
1. Register the GitLab SP in your SAML 2.0 IdP, using the application name specified
|
1. Register the GitLab SP in your SAML 2.0 IdP, using the application name specified
|
||||||
in 'issuer'.
|
in `issuer`.
|
||||||
|
|
||||||
To ease configuration, most IdP accept a metadata URL for the application to provide
|
To ease configuration, most IdP accept a metadata URL for the application to provide
|
||||||
configuration information to the IdP. To build the metadata URL for GitLab, append
|
configuration information to the IdP. To build the metadata URL for GitLab, append
|
||||||
'users/auth/saml/metadata' to the HTTPS URL of your GitLab installation, for instance:
|
`users/auth/saml/metadata` to the HTTPS URL of your GitLab installation, for instance:
|
||||||
```
|
```
|
||||||
https://gitlab.example.com/users/auth/saml/metadata
|
https://gitlab.example.com/users/auth/saml/metadata
|
||||||
```
|
```
|
||||||
|
|
||||||
At a minimum the IdP *must* provide a claim containing the user's email address, using
|
At a minimum the IdP *must* provide a claim containing the user's email address, using
|
||||||
claim name 'email' or 'mail'. The email will be used to automatically generate the GitLab
|
claim name `email` or `mail`. The email will be used to automatically generate the GitLab
|
||||||
username. GitLab will also use claims with name 'name', 'first_name', 'last_name'
|
username. GitLab will also use claims with name `name`, `first_name`, `last_name`
|
||||||
(see [the omniauth-saml gem](https://github.com/omniauth/omniauth-saml/blob/master/lib/omniauth/strategies/saml.rb)
|
(see [the omniauth-saml gem](https://github.com/omniauth/omniauth-saml/blob/master/lib/omniauth/strategies/saml.rb)
|
||||||
for supported claims).
|
for supported claims).
|
||||||
|
|
||||||
|
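Review bot: the quote-to-backtick change is consistent throughout, but the unchanged context "most IdP accept a metadata URL" should be "most IdPs accept", and the list items mix "Change the value for `assertion_consumer_service_url`" with "Change the values of `idp_cert_fingerprint`"; suggest "of" in both.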
@ -137,7 +137,7 @@ If you see a "500 error" in GitLab when you are redirected back from the SAML si
|
||||||
this likely indicates that GitLab could not get the email address for the SAML user.
|
this likely indicates that GitLab could not get the email address for the SAML user.
|
||||||
|
|
||||||
Make sure the IdP provides a claim containing the user's email address, using claim name
|
Make sure the IdP provides a claim containing the user's email address, using claim name
|
||||||
'email' or 'mail'. The email will be used to automatically generate the GitLab username.
|
`email` or `mail`.
|
||||||
|
|
||||||
If after signing in into your SAML server you are redirected back to the sign in page and
|
If after signing in into your SAML server you are redirected back to the sign in page and
|
||||||
no error is displayed, check your `production.log` file. It will most likely contain the
|
no error is displayed, check your `production.log` file. It will most likely contain the
|
||||||
|
|
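Review bot: dropping "The email will be used to automatically generate the GitLab username." is fine since the same sentence remains in the configuration section above, but the context line "If after signing in into your SAML server" should read "signing in to".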