Merge branch 'omniauth-saml-upgrade' into 'master'
Upgrade `omniauth-saml` to 1.5.0 and document its new capabilities. With this MR I'm upgrading `omniauth-saml` to 1.5.0 to include new and improved functionality. See https://github.com/omniauth/omniauth-saml/blob/master/CHANGELOG.md for more details. This MR includes new documentation, so @axil can you also take a look? /cc @DouweM See merge request !3170
commit 6bc7fad8ea
@ -9,6 +9,7 @@ v 8.6.0 (unreleased)
- Fix issue when pushing to projects ending in .wiki
- Fix avatar stretching by providing a cropping feature (Johann Pardanaud)
- Don't load all of GitLab in mail_room
- Update `omniauth-saml` to 1.5.0 to allow for custom response attributes to be set
- Memoize @group in Admin::GroupsController (Yatish Mehta)
- Indicate how much an MR diverged from the target branch (Pierre de La Morinerie)
- Strip leading and trailing spaces in URL validator (evuez)
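Review bot: the new CHANGELOG line undersells the change; it names only custom response attributes, while the same merge documents a second new setting, `allowed_clock_drift`, and moves ruby-saml from 1.1.1 to 1.1.2 (both visible elsewhere in this diff). Anyone later scanning the changelog for changes to the SAML validation path will look here first, so suggest: `- Update \`omniauth-saml\` to 1.5.0 (adds \`attribute_statements\` and \`allowed_clock_drift\`; pulls in ruby-saml 1.1.2)`.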
Gemfile
@ -30,7 +30,7 @@ gem 'omniauth-github', '~> 1.1.1'
gem 'omniauth-gitlab', '~> 1.0.0'
gem 'omniauth-google-oauth2', '~> 0.2.0'
gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
gem 'omniauth-saml', '~> 1.4.2'
gem 'omniauth-saml', '~> 1.5.0'
gem 'omniauth-shibboleth', '~> 1.2.0'
gem 'omniauth-twitter', '~> 1.2.0'
gem 'omniauth_crowd', '~> 2.2.0'
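Review bot: `~> 1.5.0` correctly limits this upgrade to 1.5.x patch releases, but ruby-saml, the library that actually parses the SAMLResponse and verifies its XML signature, is still not declared in this Gemfile. It is reached only through omniauth-saml's own `ruby-saml (~> 1.1, >= 1.1.1)` requirement (see the lock hunk further down), so a later `bundle update omniauth-saml` can move it anywhere within 1.x without a Gemfile line for reviewers to notice. If the team wants the signature-validation layer to be an explicit, reviewed dependency, add something like `gem 'ruby-saml', '~> 1.1.2'` next to this line.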
@ -532,8 +532,8 @@ GEM
omniauth-oauth2 (1.3.1)
oauth2 (~> 1.0)
omniauth (~> 1.2)
omniauth-saml (1.4.2)
omniauth (~> 1.1)
omniauth-saml (1.5.0)
omniauth (~> 1.3)
ruby-saml (~> 1.1, >= 1.1.1)
omniauth-shibboleth (1.2.1)
omniauth (>= 1.0.0)
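Review bot: the omniauth requirement for this gem tightens from `~> 1.1` to `~> 1.3` in this hunk, but the resolved `omniauth (x.y.z)` entry of the GEM section is outside it, so the diff alone does not show that the pinned omniauth satisfies `>= 1.3, < 2`. Bundler would not have written an unsatisfiable lock, so the thing to check is only that no other lock entries moved as a side effect; the header `-532,8 +532,8` suggests they did not. Note also that `ruby-saml (~> 1.1, >= 1.1.1)` is unchanged context shared by both versions, not a requirement introduced by 1.5.0, even though it renders directly under the new entry.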
@ -692,7 +692,7 @@ GEM
ruby-fogbugz (0.2.1)
crack (~> 0.4)
ruby-progressbar (1.7.5)
ruby-saml (1.1.1)
ruby-saml (1.1.2)
nokogiri (>= 1.5.10)
uuid (~> 2.3)
ruby2ruby (2.2.0)
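Review bot: ruby-saml moves from 1.1.1 to 1.1.2 here and neither the commit message nor the CHANGELOG entry mentions it. Since ruby-saml is the component that validates assertion signatures and conditions, a silent patch bump of it is exactly what a later incident review would want to find recorded; suggest naming the ruby-saml version in the CHANGELOG line and linking its release notes in the MR description so the reason for the bump is on record.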
@ -975,7 +975,7 @@ DEPENDENCIES
omniauth-gitlab (~> 1.0.0)
omniauth-google-oauth2 (~> 0.2.0)
omniauth-kerberos (~> 0.3.0)
omniauth-saml (~> 1.4.2)
omniauth-saml (~> 1.5.0)
omniauth-shibboleth (~> 1.2.0)
omniauth-twitter (~> 1.2.0)
omniauth_crowd (~> 2.2.0)
@ -131,6 +131,58 @@ On the sign in page there should now be a SAML button below the regular sign in
Click the icon to begin the authentication process. If everything goes well the user
will be returned to GitLab and will be signed in.

## Customization

### `attribute_statements`

>**Note:**
This setting is only available on GitLab 8.6 and above.
This setting should only be used to map attributes that are part of the
OmniAuth info hash schema.

`attribute_statements` is used to map Attribute Names in a SAMLResponse to entries
in the OmniAuth [info hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later).

For example, if your SAMLResponse contains an Attribute called 'EmailAddress',
specify `{ email: ['EmailAddress'] }` to map the Attribute to the
corresponding key in the info hash. URI-named Attributes are also supported, e.g.
`{ email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] }`.

This setting allows you tell GitLab where to look for certain attributes required
to create an account. Like mentioned above, if your IdP sends the user's email
address as `EmailAddress` instead of `email`, let GitLab know by setting it on
your configuration:

```yaml
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
idp_sso_target_url: 'https://login.example.com/idp',
issuer: 'https://gitlab.example.com',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
attribute_statements: { email: ['EmailAddress'] }
}
```

### `allowed_clock_drift`

The clock of the Identity Provider may drift slightly ahead of your system clocks.
To allow for a small amount of clock drift you can use `allowed_clock_drift` within
your settings. Its value must be given in a number (and/or fraction) of seconds.
The value given is added to the current time at which the response is validated.

```yaml
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
idp_sso_target_url: 'https://login.example.com/idp',
issuer: 'https://gitlab.example.com',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
attribute_statements: { email: ['EmailAddress'] },
allowed_clock_drift: 1 # for one second clock drift
}
```

## Troubleshooting

### 500 error after login
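Review bot: two wording slips in the new prose, "This setting allows you tell GitLab" should read "allows you to tell GitLab", and "Like mentioned above" should be "As mentioned above". On substance, the `allowed_clock_drift` section needs a caveat: since the value is added to the current time at validation, every second of drift widens the window in which an assertion's time conditions are accepted, so it should stay at a few seconds at most, and the first fix for a `NotBefore`/`NotOnOrAfter` failure is clock synchronisation (NTP) on the GitLab host rather than a larger drift. The `>**Note:**` block also reads as two unrelated notes run together; a blank line or a second bullet between "GitLab 8.6 and above." and "This setting should only be used" would separate them. Finally, the `idp_cert_fingerprint` repeated in both examples, `43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8`, has 16 octets, an MD5-length digest, while ruby-saml compares fingerprints as SHA-1 unless `idp_cert_fingerprint_algorithm` is set, so anyone copying the block as-is gets a certificate mismatch; show a 20-octet SHA-1 fingerprint or `idp_cert` instead.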