27.15.1 Configuring GitLab for Advanced Authentication

GitLab can be configured to act as a SAML 2.0 Service Provider (SP), so that it accepts SAML 2.0 assertions from an Identity Provider (IdP), which in this case is Advanced Authentication.

First configure SAML 2.0 support in GitLab, then register the GitLab application in the IdP. The values you set in GitLab (the assertion consumer service URL and the issuer) must match what you register on the IdP side.

On your GitLab server, perform the following steps:

  1. Open /etc/gitlab/gitlab.rb in an editor (for example, vi /etc/gitlab/gitlab.rb) and make the following changes:

  2. To allow users to sign in with SAML without an administrator creating an account for them first, add the following values to the configuration of the Omnibus package. Setting omniauth_block_auto_created_users to false means that the account created on a user's first SAML login is active immediately; set it to true if you want an administrator to unblock new accounts before they can be used:

    gitlab_rails['omniauth_enabled'] = true

    gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']

    gitlab_rails['omniauth_block_auto_created_users'] = false

  3. To link SAML users to existing GitLab users whose email address matches, add the following setting. Linking relies on the email attribute asserted by the IdP, so enable it only when the IdP is authoritative for the addresses it sends:

    gitlab_rails['omniauth_auto_link_saml_user'] = true

  4. Add the provider configuration (the closing bracket of the args hash, of the provider hash and of the array must all be present, otherwise the reconfigure step fails with a Ruby syntax error):

     gitlab_rails['omniauth_providers'] = [
       {
         name: 'saml',
         args: {
           assertion_consumer_service_url: 'https://<gitlab-server-address>/users/auth/saml/callback',
           idp_cert_fingerprint: 'A3:8D:36:9E:9C:B7:31:0E:14:26:A5:10:68:73:07:A7:CA:7C:9E:BB',
           idp_sso_target_url: 'https://<adfs-serveraddress>/adfs/ls/',
           idp_slo_target_url: 'https://<adfs-serveraddress>/adfs/ls/',
           issuer: 'https://<gitlab-server-address>',
           name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
           attribute_statements: {
             username: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'],
             email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
             name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
             first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
             last_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']
           }
         }
       }
     ]

  5. Set assertion_consumer_service_url to the HTTPS URL of your GitLab installation with users/auth/saml/callback appended. This is the endpoint to which the IdP posts assertions, so it must match the URL you register at the IdP exactly.

  6. Set idp_cert_fingerprint, idp_sso_target_url, idp_slo_target_url and name_identifier_format to the values published by your IdP (the example URLs above are ADFS endpoints; use the single sign-on and single logout endpoints from the Advanced Authentication SAML metadata). If a fingerprint is used, it must be the SHA1 fingerprint of the IdP signing certificate, written as colon-separated hex bytes; alternatively, omniauth-saml accepts the full IdP certificate in the idp_cert option, which does not depend on a SHA1 match. GitLab uses the SAML NameID as the stable identifier of the linked identity, so the IdP must issue a value that does not change between logins; if it cannot guarantee this with the transient format, use urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. For more information, see the omniauth-saml documentation.

  7. Set issuer to a unique name that identifies GitLab to the IdP; the GitLab server address, as in the example, is the usual choice. The same value must be registered as the SP entity ID on the IdP, which rejects assertions requested under a different issuer.

  8. If you installed GitLab through Omnibus, run gitlab-ctl reconfigure for the changes to take effect.

  9. Register the GitLab SP in the IdP (Advanced Authentication), using the same assertion consumer service URL and issuer as in the configuration above. For more information, see Configuring the SAML 2.0 Event on Advanced Authentication.
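The steps above leave several values that must agree with each other and with the IdP (the callback URL derived from the GitLab external URL, the SHA1 fingerprint of the IdP signing certificate, the NameID format, and the email mapping that omniauth_auto_link_saml_user depends on). The following Ruby script, added here as an example and not part of GitLab, Advanced Authentication or omniauth-saml, checks a provider hash written the way it appears in gitlab.rb before you run gitlab-ctl reconfigure. The IdP certificate it uses is a constructed self-signed one, and the idp.example.com SSO endpoint is a hypothetical placeholder; in practice you paste your own provider hash and the certificate from the IdP's SAML metadata.

```ruby
require 'openssl'

# Added check script (not part of GitLab or Advanced Authentication). It
# verifies a SAML provider hash from gitlab.rb against the GitLab external
# URL and the IdP signing certificate before you reconfigure GitLab.

# idp_cert_fingerprint must be the SHA1 fingerprint written as 20
# colon-separated upper-case hex bytes.
FINGERPRINT_RE = /\A(?:[0-9A-F]{2}:){19}[0-9A-F]{2}\z/
PERSISTENT_NAMEID = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
TRANSIENT_NAMEID  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'

# SHA1 fingerprint of a PEM certificate in the form GitLab expects.
def saml_cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest::SHA1.hexdigest(der).upcase.scan(/../).join(':')
end

# Returns an array of problem strings found in +provider+ (empty means OK).
# idp_pem is optional; when given, the fingerprint is compared against it.
def check_saml_provider(provider, external_url:, idp_pem: nil)
  problems = []
  args = provider[:args] || {}

  # The callback is always external_url + /users/auth/saml/callback.
  expected_acs = "#{external_url.chomp('/')}/users/auth/saml/callback"
  acs = args[:assertion_consumer_service_url]
  problems << "assertion_consumer_service_url must be #{expected_acs}" unless acs == expected_acs

  # Without a fingerprint or a full certificate, signatures cannot be checked.
  fp = args[:idp_cert_fingerprint]
  if fp.nil? && args[:idp_cert].nil?
    problems << 'neither idp_cert_fingerprint nor idp_cert is set, so the IdP signature cannot be verified'
  elsif fp
    if fp !~ FINGERPRINT_RE
      problems << 'idp_cert_fingerprint is not a colon-separated SHA1 fingerprint'
    elsif idp_pem && fp != saml_cert_fingerprint(idp_pem)
      problems << 'idp_cert_fingerprint does not match the IdP certificate'
    end
  end

  # Redirects to the IdP must stay on https; SLO is optional.
  %i[idp_sso_target_url idp_slo_target_url].each do |k|
    next if k == :idp_slo_target_url && args[k].nil?
    problems << "#{k} must be an https URL" unless args[k].to_s.start_with?('https://')
  end

  problems << 'issuer must not be empty' if args[:issuer].to_s.empty?

  # GitLab keys the linked identity on the NameID, so it must be stable.
  if args[:name_identifier_format] == TRANSIENT_NAMEID
    problems << "name_identifier_format is transient; use #{PERSISTENT_NAMEID} so the NameID is stable across logins"
  end

  # Auto-linking by email needs an email attribute mapping.
  email_attrs = (args[:attribute_statements] || {})[:email]
  if email_attrs.nil? || email_attrs.empty?
    problems << 'attribute_statements has no email mapping, so omniauth_auto_link_saml_user cannot match users'
  end

  problems
end

# Constructed self-signed certificate standing in for the IdP signing
# certificate (in practice it comes from the IdP's SAML metadata).
def constructed_idp_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=idp.example.com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = constructed_idp_cert
  provider = { name: 'saml', args: {
    assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
    idp_cert_fingerprint: saml_cert_fingerprint(pem),
    idp_sso_target_url: 'https://idp.example.com/saml/sso', # hypothetical IdP endpoint
    issuer: 'https://gitlab.example.com',
    name_identifier_format: PERSISTENT_NAMEID,
    attribute_statements: { email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] }
  } }
  problems = check_saml_provider(provider, external_url: 'https://gitlab.example.com', idp_pem: pem)
  puts(problems.empty? ? 'SAML provider configuration is consistent' : problems)
end
```

To use it against a real installation, replace the constructed certificate with the PEM from the IdP metadata and the provider hash with the one from gitlab.rb; saml_cert_fingerprint also gives you the value to paste into idp_cert_fingerprint when the IdP only publishes the certificate.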