Bypassing the problem that GitLab asks for uid/pw authentication, I called
/users/auth/shibboleth directly (and changed the config to protect
/users/auth/shibboleth/callback with Shibboleth). This causes a different
error ("Sign-in failed because email can't be blank"). The question remains
how to configure GitLab to use Shibboleth authentication.

On Friday, 26 August 2016 00:13:21 UTC+2, Rainer Hörbe wrote:
>
> I am setting up gitlab 8.11-ce with shibboleth authentication based on the
> docker image <https://hub.docker.com/r/gitlab/gitlab-ce/>, but get stuck in
> the uid/pw form. I am not sure how to configure this, because the
> documentation
> <http://docs.gitlab.com/ce/integration/shibboleth.html#apache-2.4-gitlab-8.6-update>
> seems to be outdated (gitlab-workhorse should handle all requests according
> to this
> <https://about.gitlab.com/2016/04/12/a-brief-history-of-gitlab-workhorse/>
> post).
>
> Problem:
> requesting / will redirect to users/password/edit?reset_password_token=...
> using /users/sign_in (requiring shib authn) will return back to redirect
> to users/password/edit?... after performing the SAML websso flow.
>
> My config snippets are:
>
> *gitlab.rb*
> gitlab_rails['omniauth_enabled'] = true
> gitlab_rails['omniauth_allow_single_sign_on'] = true
> gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
> gitlab_rails['omniauth_block_auto_created_users'] = false
> gitlab_rails['omniauth_providers'] = [
>   { "name" => 'shibboleth',
>     "args" => {
>       "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
>       "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
>       "uid_field" => 'HTTP_X-PVP-USERID',
>       "name_field" => 'HTTP_X-PVP-GIVENNAME' + ' ' +
>                       'HTTP_X-PVP-PRINCIPALNAME',
>       "info_fields" => {
>         "email" => 'HTTP_X-PVP-MAIL'
>       },
>       "debug" => false
>     }
>   }
> ]
> ...
> nginx['enable'] = false
>
>
> vhost.conf
> <VirtualHost *:8080>
>     UseCanonicalName Off
>     ServerName https://gitlab.test.portalverbund.gv.at:443
>     DocumentRoot /var/www/gitlabTestPortalverbundGvAt/html/
>     #LogLevel trace6
>
>     ProxyPreserveHost On
>     ProxyPass /Shibboleth.sso !
>     ProxyPass / http://21gitlab:8080/
>     ProxyPassReverse / http://21gitlab:8080/
>     RequestHeader set X_FORWARDED_PROTO 'https'
>     RequestHeader set X-Forwarded-Ssl on
>
>     # Ensure that encoded slashes are not decoded but left in their encoded state.
>     # http://doc.gitlab.com/ce/api/projects.html#get-single-project
>     AllowEncodedSlashes NoDecode
>
>     <Location />
>         Require all granted
>     </Location>
>
>     #<Location /users/auth/shibboleth/callback>
>     <Location /users/sign_in>
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         ShibUseHeaders On
>         Require shib-session
>     </Location>
>
>     Alias /shibboleth-sp /usr/share/shibboleth
>     <Location /shibboleth-sp>
>         Require all granted
>     </Location>
>
>     <Location /Shibboleth.sso>
>         SetHandler shib
>     </Location>
>
> </VirtualHost>
>
> A working example configuration for gitlab >= 8.3 (in particular gitlab.rb
> and the apache vhost.conf), links to current recipes or other hits are very
> much appreciated.
>
> - Rainer
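
A check on the header field names in the configuration quoted above, as an added example that is not part of the original thread. It assumes the provider looks each configured value up as a single key in the Rack env and that the app server applies the standard CGI mapping to request headers (`HTTP_` prefix, uppercase, hyphens to underscores); under that assumption a key containing a hyphen or a space never matches, which would leave the corresponding attribute (such as email) empty. Helper names and the sample env values are constructed for illustration.

```ruby
# Added example: lint the field names from the posted gitlab.rb against
# Rack's CGI-style naming of request headers. Assumption: the provider looks
# each configured value up as one key in the Rack env.

# Rack/CGI naming: header "X-PVP-Mail" is exposed as env["HTTP_X_PVP_MAIL"].
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# A header-derived env key is HTTP_ followed by A-Z, 0-9 and underscores only.
VALID_ENV_KEY = /\AHTTP_[A-Z0-9_]+\z/

# Returns { field => [suggested env keys] } for every value that can never match.
def lint_fields(fields)
  fields.each_with_object({}) do |(field, value), problems|
    next if value.match?(VALID_ENV_KEY)
    # Split on whitespace so a concatenated value ("A B") is reported per part.
    problems[field] = value.split.map { |part| rack_env_key(part.sub(/\AHTTP_/, "")) }
  end
end

# Values copied from the posted config. name_field is what the expression
# 'HTTP_X-PVP-GIVENNAME' + ' ' + 'HTTP_X-PVP-PRINCIPALNAME' evaluates to:
# one string with a space in it, not two separate lookups.
POSTED_FIELDS = {
  "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
  "uid_field"  => "HTTP_X-PVP-USERID",
  "name_field" => "HTTP_X-PVP-GIVENNAME" + " " + "HTTP_X-PVP-PRINCIPALNAME",
  "email"      => "HTTP_X-PVP-MAIL"
}

# Constructed request env, as the app server would build it from proxy headers.
SAMPLE_ENV = {
  rack_env_key("X-PVP-USERID") => "jdoe",
  rack_env_key("X-PVP-MAIL")   => "jdoe@example.org"
}

# Single-key lookup, mirroring the assumed provider behaviour.
def lookup(env, key)
  env[key]
end

if __FILE__ == $PROGRAM_NAME
  lint_fields(POSTED_FIELDS).each { |f, keys| puts "#{f}: never matches, try #{keys.join(' / ')}" }
  puts "email via posted key: #{lookup(SAMPLE_ENV, POSTED_FIELDS['email']).inspect}"
end
```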