omniauth-shibboleth configuration - gitlab keeps asking for uid/pw authn


Rainer Hörbe

Aug 25, 2016, 6:13:21 PM
to GitLab
I am setting up gitlab 8.11-ce with shibboleth authentication based on the docker image, but get stuck at the uid/pw form. I am not sure how to configure this, because the documentation seems to be outdated (gitlab-workhorse should handle all requests according to this post).

Problem:
requesting / will redirect to users/password/edit?reset_password_token=...
using /users/sign_in (requiring shib authn) will, after performing the SAML websso flow, again redirect to users/password/edit?...

My config snippets are:

gitlab.rb
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  { "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_X-PVP-USERID',
      "name_field" => 'HTTP_X-PVP-GIVENNAME' + ' ' + 'HTTP_X-PVP-PRINCIPALNAME',
      "info_fields" => {
        "email" => 'HTTP_X-PVP-MAIL'
      },
      "debug" => false
    }
  }
]
...
nginx['enable'] = false


vhost.conf
<VirtualHost *:8080>
    UseCanonicalName Off
    ServerName https://gitlab.test.portalverbund.gv.at:443
    DocumentRoot /var/www/gitlabTestPortalverbundGvAt/html/
    #LogLevel trace6

    ProxyPreserveHost On
    ProxyPass /Shibboleth.sso !
    ProxyPass / http://21gitlab:8080/
    ProxyPassReverse / http://21gitlab:8080/
    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on
 
    # Ensure that encoded slashes are not decoded but left in their encoded state.
    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
    AllowEncodedSlashes NoDecode   

    <Location />
      Require all granted
    </Location>

    #<Location /users/auth/shibboleth/callback>
    <Location /users/sign_in>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibUseHeaders On
      Require shib-session
    </Location>

    Alias /shibboleth-sp /usr/share/shibboleth
    <Location /shibboleth-sp>
      Require all granted
    </Location>

    <Location /Shibboleth.sso>
      SetHandler shib
    </Location>

</VirtualHost>
 

A working example configuration for gitlab >= 8.3 (in particular gitlab.rb and the apache vhost.conf), links to current recipes or other hints would be very much appreciated.

- Rainer



Rainer Hörbe

Aug 26, 2016, 2:57:12 AM
to GitLab
Bypassing the problem that gitlab asks for uid/pw authentication I called /users/auth/shibboleth directly (and changed the config to protect /users/auth/shibboleth/callback with shibboleth). This causes a different error ("Sign-in failed because email can't be blank"). The question remains how to configure Gitlab to use shibboleth authentication.
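An added illustration (not code from this thread, from GitLab or from omniauth-shibboleth) of why the uid, name and email lookups in the posted gitlab.rb can come back empty; it assumes the strategy, in its default env request type, reads each configured field name verbatim from the Rack env. It shows two things: a forwarded header such as X-PVP-MAIL reaches a Rack app as HTTP_X_PVP_MAIL (upper-cased, hyphens turned into underscores), and the Ruby + in the name_field line joins three strings into one key that no request will ever carry. All sample values are constructed.

```ruby
# Added diagnostic, not GitLab's or omniauth-shibboleth's own code. Assumes the
# strategy reads each configured field name verbatim from the Rack env.

# Rack/CGI naming: an HTTP header "X-PVP-Mail" reaches the app as
# env["HTTP_X_PVP_MAIL"]: upper-cased, hyphens turned into underscores.
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Resolve the uid/name/info fields of a gitlab.rb-style args hash against a
# Rack env. Returns the values found plus the list of fields that were empty.
def resolve_shib_fields(args, env)
  wanted = { "uid" => args["uid_field"], "name" => args["name_field"] }
  args.fetch("info_fields", {}).each { |k, v| wanted[k] = v }
  found = {}
  missing = []
  wanted.each do |label, field|
    value = env[field]
    found[label] = value
    missing << "#{label} (#{field})" if value.nil? || value.empty?
  end
  { values: found, missing: missing }
end

# Constructed sample: what a Shibboleth-protected request looks like from the
# backend's side once Apache has forwarded the SP's headers.
SAMPLE_ENV = {
  "HTTP_SHIB_SESSION_ID" => "_constructed_session_id",
  rack_env_key("X-PVP-USERID") => "jdoe",
  rack_env_key("X-PVP-GIVENNAME") => "Jane",
  rack_env_key("X-PVP-PRINCIPALNAME") => "Doe",
  rack_env_key("X-PVP-MAIL") => "jdoe@example.org",
}

# The field names exactly as written in the gitlab.rb snippet above; the
# string concatenation yields one key, not two header values joined by a space.
AS_POSTED = {
  "uid_field" => "HTTP_X-PVP-USERID",
  "name_field" => "HTTP_X-PVP-GIVENNAME" + " " + "HTTP_X-PVP-PRINCIPALNAME",
  "info_fields" => { "email" => "HTTP_X-PVP-MAIL" },
}

# The same fields spelled the way the Rack env actually names them.
AS_RACK_SEES_IT = {
  "uid_field" => rack_env_key("X-PVP-USERID"),
  "name_field" => rack_env_key("X-PVP-GIVENNAME"),
  "info_fields" => { "email" => rack_env_key("X-PVP-MAIL") },
}
```

Running resolve_shib_fields against a dump of the real env seen by the backend (rather than SAMPLE_ENV) also reveals whether the Shibboleth headers are present at all on the callback path, which is the other way "email can't be blank" arises.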