I am setting up GitLab 8.11-ce with Shibboleth authentication based on the
Docker image, but I get stuck at the uid/pw form. I am not sure how to configure this, because the
documentation seems to be outdated (gitlab-workhorse should handle all requests according to
this post).
Problem:
Requesting / redirects to users/password/edit?reset_password_token=...
Using /users/sign_in (requiring shib authn) redirects back to users/password/edit?... after performing the SAML WebSSO flow.

My config snippets are:

gitlab.rb

    gitlab_rails['omniauth_enabled'] = true
    gitlab_rails['omniauth_allow_single_sign_on'] = true
    gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
    gitlab_rails['omniauth_block_auto_created_users'] = false
    gitlab_rails['omniauth_providers'] = [
      { "name" => 'shibboleth',
        "args" => {
          "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
          "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
          "uid_field" => 'HTTP_X-PVP-USERID',
          "name_field" => 'HTTP_X-PVP-GIVENNAME' + ' ' + 'HTTP_X-PVP-PRINCIPALNAME',
          "info_fields" => {
            "email" => 'HTTP_X-PVP-MAIL'
          },
          "debug" => false
        }
      }
    ]
    ...
    nginx['enable'] = false

vhost.conf

    <VirtualHost *:8080>
      UseCanonicalName Off
      ServerName https://gitlab.test.portalverbund.gv.at:443
      DocumentRoot /var/www/gitlabTestPortalverbundGvAt/html/
      #LogLevel trace6
      ProxyPreserveHost On
      ProxyPass /Shibboleth.sso !
      ProxyPass / http://21gitlab:8080/
      ProxyPassReverse / http://21gitlab:8080/
      RequestHeader set X_FORWARDED_PROTO 'https'
      RequestHeader set X-Forwarded-Ssl on
      # Ensure that encoded slashes are not decoded but left in their encoded state.
      # http://doc.gitlab.com/ce/api/projects.html#get-single-project
      AllowEncodedSlashes NoDecode
      <Location />
        Require all granted
      </Location>
      #<Location /users/auth/shibboleth/callback>
      <Location /users/sign_in>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require shib-session
      </Location>
      Alias /shibboleth-sp /usr/share/shibboleth
      <Location /shibboleth-sp>
        Require all granted
      </Location>
      <Location /Shibboleth.sso>
        SetHandler shib
      </Location>
    </VirtualHost>

A working example configuration for GitLab >= 8.3 (in particular gitlab.rb and the Apache vhost.conf), links to current recipes, or other hints would be very much appreciated.
- Rainer
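
An added example, not part of the original post: a small Ruby check of the field names in the gitlab.rb above against the keys a Rack application sees when Shibboleth attributes arrive as proxied request headers. It assumes the omniauth strategy looks each configured name up verbatim in the Rack environment; the helper names and the sample header values are constructed for illustration.

```ruby
# Added example (not from the original post). Rack exposes a request header
# such as "X-PVP-MAIL" to the application as env key "HTTP_X_PVP_MAIL".
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Build the env hash a Rack app would see for the given request headers.
def rack_env(headers)
  headers.each_with_object({}) { |(name, value), env| env[rack_env_key(name)] = value }
end

# Flatten the provider "args" into [setting, configured_key] pairs.
def field_settings(args)
  pairs = args.select { |k, _| k.end_with?("_field") }.to_a
  (args["info_fields"] || {}).each { |k, v| pairs << ["info_fields.#{k}", v] }
  pairs
end

# Report every configured key that cannot match an env key (assumption: the
# strategy looks field names up verbatim in the Rack env).
def audit_fields(args, env)
  field_settings(args).reject { |_, key| env.key?(key) }.map do |setting, key|
    reason =
      if key =~ /\s/ then "whitespace: several names joined into one key"
      elsif key.include?("-") then "hyphen: Rack would expose #{key.tr('-', '_')}"
      else "no such header in this request"
      end
    { setting: setting, key: key, reason: reason }
  end
end

# Field names as Ruby evaluates them from the gitlab.rb in the post.
ARGS = {
  "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
  "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
  "uid_field" => "HTTP_X-PVP-USERID",
  "name_field" => "HTTP_X-PVP-GIVENNAME" + " " + "HTTP_X-PVP-PRINCIPALNAME",
  "info_fields" => { "email" => "HTTP_X-PVP-MAIL" }
}.freeze

# Constructed sample headers, as forwarded by the proxy (values are made up).
HEADERS = {
  "Shib-Session-ID" => "_constructed", "Shib-Application-ID" => "default",
  "X-PVP-USERID" => "jdoe", "X-PVP-GIVENNAME" => "Jane",
  "X-PVP-PRINCIPALNAME" => "Doe", "X-PVP-MAIL" => "jdoe@example.org"
}.freeze

audit_fields(ARGS, rack_env(HEADERS)).each do |f|
  puts "#{f[:setting]} = #{f[:key].inspect}: #{f[:reason]}"
end
```

Because the attributes travel as plain request headers, the GitLab container should accept connections only from the Apache front end.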