Assistance Needed for Integrating Okta SSO SAML with Gerrit 3.8.6

47 views
Skip to first unread message

Rohan Tom

unread,
Sep 5, 2024, 10:49:38 AM9/5/24
to Repo and Gerrit Discussion
Hi All,

I hope you're doing well. I'm currently working on integrating Okta SSO with Gerrit 3.8.6 and could use some guidance.  


We're now able to log in via Okta saml sso and land back on the homepage successfully.

However, I've encountered an issue. From what I understand, gerrit.config only supports one authentication method, which is currently set to SAML-based authentication. Here's the situation:

  • After logging in as the first user, that user became the admin as expected.
  • When setting up a new repository, I logged into the server and attempted to run the git fetch command via Git Bash.
  • Gerrit prompted me for a username and password, but entering the credentials resulted in an "unauthorized user" fatal: Authentication failed error.
  • Previously, We are using LDAP and we are able to do the git clone with username and password

Given that we are using SAML SSO for authentication, how does the username and password authentication work in this context? Is there a way to enable SSO-based authentication for operations like git clone or git fetch?

Error log-  [2024-08-29T15:39:04.918Z] [HTTP-107] WARN  com.google.gerrit.httpd.ProjectBasicAuthFilter : Authentication from 127.0.0.1 failed for  te...@gmail.com: password does not match the one stored in Gerrit

I would appreciate your guidance on how to configure this or if there's an alternative approach to handle Git operations under SSO authentication.

Best regards,
Rohan Tom

Matthias Sohn

unread,
Sep 5, 2024, 12:33:10 PM9/5/24
to Rohan Tom, Repo and Gerrit Discussion
On Thu, Sep 5, 2024 at 12:49 PM Rohan Tom <rohan...@gmail.com> wrote:
Hi All,

I hope you're doing well. I'm currently working on integrating Okta SSO with Gerrit 3.8.6 and could use some guidance.  


We're now able to log in via Okta saml sso and land back on the homepage successfully.

However, I've encountered an issue. From what I understand, gerrit.config only supports one authentication method, which is currently set to SAML-based authentication. Here's the situation:

  • After logging in as the first user, that user became the admin as expected.
  • When setting up a new repository, I logged into the server and attempted to run the git fetch command via Git Bash.
  • Gerrit prompted me for a username and password, but entering the credentials resulted in an "unauthorized user" fatal: Authentication failed error.
  • Previously, We are using LDAP and we are able to do the git clone with username and password

Given that we are using SAML SSO for authentication, how does the username and password authentication work in this context? Is there a way to enable SSO-based authentication for operations like git clone or git fetch?

AFAIK git doesn't support SAML authentication. 

Error log-  [2024-08-29T15:39:04.918Z] [HTTP-107] WARN  com.google.gerrit.httpd.ProjectBasicAuthFilter : Authentication from 127.0.0.1 failed for  te...@gmail.com: password does not match the one stored in Gerrit

I would appreciate your guidance on how to configure this or if there's an alternative approach to handle Git operations under SSO authentication.

Visit your user settings and generate a HTTP password at
https://gerrit.host/settings/#HTTPCredentials
This can be used for git commands and requests to the REST API using basic authentication.
Note that you need to prefix the resource path in the URL with /a,
see https://gerrit-review.googlesource.com/Documentation/rest-api.html#authentication
-Matthias



Best regards,
Rohan Tom

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/79582594-b9d0-4f6f-96d8-4f89dd31f91cn%40googlegroups.com.

Nasser Grainawi

unread,
Sep 5, 2024, 4:09:49 PM9/5/24
to Matthias Sohn, Rohan Tom, Repo and Gerrit Discussion
On Thu, Sep 5, 2024 at 6:33 AM Matthias Sohn <matthi...@gmail.com> wrote:
On Thu, Sep 5, 2024 at 12:49 PM Rohan Tom <rohan...@gmail.com> wrote:
Hi All,

I hope you're doing well. I'm currently working on integrating Okta SSO with Gerrit 3.8.6 and could use some guidance.  


We're now able to log in via Okta saml sso and land back on the homepage successfully.

However, I've encountered an issue. From what I understand, gerrit.config only supports one authentication method, which is currently set to SAML-based authentication. Here's the situation:

  • After logging in as the first user, that user became the admin as expected.
  • When setting up a new repository, I logged into the server and attempted to run the git fetch command via Git Bash.
  • Gerrit prompted me for a username and password, but entering the credentials resulted in an "unauthorized user" fatal: Authentication failed error.
  • Previously, We are using LDAP and we are able to do the git clone with username and password

Given that we are using SAML SSO for authentication, how does the username and password authentication work in this context? Is there a way to enable SSO-based authentication for operations like git clone or git fetch?

AFAIK git doesn't support SAML authentication. 

It doesn't work natively, however IIUC, you can use solutions like https://github.com/git-ecosystem/git-credential-manager to make it work, but I haven't tried that myself.
 
Reply all
Reply to author
Forward
0 new messages