Update OmniAuth Shibboleth gem to latest to gain support

for handling multi-valued SAML assertions. Add documentation of label argument for omniauth provider to override text in login button.
author: Tom Downes <thomas.downes@ligo.org> 2018-07-03 21:38:31 -0500
committer: Tom Downes <thomas.downes@ligo.org> 2018-07-04 20:39:30 -0500
commit: 78981fe035c4876cc3e298a74ce87f755a50b67d (patch)
tree: 53b77803f10c6d38ad5d3e6e63f71f645bdff01b
parent: 116955c4533497e68abbddbace2eae0a07c98569 (diff)
download: gitlab-ce-78981fe035c4876cc3e298a74ce87f755a50b67d.tar.gz
4 files changed, 25 insertions, 12 deletions
diff --git a/Gemfile b/Gemfile
index 993c3c4b3e7..052d0d7e0d4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -47,7 +47,7 @@ gem 'omniauth-google-oauth2', '~> 0.5.3'
 gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 1.10'
-gem 'omniauth-shibboleth', '~> 1.2.0'
+gem 'omniauth-shibboleth', '~> 1.3.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
diff --git a/Gemfile.lock b/Gemfile.lock
index d8fa52a0e55..79682559522 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -568,7 +568,7 @@ GEM
     omniauth-saml (1.10.0)
       omniauth (~> 1.3, >= 1.3.2)
       ruby-saml (~> 1.7)
-    omniauth-shibboleth (1.2.1)
+    omniauth-shibboleth (1.3.0)
       omniauth (>= 1.0.0)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
@@ -1101,7 +1101,7 @@ DEPENDENCIES
   omniauth-kerberos (~> 0.3.0)
   omniauth-oauth2-generic (~> 0.2.2)
   omniauth-saml (~> 1.10)
-  omniauth-shibboleth (~> 1.2.0)
+  omniauth-shibboleth (~> 1.3.0)
   omniauth-twitter (~> 1.4)
   omniauth_crowd (~> 2.2.0)
   org-ruby (~> 0.9.12)
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 75d9db5f29a..0d153a526e7 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -572,7 +572,7 @@ GEM
     omniauth-saml (1.10.0)
       omniauth (~> 1.3, >= 1.3.2)
       ruby-saml (~> 1.7)
-    omniauth-shibboleth (1.2.1)
+    omniauth-shibboleth (1.3.0)
       omniauth (>= 1.0.0)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
@@ -1111,7 +1111,7 @@ DEPENDENCIES
   omniauth-kerberos (~> 0.3.0)
   omniauth-oauth2-generic (~> 0.2.2)
   omniauth-saml (~> 1.10)
-  omniauth-shibboleth (~> 1.2.0)
+  omniauth-shibboleth (~> 1.3.0)
   omniauth-twitter (~> 1.4)
   omniauth_crowd (~> 2.2.0)
   org-ruby (~> 0.9.12)
diff --git a/doc/integration/shibboleth.md b/doc/integration/shibboleth.md
index 0e43b4a39a4..41fa63ae6f2 100644
--- a/doc/integration/shibboleth.md
+++ b/doc/integration/shibboleth.md
@@ -43,7 +43,19 @@ exclude shibboleth URLs from rewriting, add "RewriteCond %{REQUEST_URI} !/Shibbo
   RequestHeader set X_FORWARDED_PROTO 'https'
 ```
 
-1.  Edit /etc/gitlab/gitlab.rb configuration file, your shibboleth attributes should be in form of "HTTP_ATTRIBUTE" and you should adjust them to your need and environment. Add any other configuration you need.
+1. Edit /etc/gitlab/gitlab.rb configuration file to enable OmniAuth and add
+Shibboleth as an OmniAuth provider. User attributes will be sent from the
+Apache reverse proxy to GitLab as headers with the names from the Shibboleth
+attribute mapping. Therefore the values of the `args` hash
+should be in the form of `"HTTP_ATTRIBUTE"`. The keys in the hash are arguments
+to the [OmniAuth::Strategies::Shibboleth class](https://github.com/toyokazu/omniauth-shibboleth/blob/master/lib/omniauth/strategies/shibboleth.rb)
+and are documented by the [omniauth-shibboleth gem](https://github.com/toyokazu/omniauth-shibboleth)
+(take care to note the version of the gem packaged with GitLab). If some of
+your users appear to be authenticated by Shibboleth and Apache, but GitLab
+rejects their account with a URI that contains "e-mail is invalid" then your
+Shibboleth Identity Provider or Attribute Authority may be asserting multiple
+e-mail addresses. In this instance, you might consider setting the
+`multi_values` argument to `first`.
 
 File should look like this:
 ```
@@ -58,14 +70,15 @@ gitlab_rails['omniauth_block_auto_created_users'] = false
 gitlab_rails['omniauth_enabled'] = true
 gitlab_rails['omniauth_providers'] = [
   {
-    "name" => 'shibboleth',
-        "args" => {
-        "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
+    "name"  => "'shibboleth"',
+    "label" => "Text for Login Button",
+    "args"  => {
+        "shib_session_id_field"     => "HTTP_SHIB_SESSION_ID",
         "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
-        "uid_field" => 'HTTP_EPPN',
-        "name_field" => 'HTTP_CN',
+        "uid_field"                 => 'HTTP_EPPN',
+        "name_field"                => 'HTTP_CN',
         "info_fields" => { "email" => 'HTTP_MAIL'}
-        }
+    }
   }
 ]
author	Tom Downes <thomas.downes@ligo.org>	2018-07-03 21:38:31 -0500
committer	Tom Downes <thomas.downes@ligo.org>	2018-07-04 20:39:30 -0500
commit	78981fe035c4876cc3e298a74ce87f755a50b67d (patch)
tree	53b77803f10c6d38ad5d3e6e63f71f645bdff01b
parent	116955c4533497e68abbddbace2eae0a07c98569 (diff)
download	gitlab-ce-78981fe035c4876cc3e298a74ce87f755a50b67d.tar.gz