-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 4 | ||||
-rw-r--r-- | Gemfile.rails5.lock | 4 | ||||
-rw-r--r-- | doc/integration/shibboleth.md | 27 |
4 files changed, 25 insertions, 12 deletions
@@ -47,7 +47,7 @@ gem 'omniauth-google-oauth2', '~> 0.5.3'
 gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 1.10'
-gem 'omniauth-shibboleth', '~> 1.2.0'
+gem 'omniauth-shibboleth', '~> 1.3.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
diff --git a/Gemfile.lock b/Gemfile.lock
index d8fa52a0e55..79682559522 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -568,7 +568,7 @@ GEM
 omniauth-saml (1.10.0)
 omniauth (~> 1.3, >= 1.3.2)
 ruby-saml (~> 1.7)
- omniauth-shibboleth (1.2.1)
+ omniauth-shibboleth (1.3.0)
 omniauth (>= 1.0.0)
 omniauth-twitter (1.4.0)
 omniauth-oauth (~> 1.1)
@@ -1101,7 +1101,7 @@ DEPENDENCIES
 omniauth-kerberos (~> 0.3.0)
 omniauth-oauth2-generic (~> 0.2.2)
 omniauth-saml (~> 1.10)
- omniauth-shibboleth (~> 1.2.0)
+ omniauth-shibboleth (~> 1.3.0)
 omniauth-twitter (~> 1.4)
 omniauth_crowd (~> 2.2.0)
 org-ruby (~> 0.9.12)
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 75d9db5f29a..0d153a526e7 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -572,7 +572,7 @@ GEM
 omniauth-saml (1.10.0)
 omniauth (~> 1.3, >= 1.3.2)
 ruby-saml (~> 1.7)
- omniauth-shibboleth (1.2.1)
+ omniauth-shibboleth (1.3.0)
 omniauth (>= 1.0.0)
 omniauth-twitter (1.4.0)
 omniauth-oauth (~> 1.1)
@@ -1111,7 +1111,7 @@ DEPENDENCIES
 omniauth-kerberos (~> 0.3.0)
 omniauth-oauth2-generic (~> 0.2.2)
 omniauth-saml (~> 1.10)
- omniauth-shibboleth (~> 1.2.0)
+ omniauth-shibboleth (~> 1.3.0)
 omniauth-twitter (~> 1.4)
 omniauth_crowd (~> 2.2.0)
 org-ruby (~> 0.9.12)
diff --git a/doc/integration/shibboleth.md b/doc/integration/shibboleth.md
index 0e43b4a39a4..41fa63ae6f2 100644
--- a/doc/integration/shibboleth.md
+++ b/doc/integration/shibboleth.md
@@ -43,7 +43,19 @@ exclude shibboleth URLs from rewriting, add "RewriteCond %{REQUEST_URI} !/Shibbo RequestHeader set X_FORWARDED_PROTO 'https' ``` -1. Edit /etc/gitlab/gitlab.rb configuration file, your shibboleth attributes should be in form of "HTTP_ATTRIBUTE" and you should adjust them to your need and environment. Add any other configuration you need. +1. Edit /etc/gitlab/gitlab.rb configuration file to enable OmniAuth and add +Shibboleth as an OmniAuth provider. User attributes will be sent from the +Apache reverse proxy to GitLab as headers with the names from the Shibboleth +attribute mapping. Therefore the values of the `args` hash +should be in the form of `"HTTP_ATTRIBUTE"`. The keys in the hash are arguments +to the [OmniAuth::Strategies::Shibboleth class](https://github.com/toyokazu/omniauth-shibboleth/blob/master/lib/omniauth/strategies/shibboleth.rb) +and are documented by the [omniauth-shibboleth gem](https://github.com/toyokazu/omniauth-shibboleth) +(take care to note the version of the gem packaged with GitLab). If some of +your users appear to be authenticated by Shibboleth and Apache, but GitLab +rejects their account with a URI that contains "e-mail is invalid" then your +Shibboleth Identity Provider or Attribute Authority may be asserting multiple +e-mail addresses. In this instance, you might consider setting the +`multi_values` argument to `first`. File should look like this: ``` 
@@ -58,14 +70,15 @@ gitlab_rails['omniauth_block_auto_created_users'] = false gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_providers'] = [ { - "name" => 'shibboleth', - "args" => { - "shib_session_id_field" => "HTTP_SHIB_SESSION_ID", + "name" => "'shibboleth"', + "label" => "Text for Login Button", + "args" => { + "shib_session_id_field" => "HTTP_SHIB_SESSION_ID", "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID", - "uid_field" => 'HTTP_EPPN', - "name_field" => 'HTTP_CN', + "uid_field" => 'HTTP_EPPN', + "name_field" => 'HTTP_CN', "info_fields" => { "email" => 'HTTP_MAIL'} - } + } } ] |
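Review bot: The added line `"name" => "'shibboleth"',` in the gitlab.rb example has mismatched quotes and is not valid Ruby, so anyone who copies this block into /etc/gitlab/gitlab.rb will get a parse error instead of a working Shibboleth provider; the line it replaces, `"name" => 'shibboleth',`, was valid. It should read `"name" => "shibboleth",` to match the double-quoted style the rest of the rewritten hash now uses. Because this snippet is the one readers paste verbatim, it is worth checking the fenced example with `ruby -c` before merging.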