Diffstat (limited to 'doc/integration')
-rw-r--r-- doc/integration/omniauth.md 46
-rw-r--r-- doc/integration/shibboleth.md 78
2 files changed, 124 insertions, 0 deletions
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 1b0bf9c5f64..00adae58dfa 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -50,6 +50,13 @@ Before configuring individual OmniAuth providers there are a few global settings
# - { name: 'github', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { scope: 'user:email' } }
+ # - {"name": 'shibboleth',
+ # args: { shib_session_id_field: "HTTP_SHIB_SESSION_ID",
+ # shib_application_id_field: "HTTP_SHIB_APPLICATION_ID",
+ # uid_field: "HTTP_EPPN",
+ # name_field: "HTTP_CN",
+ # info_fields: {"email": "HTTP_MAIL" } } }
+
```
1. Change `enabled` to `true`.
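Review bot: The new sample entry does not match the style of the `github` entry directly above it: it quotes its keys (`{"name": 'shibboleth',` and `{"email": "HTTP_MAIL" }`) where the existing entry uses bare keys (`{ name: 'github', ...`), and it adds an empty line just before the closing fence. Please use the same key style as the neighbouring example and drop the trailing blank line. Since every field here (`HTTP_EPPN`, `HTTP_CN`, `HTTP_MAIL`) is a request header that is only meaningful behind the Apache setup described in shibboleth.md, a one-line comment pointing to that page would keep readers from copying the entry into an installation that has no such front end.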
@@ -69,6 +76,7 @@ Before configuring individual OmniAuth providers there are a few global settings
- [GitHub](github.md)
- [Google](google.md)
+- [Shibboleth](shibboleth.md)
- [Twitter](twitter.md)
## Enable OmniAuth for an Existing User
@@ -82,3 +90,41 @@ Existing users can enable OmniAuth for specific providers after the account is c
1. The user will be redirected to the provider. Once the user authorized GitLab they will be redirected back to GitLab.
The chosen OmniAuth provider is now active and can be used to sign in to GitLab from then on.
+
+## Using Custom Omniauth Providers
+
+GitLab uses [Omniauth](http://www.omniauth.org/) for authentication and already ships with a few providers preinstalled (e.g. LDAP, GitHub, Twitter). But sometimes that is not enough and you need to integrate with other authentication solutions. For these cases you can use the Omniauth provider.
+
+### Steps
+
+These steps are fairly general and you will need to figure out the exact details from the Omniauth provider's documentation.
+
+- Stop GitLab:
+
+ sudo service gitlab stop
+
+- Add the gem to your [Gemfile](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/Gemfile):
+
+ gem "omniauth-your-auth-provider"
+
+- If you're using MySQL, install the new Omniauth provider gem by running the following command:
+
+ sudo -u git -H bundle install --without development test postgres --path vendor/bundle --no-deployment
+
+- If you're using PostgreSQL, install the new Omniauth provider gem by running the following command:
+
+ sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
+
+ > These are the same commands you used in the [Install Gems section](#install-gems) with `--path vendor/bundle --no-deployment` instead of `--deployment`.
+
+- Start GitLab:
+
+ sudo service gitlab start
+
+### Examples
+
+If you have successfully set up a provider that is not shipped with GitLab itself, please let us know.
+
+You can help others by reporting successful configurations and probably share a few insights or provide warnings for common errors or pitfalls by sharing your experience [in the public Wiki](https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations).
+
+While we can't officially support every possible authentication mechanism out there, we'd like to at least help those with specific needs.
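Review bot: The steps under "### Steps" go from `bundle install` straight to "Start GitLab" and never tell the reader to add the new provider to the OmniAuth providers list, so following them as written installs a gem that GitLab does not use. Add that step before the restart, with a pointer to the provider list shown earlier in this file. The Gemfile line `gem "omniauth-your-auth-provider"` is unpinned; for a gem that sits in the sign-in path, the example should show a version constraint, and because `--no-deployment` lets Bundler rewrite Gemfile.lock, the note should say so and recommend reviewing the resulting lock file changes. The link `[Install Gems section](#install-gems)` is an in-page anchor, but the text reads as if it refers to the installation guide; please check that it resolves from omniauth.md. Wording: "For these cases you can use the Omniauth provider" does not say which provider is meant, and "probably share a few insights" likely intends "possibly".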
diff --git a/doc/integration/shibboleth.md b/doc/integration/shibboleth.md
new file mode 100644
index 00000000000..78317a5c0f2
--- /dev/null
+++ b/doc/integration/shibboleth.md
@@ -0,0 +1,78 @@
+# Shibboleth OmniAuth Provider
+
+This documentation is for enabling shibboleth with gitlab-omnibus package.
+
+In order to enable Shibboleth support in gitlab we need to use Apache instead of Nginx (It may be possible to use Nginx, however I did not found way to easily configure nginx that is bundled in gitlab-omnibus package). Apache uses mod_shib2 module for shibboleth authentication and can pass attributes as headers to omniauth-shibboleth provider.
+
+
+To enable the Shibboleth OmniAuth provider you must:
+
+1. Configure Apache shibboleth module. Installation and configuration of module it self is out of scope of this document.
+Check https://wiki.shibboleth.net/ for more info.
+
+1. You can find Apache config in gitlab-reciepes (https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl.conf)
+
+Following changes are needed to enable shibboleth:
+
+protect omniauth-shibboleth callback url:
+```
+ <Location /users/auth/shibboleth/callback>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibUseHeaders On
+ require valid-user
+ </Location>
+
+ Alias /shibboleth-sp /usr/share/shibboleth
+ <Location /shibboleth-sp>
+ Satisfy any
+ </Location>
+
+ <Location /Shibboleth.sso>
+ SetHandler shib
+ </Location>
+```
+exclude shibboleth urls from rewriting, add "RewriteCond %{REQUEST_URI} !/Shibboleth.sso" and "RewriteCond %{REQUEST_URI} !/shibboleth-sp", config should look like this:
+```
+ #apache equivalent of nginx try files
+ RewriteEngine on
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_URI} !/Shibboleth.sso
+ RewriteCond %{REQUEST_URI} !/shibboleth-sp
+ RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
+ RequestHeader set X_FORWARDED_PROTO 'https'
+```
+
+1. Edit /etc/gitlab/gitlab.rb configuration file, your shibboleth attributes should be in form of "HTTP_ATTRIBUTE" and you should addjust them to your need and environment. Add any other configuration you need.
+
+File it should look like this:
+```
+external_url 'https://gitlab.example.com'
+gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'
+
+# disable nginx
+nginx['enable'] = false
+
+gitlab_rails['omniauth_allow_single_sign_on'] = true
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_providers'] = [
+ {
+ "name" => 'shibboleth',
+ "args" => {
+ "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
+ "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
+ "uid_field" => 'HTTP_EPPN',
+ "name_field" => 'HTTP_CN',
+ "info_fields" => { "email" => 'HTTP_MAIL'}
+ }
+ }
+]
+
+```
+1. Save changes and reconfigure gitlab:
+```
+sudo gitlab-ctl reconfigure
+```
+
+On the sign in page there should now be a "Sign in with: Shibboleth" icon below the regular sign in form. Click the icon to begin the authentication process. You will be redirected to IdP server (Depends on your Shibboleth module configuration). If everything goes well the user will be returned to GitLab and will be signed in.
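Review bot: The page never states the trust assumption this setup depends on: with `ShibUseHeaders On` and `"uid_field" => 'HTTP_EPPN'`, GitLab takes the user's identity from request headers, while the rewrite rule forwards everything to `http://127.0.0.1:8080`. Please add a sentence that the GitLab listener must accept connections only from this Apache instance and that the attribute headers are to be trusted only on the protected callback location, so an operator who later changes the bind address or adds another proxy knows what they are giving up. In the gitlab.rb sample, `omniauth_allow_single_sign_on = true` together with `omniauth_block_auto_created_users = false` means every account the IdP authenticates is created and active immediately; the text should say this and mention setting the second option to `true` when the IdP serves more people than should have GitLab access. Formatting and wording: the code fences and the "Following changes are needed" paragraphs are not indented under their list items, so the `1.` numbering restarts and the Apache changes are not visibly part of step 2; "gitlab-reciepes", "addjust", "it self", "did not found" and "File it should look like this" need fixing; the first-person aside about Nginx should be rephrased in the neutral voice used by the rest of the docs; and the bare URLs should be Markdown links like those in omniauth.md.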