GitLab SSO with SAML


This topic describes how to configure single sign-on (SSO) for GitLab in IDaaS using the SAML protocol.

Background

GitLab is an open-source repository management system that uses Git for code management and provides a web-based interface for it.

Note

GitLab supports multiple SSO protocols. This topic describes how to integrate GitLab by using SAML. For more information, see the official GitLab SAML documentation.

Procedure

Step 1: Configure the IDaaS application

As an administrator, navigate to Applications > Marketplace and search for the GitLab SAML application. After confirming the application name, add it.

After you create the application, you are automatically redirected to the SSO configuration page.

Configure SSO

Enter your GitLab service address. Make sure the address does not end with a forward slash (/).

Leave the other options at their default values and click Save.

Note

Application account: By default, the IDaaS username is used as the application login identifier. GitLab supports just-in-time (JIT) provisioning, which automatically creates a GitLab account for a user during their first SSO login if one does not already exist. For more flexible options, see the general SSO configuration instructions for application accounts.

Authorization scope: By default, the application is available to all users. To specify which IDaaS accounts can access the application, see the general SSO configuration instructions for application accounts.

The parameters required to configure GitLab are listed below the main configuration section. After saving the SSO configuration, go to the Application configuration information page to obtain the following parameters: IdP Metadata URL (you can copy the URL or download the file), IdP Entity ID, IdP Sign-in URL, SLO URL (currently unsupported), and Certificate (you can copy the certificate content or download the .cer file).

Step 2: Configure GitLab

Edit the GitLab configuration file in your deployment environment, as described in the official GitLab documentation.

# For Omnibus GitLab installations, use this command:
sudo editor /etc/gitlab/gitlab.rb

# For installations from source, use these commands:
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml

The following parameters are for an Omnibus installation. For source installations, the parameters are the same, but the format is different. For details, see the official GitLab documentation.

# Enable OmniAuth and allow SAML to create GitLab accounts on first login (JIT provisioning).
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# Do not block auto-created users; otherwise an administrator must approve each new SSO user.
gitlab_rails['omniauth_block_auto_created_users'] = false
# Link an existing GitLab user to the SAML identity when the e-mail address matches.
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      name: 'saml',
      # ACS URL: the GitLab service address followed by /users/auth/saml/callback
      assertion_consumer_service_url: 'http://gitlab.example.com/users/auth/saml/callback',
      # SP entity ID: the GitLab service address followed by /users/auth/saml
      issuer: 'http://gitlab.example.com/users/auth/saml',
      # SHA1 fingerprint of the IdP certificate downloaded from IDaaS (colon-separated)
      idp_cert_fingerprint: '23:f8:77:03:fc:69:4c:da:ac:7e:4a:42:5a:87:5a:b3:ad:a8:d9:df',
      # IdP Sign-in URL obtained from the IDaaS application configuration page
      idp_sso_target_url: 'https://example.aliyunidaas.com/login/app/app_mivpoqqmz7zrslxcmlyxa25me4/saml2/sso',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      # Map the SAML "username" attribute to the GitLab nickname
      attribute_statements: {
        nickname: ['username'],
      },
    },
    # Text shown on the login button of the GitLab sign-in page
    label: 'EIAM2.0'
  }
]

You must modify the following parameters:

Parameter: args.assertion_consumer_service_url
Description: The assertion consumer service (ACS) URL for GitLab. This is typically the GitLab service address followed by /users/auth/saml/callback.
Example: http://gitlab.example.com/users/auth/saml/c****ack

Parameter: args.issuer
Description: The issuer for GitLab. This is typically the GitLab service address followed by /users/auth/saml.
Example: http://gitlab.****ple.com/users/auth/saml

Parameter: args.idp_sso_target_url
Description: The IdP Sign-in URL, obtained from IDaaS.
Example: https://example.aliyunidaas.com/login/app/app_mi****qmz7zrslxcmlyxa25me4/saml2/sso

Parameter: args.idp_cert_fingerprint
Description: The SHA1 fingerprint of the IdP's public key certificate. To obtain this value, download the certificate from IDaaS and inspect its properties. If the fingerprint is missing colons (:), you must add them manually.
Example: 23:f8:77:03:fc:69:4c:da:ac:7e:4a:42:5a:87:5a:b3:ad:a8:d****
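The idp_cert_fingerprint value above is the one most often entered wrongly (wrong hash algorithm, a fingerprint copied from a viewer without colons, or a hash of the PEM text instead of the DER bytes). The following Ruby script is an added example, not part of the IDaaS or GitLab documentation: it derives the fingerprint from the certificate downloaded from IDaaS and prints the matching gitlab.rb line. The PEM sample it embeds is constructed (its body is base64 of the bytes "abc", not a real certificate) so the result can be checked by hand.

```ruby
require 'base64'
require 'digest'

# Extract the DER bytes from a PEM-encoded certificate (the .cer download from
# IDaaS is typically PEM: a base64 body between BEGIN/END markers).
# Input that is already raw DER is returned unchanged.
def certificate_der(data)
  return data unless data.include?('-----BEGIN CERTIFICATE-----')

  body = data[/-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m, 1]
  raise ArgumentError, 'PEM block is missing its END marker' if body.nil?

  Base64.decode64(body.gsub(/\s+/, ''))
end

# SHA-1 over the DER bytes, formatted the way the GitLab configuration above
# shows it: lowercase hex pairs joined with colons.
def idp_cert_fingerprint(data)
  Digest::SHA1.hexdigest(certificate_der(data)).scan(/../).join(':')
end

# Normalise a fingerprint copied from a certificate viewer: strips spaces and
# case differences, inserts the missing colons, and rejects anything that is
# not exactly 20 bytes of hex (a SHA-256 fingerprint, for example).
def normalize_fingerprint(text)
  hex = text.downcase.gsub(/[\s:]/, '')
  raise ArgumentError, "not a SHA-1 fingerprint: #{text.inspect}" unless hex.match?(/\A\h{40}\z/)

  hex.scan(/../).join(':')
end

# The line to paste into the args block of gitlab_rails['omniauth_providers'].
def gitlab_rb_line(data)
  "      idp_cert_fingerprint: '#{idp_cert_fingerprint(data)}',"
end

# Constructed stand-in for the downloaded .cer file (base64 of "abc", not a real
# certificate); replace with File.read('idaas.cer') in practice.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __FILE__ == $PROGRAM_NAME
  puts gitlab_rb_line(SAMPLE_PEM)
  # A viewer-style fingerprint without colons, as warned about above
  puts normalize_fingerprint('23F87703FC694CDAAC7E4A425A875AB3ADA8D9DF')
end
```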

After completing the configuration, restart GitLab with the appropriate command.

# For Omnibus GitLab installations, reload the configuration and restart the service:
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

# For installations from source:
# On systems that use systemd
sudo systemctl restart gitlab.target

# On systems that use SysV init
sudo service gitlab restart

After the restart, a login option for Alibaba Cloud IDaaS should appear on the GitLab login page.

The configuration is complete.

Step 3: Test the SSO

You can now test the GitLab SSO integration.

This SAML-based integration supports both IdP-initiated SSO (from Alibaba Cloud IDaaS) and SP-initiated SSO (from GitLab).

IdP-initiated SSO

Log on to the IDaaS portal with an IDaaS account authorized for GitLab, and click the GitLab icon to initiate SSO.

After configuration, the GitLab application card appears on the My Applications page in the IDaaS portal. If the card shows a message like "Application account not configured", you must first configure an application account for the current user to initiate IdP-initiated SSO.

SP-initiated SSO

In a private browser window, open the GitLab login page and click the Alibaba Cloud IDaaS button. You are then redirected to the IDaaS login page.

After IDaaS verifies your identity, you are logged in to GitLab.