# GitLab Omnibus (gitlab.rb) OmniAuth/SAML provider configuration.
# Enables SAML single sign-on, lets first-time SAML logins create a GitLab
# account, and links SAML identities to existing accounts.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml' # If you want to redirect users you can enable this
# NOTE(review): with this set to false, accounts auto-created at first SAML
# login are usable immediately rather than held for admin approval — confirm
# that every user the IdP can assert should get an active GitLab account.
gitlab_rails['omniauth_block_auto_created_users'] = false # Set to false if you want to create users who don't exist yet
# Links a SAML identity to an existing GitLab account (matching on email, as
# far as we can tell) instead of creating a duplicate account.
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "SAML Login",
    # Must match the attribute_statements key below (:member) so group
    # membership is read from the mapped SAML attribute.
    "groups_attribute" => "member",
    # Empty: no SAML group grants GitLab admin; admin rights stay manual.
    "admin_groups" => [],
    "args" => {
      # SP signing certificate and private key (used for the signatures
      # enabled under :security). The private key is a secret — load it from
      # a secrets store rather than committing it or pasting it into a page.
      certificate: '-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----',
      private_key: '-----BEGIN PRIVATE KEY-----
[REDACTED]
-----END PRIVATE KEY-----',
      security: {
        authn_requests_signed: true, # enable signature on AuthNRequest (signed with private_key above)
        want_assertions_signed: true, # reject assertions that do not carry a valid signature from idp_cert
        embed_sign: true, # embedded signature or HTTP GET parameter signature; NOTE(review): check whether the ruby-saml version in use still honours embed_sign
        metadata_signed: true, # enable signature on Metadata
        # SHA-256 for both signature and digest; presumably overrides the
        # library's weaker SHA-1 default — keep these set explicitly.
        signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
      },
      # Where the IdP POSTs the SAML response back; must be registered at the IdP.
      "assertion_consumer_service_url" => "https://gitlab.example.com/users/auth/saml/callback",
      # IdP signing certificate used to verify responses/assertions. Pinning
      # the full certificate (rather than a fingerprint) is the stricter choice.
      "idp_cert" => "-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----",
      "idp_sso_target_url" => "https://idp.example.com/idp/profile/SAML2/Redirect/SSO",
      "idp_slo_target_url" => "https://idp.example.com/idp/profile/SAML2/Redirect/SLO",
      # SP entity ID; must match what the IdP has registered for this SP.
      "issuer" => "gitlab.example.com",
      "attribute_service_name" => "GitLab",
      # Maps SAML attribute OIDs to the OmniAuth info keys GitLab reads.
      attribute_statements: {
                        first_name: ['urn:oid:2.5.4.42'], # givenName
                        last_name: ['urn:oid:2.5.4.4'], # sn
                        name: ['urn:oid:2.5.4.3'], # cn
                        nickname: ['urn:oid:1.2.840.113556.1.4.221'], # sAMAccountName
                        email: ['urn:oid:0.9.2342.19200300.100.1.3'], # mail
                        member: ['urn:oid:2.5.4.31'] }, # member — source for groups_attribute above
      # NameID is the IdP's uid; GitLab keys the SAML identity on this value,
      # so the IdP should not let it change or be reused across users.
      "name_identifier_format" => "urn:oasis:names:tc:SAML:1.1:nameid-format:uid"
    }
  }
]

