- Keycloak server should be up and running
- By default Keycloak will start on http://localhost:8180
- To install and configure Keycloak visit [https://www.keycloak.org/docs/latest/getting_started/index.html]
- Gitlab must be installed locally
- By default Gitlab starts on http://localhost:3000
- To install and configure Gitlab visit [https://docs.gitlab.com/omnibus/manual_install.html]
- Gitlab Installed package - gitlab-ce_11.1.4-ce.0_amd64.deb (Omnibus package)
- Keycloak version - Version 4.2.1.Final
GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) to authenticate users.
For this SSO implementation the GitLab Omnibus package is used, but the source package can be used as well; the configuration for the source package is described at https://docs.gitlab.com/ee/integration/saml.html .
- After installing Gitlab go to `/etc/gitlab/`

  ```sh
  cd /etc/gitlab/
  ```

- Then open the configuration file in an editor and do not close the editor till the end of the configuration

  ```sh
  sudo vi gitlab.rb
  ```

- Change the value of `external_url` on line 13 to the address which Gitlab starts on. The default should be `external_url 'http://localhost:3000'`
- Now create a client in Keycloak by logging in to the Keycloak admin console, which can be found on http://localhost:8180 by default. First,
  - Create a realm.
  - Inside the realm console create a client and give the client id as http://localhost:3000, which is the Gitlab host address.
  - Client protocol should be `saml`.
  - Leave client end-point as blank and save it.
- Now create the mappers for the authentication. Mappers, as the name may suggest, allow you to map user information to attributes in the SAML 2.0 response sent to GitLab. An example would be to map the Username into the response for GitLab.
  - Click on the client id in the client list.
  - Go to the `Mappers` tab in the Client console and click create.
  - Then create the mappers as below.
    - Name: username
      - Mapper Type: User Property
      - Property: Username
      - Friendly Name: Username
      - SAML Attribute Name: username
      - SAML Attribute NameFormat: Basic
    - Name: email
      - Mapper Type: User Property
      - Property: Email
      - Friendly Name: Email
      - SAML Attribute Name: email
      - SAML Attribute NameFormat: Basic
    - Name: first_name
      - Mapper Type: User Property
      - Property: FirstName
      - Friendly Name: First Name
      - SAML Attribute Name: first_name
      - SAML Attribute NameFormat: Basic
    - Name: last_name
      - Mapper Type: User Property
      - Property: LastName
      - Friendly Name: Last Name
      - SAML Attribute Name: name
      - SAML Attribute NameFormat: Basic
- Now get the `dsig:X509Certificate` for the created client. To get the certificate,
  - Go to the `Installation` tab in the Client console.
  - Choose the format `SAML Metadata IDPSSODescriptor` and the xml file will appear with a download button.
  - Inside the xml find the tag `<dsig:X509Certificate>` and extract the content inside the tags. This certificate is used in the Gitlab config file.
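Copying the certificate body out of the metadata by hand is error-prone (a truncated paste makes every SAML response fail signature verification). The following Python script is an added example, not part of this README or of Keycloak/GitLab: it parses a constructed metadata sample in the `IDPSSODescriptor` shape, keeps only the signing keys, checks that each body decodes as base64, reads the SSO endpoint for `idp_sso_target_url`, and renders the certificate as the `idp_cert` Ruby literal with the `\n` escapes gitlab.rb expects. The function names, the sample XML and the certificate bodies (base64 of short byte strings) are all constructed for the example.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for certificate bodies (base64 of short byte strings);
# neither is a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample, not a real certificate").decode()
SAMPLE_ENC_B64 = base64.b64encode(b"constructed encryption key placeholder").decode()

# Constructed sample in the shape of Keycloak's "SAML Metadata IDPSSODescriptor" export.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8180/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>
          {SAMPLE_CERT_B64}
        </dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>{SAMPLE_ENC_B64}</dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8180/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8180/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text):
    """Return the entityID, the signing certificate(s) and the SSO endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption;
        # encryption-only keys must not end up in idp_cert.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//dsig:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # the export wraps the body in whitespace
            base64.b64decode(b64, validate=True)      # fail early on a truncated or mangled body
            certs.append(b64)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_urls": sso}


def to_pem(cert_b64):
    """Wrap a base64 body into the PEM form that omniauth-saml's idp_cert reads."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def to_ruby_string(pem):
    """Render the PEM as a double-quoted Ruby literal with \\n escapes for gitlab.rb."""
    return '"' + pem.replace("\n", "\\n") + '"'


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    if len(info["signing_certs"]) != 1:
        print(f"note: {len(info['signing_certs'])} signing keys listed; check which one is active")
    print("idp_sso_target_url:", info["sso_urls"][HTTP_REDIRECT])
    print("idp_cert:", to_ruby_string(to_pem(info["signing_certs"][0])))
```

Run it against the downloaded file with `parse_idp_metadata(open("metadata.xml").read())`. A realm whose keys have been rotated lists more than one signing `KeyDescriptor`; in that case confirm in the realm's key settings which one is active before pasting it into `idp_cert`, because GitLab will reject responses signed with any other key.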
- Again in the Gitlab configuration file opened in the editor, copy the below snippet to the config file. There in `idp_cert` replace only the `X509Certificate` placeholder with the certificate copied in the previous step (keep the `\n` escapes on either side of it). `assertion_consumer_service_url` should be your Gitlab host url followed by the callback path (http://gitlab.host.url/users/auth/saml/callback). `idp_sso_target_url` should be your Keycloak host url, with realmName replaced by the realm you created in the previous steps (http://keycloak.host.url/auth/realms/realmName/protocol/saml). `issuer` and the Keycloak client Id must be identical.

  ```ruby
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_auto_link_saml_user'] = true
  gitlab_rails['omniauth_providers'] = [
    {
      name: 'saml',
      label: 'Company Login', # label is the value of the button. Change it as you desire.
      args: {
        assertion_consumer_service_url: 'http://localhost:3000/users/auth/saml/callback',
        idp_cert: "-----BEGIN CERTIFICATE-----\nX509Certificate\n-----END CERTIFICATE-----\n",
        idp_sso_target_url: 'http://localhost:8180/auth/realms/demo/protocol/saml',
        issuer: 'http://localhost:3000',
        name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        attribute_statements: { username: ['username'] }
      }
    }
  ]
  ```
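Most failed first logins come from one of these values disagreeing with another (issuer not matching the client id, the placeholder left in `idp_cert`, a realm name mistyped in the SSO URL). The following Python script is an added example and not GitLab's or Keycloak's code: it mirrors the provider hash above as a dict and checks the relationships this setup relies on, then reports the account-handling flags at the top of the snippet that widen exposure. The constants (`EXTERNAL_URL`, `KEYCLOAK_URL`, `REALM`, `KEYCLOAK_CLIENT_ID`, `MAPPED_SAML_ATTRIBUTES`), the function names and the certificate body (base64 of a short byte string) are assumptions made for the example.

```python
import base64
import re

# Example values of this setup (assumed constants for the example).
EXTERNAL_URL = "http://localhost:3000"        # gitlab.rb external_url
KEYCLOAK_URL = "http://localhost:8180"
REALM = "demo"
KEYCLOAK_CLIENT_ID = "http://localhost:3000"  # client id created inside the realm
# SAML attribute names emitted by the mappers created above.
MAPPED_SAML_ATTRIBUTES = {"username", "email", "first_name", "name"}

# Constructed placeholder body (base64 of a short byte string), not a real certificate.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Python mirror of the omniauth_providers entry from gitlab.rb.
PROVIDER = {
    "name": "saml",
    "label": "Company Login",
    "args": {
        "assertion_consumer_service_url": f"{EXTERNAL_URL}/users/auth/saml/callback",
        "idp_cert": f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n",
        "idp_sso_target_url": f"{KEYCLOAK_URL}/auth/realms/{REALM}/protocol/saml",
        "issuer": EXTERNAL_URL,
        "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "attribute_statements": {"username": ["username"]},
    },
}
# The account-handling flags set at the top of the snippet.
GITLAB_RAILS = {
    "omniauth_block_auto_created_users": False,
    "omniauth_auto_link_saml_user": True,
}

NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----\n\Z", re.S)


def check_provider(provider, external_url=EXTERNAL_URL, keycloak_url=KEYCLOAK_URL,
                   realm=REALM, client_id=KEYCLOAK_CLIENT_ID, mapped=MAPPED_SAML_ATTRIBUTES):
    """Return the list of errors that would make the SAML login fail or misbehave."""
    errors = []
    args = provider["args"]
    if args["assertion_consumer_service_url"] != external_url.rstrip("/") + "/users/auth/saml/callback":
        errors.append("assertion_consumer_service_url must be external_url + /users/auth/saml/callback")
    if args["issuer"] != client_id:
        errors.append("issuer must be identical to the Keycloak client id")
    if args["idp_sso_target_url"] != f"{keycloak_url.rstrip('/')}/auth/realms/{realm}/protocol/saml":
        errors.append("idp_sso_target_url does not point at the realm's /protocol/saml endpoint")
    cert = args["idp_cert"]
    match = PEM_RE.match(cert)
    if "X509Certificate" in cert:
        errors.append("idp_cert still contains the X509Certificate placeholder")
    elif match is None:
        errors.append("idp_cert is not a PEM block with \\n line breaks around the body")
    else:
        try:
            base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            errors.append("idp_cert body is not valid base64 (truncated copy-paste?)")
    if args["name_identifier_format"] not in NAMEID_FORMATS:
        errors.append("unknown name_identifier_format")
    for field, saml_names in args["attribute_statements"].items():
        missing = [n for n in saml_names if n not in mapped]
        if missing:
            errors.append(f"attribute_statements[{field}] uses SAML attributes no mapper emits: {missing}")
    return errors


def review_settings(rails, external_url=EXTERNAL_URL, keycloak_url=KEYCLOAK_URL):
    """Return warnings: settings that work but widen exposure and deserve a conscious decision."""
    warnings = []
    if rails.get("omniauth_auto_link_saml_user"):
        warnings.append("auto-link: a SAML identity is attached to any existing account with the same "
                        "email, so the IdP must be the only party able to assert those addresses")
    if rails.get("omniauth_block_auto_created_users") is False:
        warnings.append("auto-created users are active immediately with no admin approval")
    if external_url.startswith("http://") or keycloak_url.startswith("http://"):
        warnings.append("plain http: SAML responses and session cookies travel unencrypted; "
                        "fine for localhost testing only")
    return warnings


if __name__ == "__main__":
    for problem in check_provider(PROVIDER):
        print("ERROR:", problem)
    for note in review_settings(GITLAB_RAILS):
        print("WARN:", note)
```

With the values of this setup the checker reports no errors and three warnings; the warnings are expected for a local test but are the settings to revisit before putting the integration in front of real users.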
- Save the `gitlab.rb` file and close it.
- Reconfigure/Restart the Gitlab

  ```sh
  sudo gitlab-ctl reconfigure
  ```

- Go to http://localhost:3000 and under the Sign in button there will be another login named `Company Login`. That is the configured SAML SSO button; once clicked it redirects the user to the Keycloak authentication page, and once the user provides the credentials and logs in, the user will be redirected to Gitlab as a registered user.

NOTE: The given gitlab.rb file is the configuration used in this setup and is only an example. Refer to it while going through the README to get a better understanding.