From 5cbf70aa475347e96d664b487760beeeac63d0d1 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 24 Apr 2016 20:10:01 +0530 Subject: [PATCH] SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. --- Changelog.md | 1 + README.md | 6 +++--- assets/runtime/config/gitlabhq/gitlab.yml | 2 +- assets/runtime/env-defaults | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Changelog.md b/Changelog.md index e30f8a72..3f6f1256 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,7 @@ This file only reflects the changes that are made in this image. Please refer to **latest** - gitlab-shell: upgrade to v.2.7.2 - gitlab: upgrade to CE v8.7.0 +- SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. **8.6.7** - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups diff --git a/README.md b/README.md index da5cdefe..6a18318e 100644 --- a/README.md +++ b/README.md @@ -661,7 +661,7 @@ Once you have the client ID and secret keys generated, configure them using the For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth. -You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. This is particularly useful when combined with `--env 'OAUTH_ALLOW_SSO=true'` and `--env 'OAUTH_BLOCK_AUTO_CREATED_USERS=false'`. +You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. #### Facebook 
@@ -883,8 +883,8 @@ Below is the complete list of available options that can be used to customize yo - **LDAP_BASE**: Base where we can search for users. No default. - **LDAP_USER_FILTER**: Filter LDAP users. No default. - **OAUTH_ENABLED**: Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. -- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `google_oauth2`, `twitter`, `github`, `gitlab`, `bitbucket` and `saml`. No default. -- **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`. +- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. +- **OAUTH_ALLOW_SSO**: Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`. - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. - **OAUTH_AUTO_LINK_SAML_USER**: Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. 
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 3af5ca82..06f1a9b1 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -313,7 +313,7 @@ production: &base # This allows users to login without having a user account first. Define the allowed providers # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. - allow_single_sign_on: {{OAUTH_ALLOW_SSO}} + allow_single_sign_on: [{{OAUTH_ALLOW_SSO}}] # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}} diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 1057f180..96a4edeb 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -213,7 +213,7 @@ GITLAB_GRAVATAR_HTTPS_URL=${GITLAB_GRAVATAR_HTTPS_URL:-} ## OAUTH OAUTH_ENABLED=${OAUTH_ENABLED:-} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-} -OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-false} +OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-} OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true} OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false} OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
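Review bot: the Changelog entry for `OAUTH_ALLOW_SSO` should be flagged as a breaking change, because the value `true` that worked before this patch is no longer meaningful: the gitlab.yml hunk now renders it as `allow_single_sign_on: [true]`, a one-element list whose element is a boolean rather than a provider name, so existing deployments that set `OAUTH_ALLOW_SSO=true` will stop auto-creating accounts without any error. Suggest wording such as `- SSO: **breaking** OAUTH_ALLOW_SSO now takes a comma separated list of providers; replace true with the provider names you want, e.g. google_oauth2,saml`.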
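Review bot: the sentence removed in the README `@@ -661` hunk was the only place the README tied `OAUTH_GOOGLE_RESTRICT_DOMAIN` to single sign-on, and that pairing is the security-relevant one: with SSO enabled for `google_oauth2` and `OAUTH_BLOCK_AUTO_CREATED_USERS=false`, any Google account can self-provision a GitLab user unless the domain restriction is in place. Rather than dropping it, rewrite it for the new syntax, e.g. `This is particularly useful when combined with --env 'OAUTH_ALLOW_SSO=google_oauth2' and --env 'OAUTH_BLOCK_AUTO_CREATED_USERS=false'`.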
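Review bot: the new `OAUTH_ALLOW_SSO` entry in the README `@@ -883` hunk says "No default" but does not say what an unset value means; since the template wraps the value in brackets, unset renders as an empty list and single sign-on is disabled for every provider, which the reader should be told (e.g. "Defaults to none, i.e. single sign-on is disabled"). Also add a concrete example of the new format (`OAUTH_ALLOW_SSO=google_oauth2,saml`) and write `oauth` as `OAuth` to match the `OAUTH_ENABLED` entry above it.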
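Review bot: the comment block above `allow_single_sign_on` in the gitlab.yml hunk still says the value may be given "as true/false to allow all providers or none", but after this change the template always emits a flow sequence, so `true`/`false` are no longer valid inputs; update the comment to match, e.g. "Define the allowed providers as a comma separated list via OAUTH_ALLOW_SSO; leave it empty to disable single sign-on". Note also that the value is interpolated unvalidated: a misspelled provider name becomes a list element that matches nothing, which silently disables SSO for that provider instead of failing at startup.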
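Review bot: changing the env-defaults value from `false` to empty is required by the bracket wrapping in gitlab.yml (otherwise the default would render as `[false]`), but the upgrade path still deserves a guard: a short check at container start that exits with a clear message when `OAUTH_ALLOW_SSO` is literally `true` or `false` would turn the silent behaviour change for existing users into an actionable error.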