diff --git a/README.md b/README.md
index 10b6e9af..7076bfc8 100644
--- a/README.md
+++ b/README.md
@@ -916,6 +916,12 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_SAML_ISSUER**: The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`.
 - **OAUTH_SAML_LABEL**: The "Sign in with" button label. Defaults to "Our SAML Provider".
 - **OAUTH_SAML_NAME_IDENTIFIER_FORMAT**: Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
+- **OAUTH_SAML_GROUPS_ATTRIBUTE**: Map groups attribute in a SAMLResponse to external groups. No defaults.
+- **OAUTH_SAML_EXTERNAL_GROUPS**: List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL**: Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME**: Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME**: Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
+- **OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME**: Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [Gitlab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
 - **OAUTH_CROWD_SERVER_URL**: Crowd server url. No defaults.
 - **OAUTH_CROWD_APP_NAME**: Crowd server application name. No defaults.
 - **OAUTH_CROWD_APP_PASSWORD**: Crowd server application password. No defaults.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 04959783..01200317 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -373,13 +373,18 @@ production: &base
 app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }
 - { name: 'saml',
 label: '{{OAUTH_SAML_LABEL}}',
- groups_attribute: 'Groups',
- external_groups: ['Contractors', 'Freelancers'],
+ groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}',
+ external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}],
 args: {
 assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
 idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
 idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
 issuer: '{{OAUTH_SAML_ISSUER}}',
+ attribute_statements: {
+ first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],
+ last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],
+ name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],
+ email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] },
 name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }
 - { name: 'crowd',
 args: {
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 85c514ce..9d0112a3 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
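Review bot: `external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}]` is the only placeholder in this block that is substituted outside YAML quotes, so the operator's value is parsed as the body of a flow sequence rather than as a string. A value that is not a well-formed comma-separated list (an unbalanced quote, a trailing comma, an unquoted name containing `:`) makes gitlab.yml unparseable instead of yielding a wrong group list, which surfaces only when GitLab fails to boot. The README hunk in this commit documents the `'group1','group2'` form, but the template itself gives no hint; I would add a comment directly above the line: `# OAUTH_SAML_EXTERNAL_GROUPS is inserted verbatim as flow-sequence items, e.g. 'group1','group2'`.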
@@ -273,6 +273,12 @@ OAUTH_SAML_LABEL=${OAUTH_SAML_LABEL:-'Our SAML Provider'}
 OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}
 OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}
 OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}
+OAUTH_SAML_GROUPS_ATTRIBUTE=${OAUTH_SAML_GROUPS_ATTRIBUTE:-}
+OAUTH_SAML_EXTERNAL_GROUPS=${OAUTH_SAML_EXTERNAL_GROUPS:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:-}
+OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:-}
 
 ### CAS3
 OAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 0b396803..d0a41b36 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -514,6 +514,23 @@ gitlab_configure_oauth_bitbucket() {
 fi
 }
 
+gitlab_configure_oauth_saml_attribute_statements() {
+ if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} && \
+ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME} ]]; then
+ echo "Configuring gitlab::oauth::saml::attribute_statements..."
+ update_template ${GITLAB_CONFIG} \
+ OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
+ OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
+ OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
+ OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
+ # Remove undefined optional attributes
+ exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
+ else
+ exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_oauth_saml() {
 if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
 -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
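Review bot: The `else` branch of the new gitlab_configure_oauth_saml_attribute_statements drops the whole attribute_statements block without any message when only one of OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL and OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME is set, and the FIRST_NAME/LAST_NAME values are discarded with it; the README hunk in this commit presents the four variables as independent, so an operator who sets only EMAIL gets no email mapping from the SAML assertion and no hint why. I would log before deleting: `[[ -z ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME} ]] || echo "WARNING: OAUTH_SAML_ATTRIBUTE_STATEMENTS_* ignored: both ..._EMAIL and ..._NAME must be set" >&2` as the first line of the `else`, and state the pairing requirement in a comment on the `if`. The two `sed` deletions also match `first_name: ['']` / `last_name: ['']` anywhere in gitlab.yml rather than only inside the saml block; harmless with the current template, but worth a comment so the next edit to gitlab.yml does not trip over it. gitlab_configure_oauth_saml, whose header forms the hunk's trailing context, continues past the end of the hunk.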
@@ -528,7 +545,12 @@ gitlab_configure_oauth_saml() {
 OAUTH_SAML_IDP_CERT_FINGERPRINT \
 OAUTH_SAML_IDP_SSO_TARGET_URL \
 OAUTH_SAML_ISSUER \
- OAUTH_SAML_NAME_IDENTIFIER_FORMAT
+ OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
+ OAUTH_SAML_GROUPS_ATTRIBUTE \
+ OAUTH_SAML_EXTERNAL_GROUPS
+ exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
+ gitlab_configure_oauth_saml_attribute_statements
 else
 exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
 fi
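Review bot: OAUTH_SAML_GROUPS_ATTRIBUTE and OAUTH_SAML_EXTERNAL_GROUPS are substituted and then pruned independently by the two new `sed` lines, so setting OAUTH_SAML_EXTERNAL_GROUPS without OAUTH_SAML_GROUPS_ATTRIBUTE leaves `external_groups` in gitlab.yml with no `groups_attribute` next to it. external_groups is the setting that marks matching SAML users as external users; how GitLab treats the half-configured pair is not visible here (it may fall back to a built-in attribute name or simply never match), and in the latter case the restriction the operator intended is silently absent. I would check the pairing before update_template runs: `if [[ -n ${OAUTH_SAML_EXTERNAL_GROUPS} && -z ${OAUTH_SAML_GROUPS_ATTRIBUTE} ]]; then echo "WARNING: OAUTH_SAML_EXTERNAL_GROUPS is set but OAUTH_SAML_GROUPS_ATTRIBUTE is empty" >&2; fi`. gitlab_configure_oauth_saml starts before this hunk and its closing brace lies after it.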