mirror of https://github.com/sameersbn/docker-gitlab.git, synced 2026-01-18 13:58:25 +00:00
expose SAML OAuth provider configuration. Closes #333
This commit is contained in: parent 1e1f514106, commit d4f23c2674
@ -2,6 +2,9 @@
This file only reflects the changes that are made in the the docker image. Please refer to the upstream GitLab [CHANGELOG](https://github.com/gitlabhq/gitlabhq/blob/master/CHANGELOG) for the list of changes in GitLab.

**latest**
- expose SAML OAuth provider configuration

**7.12.2-2**
- enable persistence `.secret` file used in 2FA
14 README.md
@ -40,6 +40,7 @@
- [Google](#google)
- [Twitter](#twitter)
- [GitHub](#github)
- [SAML](#saml)
- [External Issue Trackers](#external-issue-trackers)
- [Mapping host user and group](#mapping-host-user-and-group)
- [Piwik](#piwik)
@ -663,6 +664,14 @@ Once you have the Client ID and secret generated, configure them using the `OAUT

For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env='OAUTH_GITHUB_API_KEY=xxx' --env='OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth.

#### SAML

GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html).

The following parameters have to be configured to enable SAML OAuth support in this image: `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`, `OAUTH_SAML_IDP_CERT_FINGERPRINT`, `OAUTH_SAML_IDP_SSO_TARGET_URL`, `OAUTH_SAML_ISSUER` and `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`

Please refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters.

### External Issue Trackers

Since version `7.12.2-2` support for external issue trackers can be enabled in the "Service Templates" section of the settings panel.
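Review bot: the sentence listing the five required `OAUTH_SAML_*` parameters should say which certificate `OAUTH_SAML_IDP_CERT_FINGERPRINT` refers to and why it matters: it is the fingerprint of the IdP's assertion-signing certificate, the value GitLab uses to decide whether an incoming assertion is genuine, so operators must take it from the IdP metadata and not from the TLS certificate served at the SSO URL. The paragraph should also state that the provider is only enabled when all five variables are non-empty; the entrypoint hunk in this same commit otherwise deletes the `saml` entry from gitlab.yml without any message, which an operator will experience as SAML simply not appearing on the sign-in page. The sentence is also missing its terminating period.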
@ -792,6 +801,11 @@ Below is the complete list of available options that can be used to customize yo
- **OAUTH_GITLAB_APP_SECRET**: GitLab App Client secret. No defaults.
- **OAUTH_BITBUCKET_API_KEY**: BitBucket App Client ID. No defaults.
- **OAUTH_BITBUCKET_APP_SECRET**: BitBucket App Client secret. No defaults.
- **OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL**: The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`.
- **OAUTH_SAML_IDP_CERT_FINGERPRINT**: The SHA1 fingerprint of the certificate. No Defaults.
- **OAUTH_SAML_IDP_SSO_TARGET_URL**: The URL to which the authentication request should be sent. No defaults.
- **OAUTH_SAML_ISSUER**: The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`.
- **OAUTH_SAML_NAME_IDENTIFIER_FORMAT**: Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
- **GITLAB_GRAVATAR_ENABLED**: Enables gravatar integration. Defaults to `true`.
- **GITLAB_GRAVATAR_HTTP_URL**: Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html).
- **GITLAB_GRAVATAR_HTTPS_URL**: Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`.
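Review bot: the `OAUTH_SAML_IDP_CERT_FINGERPRINT` entry should say whose certificate it is (the IdP's signing certificate, the one GitLab validates assertion signatures against) and the expected format, i.e. colon-separated hex octets as in the example the gitlab.yml hunk removes; "The SHA1 fingerprint of the certificate" leaves both open. Smaller consistency points in the same list: `No Defaults.` should be `No defaults.` like the neighbouring entries, and the `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` entry has a comma where a period belongs (`required by GitLab, Defaults to`) and no closing period.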
@ -221,14 +221,13 @@ production: &base
args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } }
- { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}',
app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}'}
# - { name: 'saml',
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
# idp_sso_target_url: 'https://login.example.com/idp',
# issuer: 'https://gitlab.example.com',
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
- { name: 'saml',
args: {
assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
issuer: '{{OAUTH_SAML_ISSUER}}',
name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }
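Review bot: the templated `saml` entry is tightly coupled to the entrypoint's `sed "/name: 'saml'/,/name_identifier_format:/d"`, which deletes exactly the range from the `name: 'saml'` line to the `name_identifier_format:` line; if someone later reorders the `args` keys or adds one after `name_identifier_format`, the deletion stops early and gitlab.yml is left with a half-removed provider and literal `{{...}}` placeholders. A one-line comment above the block stating that `name:` must stay first and `name_identifier_format:` last would prevent that. Also worth noting while it is being removed: the old example fingerprint `43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8` is 16 octets, not a SHA1 length, so it should not be copied into the README as the illustration of the expected value.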
@ -127,6 +127,20 @@ OAUTH_GITLAB_APP_SECRET=${OAUTH_GITLAB_APP_SECRET:-}
OAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-}
OAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-}

case $GITLAB_HTTPS in
true)
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-https://${GITLAB_HOST}/users/auth/saml/callback}
OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-https://${GITLAB_HOST}}
;;
false)
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-http://${GITLAB_HOST}/users/auth/saml/callback}
OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-http://${GITLAB_HOST}}
;;
esac
OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}
OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}
OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}

GOOGLE_ANALYTICS_ID=${GOOGLE_ANALYTICS_ID:-}

PIWIK_URL=${PIWIK_URL:-}
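Review bot: the `case $GITLAB_HTTPS in` has only `true)` and `false)` arms and no `*)`, so when `GITLAB_HTTPS` is unset or holds any other spelling, `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` and `OAUTH_SAML_ISSUER` receive no default, the `-n` test in the later hunk fails, and SAML is dropped silently. Add a `*)` arm that falls back to the `http://` defaults, or normalise `GITLAB_HTTPS` before this point the way the rest of the script expects it. Separately, defaulting `issuer` to `http://${GITLAB_HOST}` or `https://${GITLAB_HOST}` means the SP entity ID the IdP was registered with changes whenever `GITLAB_HTTPS` is toggled; the README entry for `OAUTH_SAML_ISSUER` should tell operators to pin it explicitly once the IdP trust is set up.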
@ -567,6 +581,22 @@ else
sudo -HEu ${GITLAB_USER} sed '/{{OAUTH_BITBUCKET_APP_SECRET}}/d' -i config/gitlab.yml
fi

# saml
if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
-n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
-n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \
-n ${OAUTH_SAML_ISSUER} && \
-n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then
OAUTH_ENABLED=true
sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}},'"${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}"',' -i config/gitlab.yml
sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}/'"${OAUTH_SAML_IDP_CERT_FINGERPRINT}"'/' -i config/gitlab.yml
sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_IDP_SSO_TARGET_URL}},'"${OAUTH_SAML_IDP_SSO_TARGET_URL}"',' -i config/gitlab.yml
sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ISSUER}},'"${OAUTH_SAML_ISSUER}"',' -i config/gitlab.yml
sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/'"${OAUTH_SAML_NAME_IDENTIFIER_FORMAT}"'/' -i config/gitlab.yml
else
sudo -HEu ${GITLAB_USER} sed "/name: 'saml'/,/name_identifier_format:/d" -i config/gitlab.yml
fi

# google analytics
if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then
sudo -HEu ${GITLAB_USER} sed 's/{{GOOGLE_ANALYTICS_ID}}/'"${GOOGLE_ANALYTICS_ID}"'/' -i config/gitlab.yml
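Review bot: the five `sed` substitutions splice the environment values into the expression unescaped, using `,` as the delimiter for the URLs and `/` for the fingerprint and name-identifier format. A value containing that delimiter, an `&` (which sed expands to the matched text) or a backslash either makes sed abort, leaving the `{{...}}` placeholder in gitlab.yml, or writes something other than the intended value into the config; an `idp_sso_target_url` carrying a query string is a realistic case. Escape those characters before substituting, or write the `saml` YAML block from the script instead of templating it. Also, the `else` branch removes the whole `saml` entry with no output whenever any one of the five variables is empty, so a typo in a single variable name disables SAML silently; logging which variables are missing before the `sed ... d` would make that diagnosable at container start.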