GitLab Authentication Data Flow with OKTA (GitLab Community Edition)

Satyendra Kumar
2 min read · May 29, 2020

Single sign-on with on-premise GitLab Community Edition is a bit troublesome because it lacks proper documentation, and I faced the same issues during implementation. GitLab cloud, by contrast, usually has proper documentation and plenty of help in the forums.

Having implemented it for on-premise GitLab Community Edition, I felt like sharing the steps, which can really make a difference for somebody running into the same issues.

Here are the steps if you are using SAML as the identity protocol:

System Requirements:

Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-1024-azure x86_64)

GitLab in this case runs inside a Docker container; the Docker version is 18.09.7, build 2d0083d.

  • After you log in using SSH, at the prompt type:
  • docker exec -ti gitlab bash
  • This will take you inside the container. Once inside, change directory to /etc/gitlab:
  • cd /etc/gitlab
  • The file gitlab.rb is inside that directory. You can use your favourite editor to review the file.
  • vi /var/opt/gitlab/gitlab-rails/etc/gitlab.yml
  • Note that on an Omnibus install this gitlab.yml is generated from /etc/gitlab/gitlab.rb, so a later gitlab-ctl reconfigure will overwrite edits made directly to it.

The relevant sections of gitlab.yml:

```yaml
## Email settings
email_enabled:
# Email address used in the "From" field in mails sent by GitLab
email_from: gitlab@git01.XXX.com

## OmniAuth settings
allow_single_sign_on: ["saml"]
block_auto_created_users: false
auto_link_saml_user: true
external_providers: null
```

Leave the other settings in the above sections as they are, since GitLab already provides the remaining settings.

Under the ## Auth providers ## section of gitlab.yml:

  • Change the value of assertion_consumer_service_url to match the HTTPS endpoint of GitLab (append users/auth/saml/callback to the HTTPS URL of your GitLab installation to get the correct value).
  • To get the idp_cert_fingerprint, first download the certificate from the Okta app you registered and then run: openssl x509 -in okta.cert -noout -fingerprint. Substitute okta.cert with the path to your certificate.
  • Change the value of idp_sso_target_url to the Identity Provider Single Sign-On URL from the step where you configured the Okta app.
  • Change the value of issuer to the Audience Restriction value from your Okta app configuration. This identifies GitLab to the IdP.
  • Leave name_identifier_format as-is.

Example below:

```json
{
  "name": "saml",
  "args": {
    "assertion_consumer_service_url": "https://git01.xxxx.com/users/auth/saml/callback",
    "idp_cert_fingerprint": "5A:7B:BB:XX:DD:1D:84:35:XX:25:F1:A2:65:FE:6F:28:77:D9:34:F2",
    "idp_sso_target_url": "https://XXX.okta.com/app/Companyproduction_gitlab01_1/exk6ghXXX0WkSbSpI2p7/sso/saml",
    "issuer": "https://git01.XXXX.com",
    "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  },
  "label": "Okta"
}
```
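As an added example (not code from the original post), the following Python script computes idp_cert_fingerprint the same way the openssl command does (SHA-1 over the certificate's DER bytes), checks a configured value against the current Okta certificate, and assembles the provider entry above from the GitLab base URL. The helper names, the example.com and example.okta.com URLs and the sample certificate body are constructed for this example; the issuer is assumed to equal the GitLab base URL, as in the post's own example.

```python
import hashlib
import json
import re
import ssl

# openssl's default fingerprint: SHA-1 as 20 uppercase hex pairs joined by colons.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def idp_cert_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes of a PEM certificate, formatted like openssl."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips BEGIN/END lines, base64-decodes
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, configured: str) -> bool:
    """Check gitlab.yml's value against the cert; a stale value after Okta
    rotates its signing certificate makes GitLab reject every assertion."""
    return idp_cert_fingerprint(pem) == configured.strip().upper()


def build_saml_provider(gitlab_url: str, sso_url: str, fingerprint: str) -> dict:
    """Provider entry for gitlab.yml (issuer assumed to be the GitLab base URL)."""
    base = gitlab_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("SAML callback must be served over HTTPS")
    fingerprint = fingerprint.strip().upper()
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("idp_cert_fingerprint must be a colon-separated SHA-1")
    return {
        "name": "saml",
        "args": {
            "assertion_consumer_service_url": f"{base}/users/auth/saml/callback",
            "idp_cert_fingerprint": fingerprint,
            "idp_sso_target_url": sso_url,
            "issuer": base,
            "name_identifier_format": NAMEID_TRANSIENT,
        },
        "label": "Okta",
    }


if __name__ == "__main__":
    # Constructed stand-in for okta.cert: the body is base64 of b"abc", not a real
    # X.509 blob, but the fingerprint arithmetic is identical for a real one.
    pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    provider = build_saml_provider("https://git01.example.com/",
                                   "https://example.okta.com/app/example/sso/saml",
                                   idp_cert_fingerprint(pem))
    print(json.dumps(provider, indent=2))
```

Run fingerprint_matches against the certificate downloaded from the Okta app whenever Okta rotates its signing certificate, before users start reporting failed logins.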

The Okta-side settings for this, when you create a SAML 2.0 app inside Okta, will look like the screenshot below.

The important parts are ATTRIBUTE STATEMENTS and GROUP ATTRIBUTE STATEMENTS.

You can further add groups under Assignments for the Okta app as per your needs.

Please like this post if you find it useful.

Satyendra Kumar

Sr. Enterprise Architect | Digital Transformation Strategist | AI/ML. Passionate about new ideas & innovations, product management and scalability of solutions.