Adding Shibboleth Authentication to GitLab

    xiaoxiao2022-06-30  47


    Official documentation: https://docs.gitlab.com/ce/integration/omniauth.html#supported-providers

    Shibboleth OmniAuth Provider: https://docs.gitlab.com/ce/integration/shibboleth.html

    OmniAuth is a flexible authentication system (third-party login) implemented as Rack middleware.

    1. Initial OmniAuth Configuration

    Official documentation for this part: https://docs.gitlab.com/ce/integration/omniauth.html#supported-providers

    (1) Open the GitLab configuration file:

        sudo vi /etc/gitlab/gitlab.rb

    (2) Find the following settings and change them:

        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['shibboleth']
        gitlab_rails['omniauth_block_auto_created_users'] = true

    2. Shibboleth OmniAuth Provider

    Official documentation for this part: https://docs.gitlab.com/ce/integration/shibboleth.html

    To make GitLab support Shibboleth, GitLab's default Nginx has to be replaced with Apache. Apache uses the mod_shib2 module to support Shibboleth authentication and passes the attributes as headers to the omniauth-shibboleth provider.

    Before the Shibboleth OmniAuth provider can be used, two things are needed:

    (1) Configure the Apache Shibboleth module.
        https://github.com/rainymoon911/online_experiment_platform/tree/master/Shibboleth (3. SP configuration)

    (2) Configure Apache.

        sudo vi /etc/apache2/conf/000-default

        Replace the Apache configuration file with the contents of: https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-omnibus-ssl-apache24.conf

    After completing the two configurations above, change the GitLab configuration file to enable Shibboleth. Run the following command:

        sudo vi /etc/gitlab/gitlab.rb

    Change the following (replace https://gitlab.example.com with your GitLab domain):

        external_url 'https://gitlab.example.com'
        gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'

        # disable Nginx
        nginx['enable'] = false

        gitlab_rails['omniauth_allow_single_sign_on'] = true
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_providers'] = [
          {
            "name" => 'shibboleth',
            "args" => {
              "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
              "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
              "uid_field" => 'HTTP_EPPN',
              "name_field" => 'HTTP_CN',
              "info_fields" => { "email" => 'HTTP_MAIL' }
            }
          }
        ]

    Save the changes and run the following command:

        sudo gitlab-ctl reconfigure

    The GitLab sign-in page now shows a "Sign in with: Shibboleth" icon. Clicking it starts the authentication process and the page is redirected to the IdP. When authentication finishes, the browser returns to GitLab and the user is signed in.
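
    Sections 1 and 2 assign different values to omniauth_allow_single_sign_on and omniauth_block_auto_created_users, and because gitlab.rb is Ruby, the later assignment wins. The following added example (not from the original post or from GitLab; GitlabRbSandbox and audit are hypothetical names, and the sample fragment is constructed from the settings above) evaluates a gitlab.rb fragment and reports the effective values and what they mean for account creation.

```ruby
# Added example, not GitLab code: GitlabRbSandbox and audit are hypothetical names.
GitlabRbSandbox = Struct.new(:gitlab_rails, :nginx, :url) do
  # gitlab.rb invokes external_url as a method call.
  def external_url(value)
    self.url = value
  end
end

# Constructed sample: section 1's settings followed by section 2's.
SAMPLE = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['shibboleth']
  gitlab_rails['omniauth_block_auto_created_users'] = true
  external_url 'https://gitlab.example.com'
  nginx['enable'] = false
  gitlab_rails['omniauth_allow_single_sign_on'] = true
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_providers'] = [
    { "name" => 'shibboleth',
      "args" => { "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
                  "uid_field" => 'HTTP_EPPN', "name_field" => 'HTTP_CN',
                  "info_fields" => { "email" => 'HTTP_MAIL' } } }
  ]
RB

# Returns the values that win after all assignments, plus findings to review.
def audit(config_text)
  box = GitlabRbSandbox.new({}, {})
  box.instance_eval(config_text) # evaluates Ruby: only feed it a file you trust
  rails = box.gitlab_rails
  sso = rails['omniauth_allow_single_sign_on']
  # Auto-created users are blocked unless this key is explicitly false.
  unblocked = rails['omniauth_block_auto_created_users'] == false
  findings = []
  if unblocked && sso == true
    findings << 'every OmniAuth provider auto-creates unblocked accounts'
  elsif unblocked && Array(sso).any?
    findings << "#{Array(sso).join(', ')} auto-creates unblocked accounts"
  end
  findings << 'bundled Nginx is still enabled' unless box.nginx['enable'] == false
  shib = Array(rails['omniauth_providers']).find { |p| p['name'] == 'shibboleth' }
  findings << 'no shibboleth provider configured' unless shib
  { sso: sso, unblocked: unblocked, findings: findings }
end

puts audit(SAMPLE)
```

    With the section 2 values in effect, every user who authenticates at the IdP gets an unblocked GitLab account on first sign-in; keeping section 1's values instead leaves auto-created users blocked until an administrator unblocks them.
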
    When reposting, please cite the original URL: https://ju.6miu.com/read-1125626.html
