Self-hosted Omnibus install on Ubuntu with the shipped nginx reverse proxy and SSL, using JumpCloud's SAML SSO via OmniAuth.
Can I configure nginx and GitLab so that nothing is reachable on port 443 without SSO — so that there can be no accidental public exposure — but without requiring the user to effectively log in twice?
– Edit –
The current omniauth config is basically this:
# --- OmniAuth / SAML (JumpCloud) --------------------------------------------
# Enable OmniAuth and let a first SAML login create the GitLab account,
# without holding newly created accounts for admin approval.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = %w[saml]
gitlab_rails['omniauth_block_auto_created_users'] = false

# Send visitors straight to the IdP instead of showing the sign-in page.
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'

# Attach SAML identities to already-existing GitLab accounts rather than
# creating duplicates. NOTE(review): auto-linking matches on the e-mail
# claim from the IdP, so it relies on JumpCloud owning/verifying that
# address — confirm before depending on it.
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = %w[saml]
#gitlab_rails['omniauth_auto_link_ldap_user'] = true

# Refresh e-mail and profile fields from the IdP on each login.
# NOTE(review): memberOf is consumed by group_attribute/required_groups
# below; whether it is also a syncable profile attribute should be checked
# against the GitLab docs for the installed version.
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = %w[saml]
gitlab_rails['omniauth_sync_profile_attributes'] = %w[email name nickname location memberOf]

#gitlab_rails['omniauth_external_providers'] = ['google_oauth2']
#gitlab_rails['omniauth_allow_bypass_two_factor'] = ['saml']

gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "JumpCloud SSO",
    # Restrict sign-in to members of the listed IdP group; the membership
    # list is read from the memberOf assertion attribute.
    group_attribute: 'memberOf',
    required_groups: [...jumpcloud group name...],
    args: {
      assertion_consumer_service_url: "https://gitlab....yadda.../users/auth/saml/callback",
      idp_cert_fingerprint: "00:...yadda...:6B",
      idp_sso_target_url: "https://sso.jumpcloud.com/saml2/gitlab",
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      attribute_statements: { nickname: ['nickname'] },
    },
  },
]