Self-hosted, omnibus Linux installation in a VPC with JumpCloud's SAML provider for authentication.
Periodically we have to give external contractors/vendors access, so we would like to guarantee that every HTTPS request is required to authenticate.
Before we bring up another service to host a proxy in front of it to enforce that, I was hoping it might be possible to achieve this within the omnibus install itself. The relevant part of our gitlab.rb is:
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
# Sign-in goes through OmniAuth (SAML against JumpCloud). These keys govern how a
# user authenticates and how the resulting account is created or linked; they do
# not by themselves make anonymous HTTPS requests require a login.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = %w[saml]
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = %w[saml]
# Profile fields refreshed from the assertion on each sign-in.
# NOTE(review): 'nickname' and 'memberOf' may not be among the attributes GitLab
# syncs here - confirm against the GitLab OmniAuth docs; unknown values are
# presumably ignored rather than rejected.
gitlab_rails['omniauth_sync_profile_attributes'] = %w[email name nickname location memberOf]
# Skip the GitLab sign-in form and redirect straight to the SAML provider.
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# Accounts created on first SAML sign-in are usable immediately (not held in a
# blocked state for an admin to release).
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = true
# Link a SAML identity to an existing GitLab account whose email matches.
# NOTE(review): with auto-linking on and blocking off, whoever controls the email
# attribute at the IdP decides which existing account an assertion is linked to;
# effective access control therefore rests on `required_groups` below and on how
# tightly the IdP governs that attribute - confirm this is intended.
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = %w[saml]

# Single SAML provider. `required_groups` restricts sign-in to assertions whose
# `memberOf` attribute contains 'svnusers'.
saml_args = {
  :assertion_consumer_service_url => 'https://<elided>/users/auth/saml/callback',
  :idp_cert_fingerprint           => '<elided>',
  :idp_sso_target_url             => 'https://sso.jumpcloud.com/saml2/gitlab',
  :name_identifier_format         => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  :attribute_statements           => { :nickname => %w[nickname] }
}
gitlab_rails['omniauth_providers'] = [
  {
    :name            => 'saml',
    :label           => 'JumpCloud SSO',
    :group_attribute => 'memberOf',
    :required_groups => %w[svnusers],
    :args            => saml_args
  }
]
Is this something that GitLab can be configured to enforce, other than by making everything Internal? Or is this something I'll have to go off and figure out how to build a proxy service for?