Configuring external groups with SAML OmniAuth Provider


#1

Hi,

I’m trying to configure external groups for SAML OmniAuth Provider as documented at https://docs.gitlab.com/ce/integration/saml.html#requirements but it seems not to work. I would like to use the eduPersonAffiliation attribute as groups_attribute, but our IdP returns attribute statements using the URI name format. So I’ve set the groups_attribute to urn:oid:1.3.6.1.4.1.5923.1.1.1.1. Below are all relevant SAML settings used. Users with affiliation “affiliate” should be marked as external user, but nothing happens. No errors are given either.

request_attributes: [
  {
    name: "urn:oid:0.9.2342.19200300.100.1.3",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'mail'
  },
  {
    name: "urn:oid:2.5.4.4",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'sn'
  },
  {
    name: "urn:oid:2.5.4.42",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'givenName'
  },
  {
    name: "urn:oid:0.9.2342.19200300.100.1.1",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'uid'
  },
  {
    name: "urn:oid:2.5.4.3",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'cn'
  },
  {
    name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'eduPersonAffiliation'
  }
],
attribute_statements: {
    email: ['mail','email','urn:oid:0.9.2342.19200300.100.1.3'],
    name: ['cn','urn:oid:2.5.4.3'],
    first_name: ['givenName','urn:oid:2.5.4.42'],
    last_name: ['sn','urn:oid:2.5.4.4'],
    nickname: ['uid','urn:oid:0.9.2342.19200300.100.1.1'],
    groups: ['eduPersonAffiliation','urn:oid:1.3.6.1.4.1.5923.1.1.1.1']
},
groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
external_groups: ["affiliate"]

Does somebody know how to configure external_groups using URI names?


#2

Found the problem. I added the groups_attribute and external_groups to the ‘args’ hash of the saml omniauth_provider config. So it works as expected!


#3

Hello,
I’ve configured the external_groups as described in the documentation, but I don’t know how to link these groups with the groups in GitLab.
Do I have to create them inside GitLab (already done, but I can’t see the effects)?
Or will the groups be created automatically?

Thanks in advance for your answer.


#4

Hi,
The external_groups feature doesn’t map to GitLab groups. It’s intended to set the “external user” flag of the user account if the SAML attribute configured in “groups_attribute” contains a group configured in “external_groups”.

For example, to create an external user when the SAML eduPersonAffiliation attribute contains the value “affiliate”, you’ll have to configure:

    groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    external_groups: ["affiliate"],
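
As an added illustration of the check described in this reply (example code, not GitLab's implementation): a simplified model of external_groups that uses the thread's attribute names and constructed sample assertions. Lookup is by the exact attribute name the IdP sends, which is why a friendly-name groups_attribute silently matches nothing against a URI-format assertion; alias_names and diagnose_groups_attribute are hypothetical helpers that surface that mismatch.

```ruby
# Constructed sample: attribute statement from an IdP using the URI name format.
SAML_ATTRIBUTES_URI = {
  "urn:oid:0.9.2342.19200300.100.1.3" => ["jane@example.edu"],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  => ["member", "affiliate"],
}.freeze

# Constructed sample: the same user from an IdP that sends friendly names instead.
SAML_ATTRIBUTES_FRIENDLY = {
  "mail"                 => ["jane@example.edu"],
  "eduPersonAffiliation" => ["member", "affiliate"],
}.freeze

# Provider settings from the thread (keys mirror gitlab.rb).
PROVIDER = {
  groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
  external_groups:  ["affiliate"],
}.freeze

# Subset of request_attributes from the thread: URI name <-> friendly name.
REQUEST_ATTRIBUTES = [
  { name: "urn:oid:0.9.2342.19200300.100.1.3", friendly_name: "mail" },
  { name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1", friendly_name: "eduPersonAffiliation" },
].freeze

# Group values under the configured attribute name, exactly as the IdP sent it;
# [] when that exact name is absent (the silent "nothing happens" case in post #1).
def saml_groups(attributes, groups_attribute)
  Array(attributes[groups_attribute])
end

# True when any of the user's groups is listed in external_groups. This only sets
# the account's "external user" flag; it creates or maps no GitLab group.
def external_user?(attributes, provider)
  (saml_groups(attributes, provider[:groups_attribute]) & Array(provider[:external_groups])).any?
end

# Hypothetical diagnostic: other names the configured attribute may arrive under.
def alias_names(groups_attribute, request_attributes = REQUEST_ATTRIBUTES)
  names = request_attributes.flat_map do |ra|
    pair = [ra[:name], ra[:friendly_name]]
    pair.include?(groups_attribute) ? pair : []
  end
  names - [groups_attribute]
end

# :ok, :name_format_mismatch (present only under an alias) or :attribute_absent.
def diagnose_groups_attribute(attributes, groups_attribute)
  return :ok if attributes.key?(groups_attribute)
  alias_names(groups_attribute).any? { |n| attributes.key?(n) } ? :name_format_mismatch : :attribute_absent
end
```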

#5

Ok,
Thank you for that explanation. So it doesn’t fit what I’m looking for.
I use SAML for user authentication, and I want to grant access to all users authenticated with SAML.

Do you know a way to do this without having to put every user in that group manually?


#6

No need to add users to a group. By default all SAML users will have access. Here is an example config:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
            assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
            idp_cert: "-----BEGIN CERTIFICATE-----
<### CERTIFICATE OF YOUR IDP ###>
-----END CERTIFICATE-----",
            idp_sso_target_url: 'https://idp.example.com/idp/profile/SAML2/Redirect/SSO',
            issuer: 'https://gitlab.example.com',
            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
            certificate: "-----BEGIN CERTIFICATE-----
<### CERTIFICATE OF YOUR GITLAB ###>
-----END CERTIFICATE-----",
            private_key: "-----BEGIN RSA PRIVATE KEY-----
<### PRIVATE KEY OF YOUR GITLAB ###>
-----END RSA PRIVATE KEY-----",
            security: {
                        authn_requests_signed: true,
                        want_assertions_signed: false,
                        digest_method: "XMLSecurity::Document::SHA1",
                        signature_method: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                      },
            attribute_service_name: "GitLab",
            request_attributes: [
                                  {
                                    name: "urn:oid:0.9.2342.19200300.100.1.3",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'mail'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.4",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'sn'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.42",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'givenName'
                                  },
                                  {
                                    name: "urn:oid:0.9.2342.19200300.100.1.1",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'uid'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.3",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'cn'
                                  },
                                  {
                                    name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'eduPersonAffiliation'
                                  }
                                ],
            attribute_statements: {
                                    email: ['mail','email','urn:oid:0.9.2342.19200300.100.1.3'],
                                    name: ['cn','urn:oid:2.5.4.3'],
                                    first_name: ['givenName','urn:oid:2.5.4.42'],
                                    last_name: ['sn','urn:oid:2.5.4.4'],
                                    nickname: ['uid','urn:oid:0.9.2342.19200300.100.1.1'],
                                    groups: ['eduPersonAffiliation','urn:oid:1.3.6.1.4.1.5923.1.1.1.1']
                                  }
          },
    groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    external_groups: ["affiliate"],
    label: 'SAML'
  }
]