Configuring external groups with SAML OmniAuth Provider

Hi,

I’m trying to configure external groups for SAML OmniAuth Provider as documented at https://docs.gitlab.com/ce/integration/saml.html#requirements but it seems not to work. I would like to use the eduPersonAffiliation attribute as groups_attribute, but our IdP returns attribute statements using the URI name format. So I’ve set the groups_attribute to urn:oid:1.3.6.1.4.1.5923.1.1.1.1. Below are all relevant SAML settings used. Users with affiliation “affiliate” should be marked as external user, but nothing happens. No errors are given either.

request_attributes: [
  {
    name: "urn:oid:0.9.2342.19200300.100.1.3",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'mail'
  },
  {
    name: "urn:oid:2.5.4.4",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'sn'
  },
  {
    name: "urn:oid:2.5.4.42",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'givenName'
  },
  {
    name: "urn:oid:0.9.2342.19200300.100.1.1",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'uid'
  },
  {
    name: "urn:oid:2.5.4.3",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'cn'
  },
  {
    name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    friendly_name: 'eduPersonAffiliation'
  }
],
attribute_statements: {
    email: ['mail','email','urn:oid:0.9.2342.19200300.100.1.3'],
    name: ['cn','urn:oid:2.5.4.3'],
    first_name: ['givenName','urn:oid:2.5.4.42'],
    last_name: ['sn','urn:oid:2.5.4.4'],
    nickname: ['uid','urn:oid:0.9.2342.19200300.100.1.1'],
    groups: ['eduPersonAffiliation','urn:oid:1.3.6.1.4.1.5923.1.1.1.1']
},
groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
external_groups: ["affiliate"]

Does anybody know how to configure external_groups using URI names?

Found the problem. I added the groups_attribute and external_groups to the ‘args’ hash of the saml omniauth_provider config. So it works as expected!

Hello,
I’ve configured the external_groups as described in the documentation, but I don’t know how to link these groups with the groups in GitLab.
Do I have to create them inside GitLab (already done, but I can’t see the effects)?
Or will the groups be created automatically?

Thanks in advance for your answer.

Hi,
The external_groups feature doesn’t map to GitLab groups. It’s intended to set the “external user” flag of the user account if the SAML attribute configured in “groups_attribute” contains a group configured in “external_groups”.

For example to create an external user when the SAML eduPersonAffiliation attribute contains the value “affiliate”, you’ll have to configure:

    groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    external_groups: ["affiliate"],
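
Added example (not GitLab’s code): a small Ruby model of the check described above. It parses a constructed assertion fragment, reads the attribute whose Name equals groups_attribute (the URI, as released by the IdP) and flags the user external when any value is listed in external_groups. It assumes the assertion’s signature has already been validated, which is where the real flow does this lookup.

```ruby
# Added example (not GitLab's code): models the external_groups check
# described above. The assertion's attribute statement is parsed, the
# attribute named by groups_attribute (URI name format) is read, and the
# user is flagged external when any value appears in external_groups.
require 'rexml/document'

SAML_ASSERTION_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Constructed sample assertion fragment: the IdP releases eduPersonAffiliation
# under its URI name; the friendly name is informational only.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      FriendlyName="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>affiliate</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# Returns { attribute_name => [values] }, keyed by the Name attribute only,
# which is why groups_attribute must be the URI here, not the friendly name.
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(doc, '//saml:Attribute', 'saml' => SAML_ASSERTION_NS) do |attr|
    name = attr.attributes['Name']
    REXML::XPath.each(attr, 'saml:AttributeValue', 'saml' => SAML_ASSERTION_NS) do |v|
      attrs[name] << v.text.to_s.strip
    end
  end
  attrs
end

# True when the user should get the "external user" flag.
def external_user?(attrs, groups_attribute:, external_groups:)
  !(attrs.fetch(groups_attribute, []) & external_groups).empty?
end

if __FILE__ == $PROGRAM_NAME
  attrs = saml_attributes(SAMPLE_ASSERTION)
  oid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
  puts external_user?(attrs, groups_attribute: oid, external_groups: ['affiliate'])
  # false: the friendly name is not how the attribute is keyed
  puts external_user?(attrs, groups_attribute: 'eduPersonAffiliation', external_groups: ['affiliate'])
end
```

The second call shows the failure mode from the first post: with the IdP using the URI name format, a friendly-name groups_attribute never matches and nothing happens, with no error.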

Ok,
Thank you for that explanation. So it doesn’t fit what I’m looking for.
I use SAML for user authentication, and I want to grant access to all users authenticated with SAML.

Do you know a way to do this without having to put every user in that group manually?

No need to add users to a group. By default all SAML users will have access. Here is an example config:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
            assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
            idp_cert: "-----BEGIN CERTIFICATE-----
<### CERTIFICATE OF YOUR IDP ###>
-----END CERTIFICATE-----",
            idp_sso_target_url: 'https://idp.example.com/idp/profile/SAML2/Redirect/SSO',
            issuer: 'https://gitlab.example.com',
            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
            certificate: "-----BEGIN CERTIFICATE-----
<### CERTIFICATE OF YOUR GITLAB ###>
-----END CERTIFICATE-----",
            private_key: "-----BEGIN RSA PRIVATE KEY-----
<### PRIVATE KEY OF YOUR GITLAB ###>
-----END RSA PRIVATE KEY-----",
            security: {
                        authn_requests_signed: true,
                        want_assertions_signed: false,
                        digest_method: "XMLSecurity::Document::SHA1",
                        signature_method: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                      },
            attribute_service_name: "GitLab",
            request_attributes: [
                                  {
                                    name: "urn:oid:0.9.2342.19200300.100.1.3",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'mail'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.4",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'sn'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.42",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'givenName'
                                  },
                                  {
                                    name: "urn:oid:0.9.2342.19200300.100.1.1",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'uid'
                                  },
                                  {
                                    name: "urn:oid:2.5.4.3",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'cn'
                                  },
                                  {
                                    name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
                                    name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                                    friendly_name: 'eduPersonAffiliation'
                                  }
                                ],
            attribute_statements: {
                                    email: ['mail','email','urn:oid:0.9.2342.19200300.100.1.3'],
                                    name: ['cn','urn:oid:2.5.4.3'],
                                    first_name: ['givenName','urn:oid:2.5.4.42'],
                                    last_name: ['sn','urn:oid:2.5.4.4'],
                                    nickname: ['uid','urn:oid:0.9.2342.19200300.100.1.1'],
                                    groups: ['eduPersonAffiliation','urn:oid:1.3.6.1.4.1.5923.1.1.1.1']
                                  }
          },
    groups_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    external_groups: ["affiliate"],
    label: 'SAML'
  }
]

hey rmoreas!

I’m using ADFS as my IdP. Are you using ADFS as well? I tried to set this up but it is not working. I tried using the same config you have above (not the attribute_service_name and request_attributes) but I’m not sure about the claim to be used on the ADFS side. Do you have something you can share?

Thank you!

Sorry, I can’t really help you with that. I’ve no experience with ADFS. You’ll have to find out which attributes are released by your IdP and set your request_attributes and attribute_statements correspondingly.