Disable SAML and login as root

We have a backup of a gitlab CE 13.12.12 instance which we want to demise.

The backup needs to be kept as an archive so I need to prove that we can recover the code from the backup in the future should we need to do so.

I have created a docker instance on my laptop of the same version, created a couple of local users and then recovered the code to the instance from the backup file. However it doesn’t start correctly and allow logins unless I replace the original /etc/gitlab/gitlab.rb and /etc/gitlab/gitlab-secrets.json which I expected from the restore documentation.

The original gitlab used SAML authentication via keycloak which will also soon be demised, so how do we enable logins using local users? If I set omniauth_enabled to false we get the message “No authentication methods configured.” So far my reading of the omniauth documentation is not giving me the answer, nor is my tinkering or comparing the pre and post restore gitlab.rb files.

The Gitlab backup/restore process doesn’t restore gitlab.rb or gitlab-secrets.json - you have to put these in place manually. Basically it then means:

  1. Install Gitlab
  2. Restore gitlab.rb and gitlab-secrets.json to /etc/gitlab.
  3. Run gitlab-ctl reconfigure to get a basic empty instance running.
  4. Restore backup.
  5. Reconfigure/restart Gitlab.

Thank you for your reply.
Yes I have done that and it then tries to use the SAML authentication which is in the gitlab.rb file.

Now I need a step to modify gitlab.rb so that I can login without SAML trying to hand off the authentication to keycloak.

This is what is there at the moment with a few redactions.

```ruby
### OmniAuth Settings
###! Docs: OmniAuth | GitLab
gitlab_rails['omniauth_enabled'] = 'true'
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = 'false'
gitlab_rails['omniauth_auto_link_saml_user'] = 'true'
gitlab_rails['omniauth_external_providers'] = ['saml']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "MY SSO",
    "args" => {
      "assertion_consumer_service_url" => "https://gitlab.XXX.XXX/users/auth/saml/callback",
      "idp_cert_fingerprint" => "5B:94:40:35:73:DC:C0:37:5B:ED:00:F2:8B:D5:73:57:DE:AD:ED:06",
      "idp_sso_target_url" => "https://sso.XXX.XXX.XXX.XXX/auth/realms/bx/protocol/saml",
      "issuer" => "xxx-gitlab",
      "name_identifier_format" => "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      attribute_statements: {
        email: ['urn:oid:1.2.840.113549.1.9.1'],
        first_name: ['urn:oid:2.5.4.42'],
        last_name: ['urn:oid:2.5.4.4']
      }
    }
  }
]
```

Thank you for your reply.
Those are the steps that I have followed.

What I need now is another step to edit gitlab.rb to stop it trying to hand off the authentication to the SAML provider.

Here is what is in the gitlab.rb for authentication at the moment.

```ruby
### OmniAuth Settings
###! Docs: OmniAuth | GitLab
gitlab_rails['omniauth_enabled'] = 'true'
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'google_oauth2']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = 'false'
gitlab_rails['omniauth_auto_link_saml_user'] = 'true'
gitlab_rails['omniauth_external_providers'] = ['saml']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "SSO",
    "args" => {
      "assertion_consumer_service_url" => "https://gitlab.xxx.xxx/users/auth/saml/callback",
      "idp_cert_fingerprint" => "5B:94:40:35:73:DC:C0:37:5B:ED:00:F2:8B:D5:73:57:DE:AD:ED:06",
      "idp_sso_target_url" => "https://sso.xxx.xxxx.xxx.xxx.xx/auth/realms/xx/protocol/saml",
      "issuer" => "ldn-gitlab",
      "name_identifier_format" => "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      attribute_statements: {
        email: ['urn:oid:1.2.840.113549.1.9.1'],
        first_name: ['urn:oid:2.5.4.42'],
        last_name: ['urn:oid:2.5.4.4']
      }
    }
  }
]
```

You could probably disable it:

```ruby
gitlab_rails['omniauth_enabled'] = 'true'
```

and change to false? That said, not entirely sure then if you’ll be able to login at all or not, or whether it will use cached credentials.

omniauth_enabled = false
results in a message saying “No authentication methods configured.”

All the omniauth providers seem to hand it off to somewhere else and the plain vanilla gitlab.rb appears to have everything commented out but doesn’t work after the restore.

Sounds like they’ll somehow need to be converted/imported. From a quick google it’s possible to do that for LDAP users, but haven’t found anything relating to oauth/omniauth to be able to do a similar thing.

You could see what’s available by logging into it as local root/admin user after restore and see what the user list looks like and see if there is any option in there. If you cannot login as root, then you can reset the password using the procedure here: Reset a user's password | GitLab

The big problem is that after the restore we only have a button to login using SAML. We don’t get username and password textfields displayed at all.

We don’t want to import the users as that is being demised and the purpose of the backup is only as an archive.
Does anyone have some ideas that I can try please?
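
A dry-run runbook for the five restore steps listed earlier in the thread, extended with a check of the password sign-in setting; this is an added example, not code posted by anyone in the thread. The container name, backup file name and config directory are constructed, and the container is assumed to be running the matching GitLab image already. The `password_authentication_enabled_for_web` application setting comes from GitLab's sign-in restrictions documentation, where it controls whether the username/password form is shown.

```sh
#!/bin/sh
# Added example (not from the thread): dry-run runbook for the restore steps.
# Constructed/assumed: container name, backup file name, config directory.
set -eu
CONTAINER="${CONTAINER:-gitlab-archive}"   # hypothetical container name
DRY_RUN="${DRY_RUN:-1}"                    # 1 = only print the commands

# gitlab-backup wants BACKUP=<file name without _gitlab_backup.tar>
backup_id() { basename "$1" _gitlab_backup.tar; }

# The id ends in the GitLab version that wrote it (EE adds -ee)
backup_version() {
  backup_id "$1" | sed -E 's/^[0-9]+_[0-9]{4}_[0-9]{2}_[0-9]{2}_//; s/-[ce]e$//'
}

# A backup restores only onto the same GitLab version (number compared here)
versions_match() { [ "$(backup_version "$1")" = "$2" ]; }

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
in_ctr() { run docker exec "$CONTAINER" "$@"; }

# $1 = backup tar, $2 = installed version, $3 = dir with saved gitlab.rb and secrets
restore_archive() {
  versions_match "$1" "$2" || { echo "backup $(backup_version "$1") != instance $2" >&2; return 1; }
  run docker cp "$3/gitlab.rb" "$CONTAINER:/etc/gitlab/gitlab.rb"                # step 2
  run docker cp "$3/gitlab-secrets.json" "$CONTAINER:/etc/gitlab/gitlab-secrets.json"
  in_ctr gitlab-ctl reconfigure                                                  # step 3
  run docker cp "$1" "$CONTAINER:/var/opt/gitlab/backups/"
  in_ctr chown git:git "/var/opt/gitlab/backups/$(basename "$1")"
  in_ctr gitlab-ctl stop puma
  in_ctr gitlab-ctl stop sidekiq
  in_ctr gitlab-backup restore BACKUP="$(backup_id "$1")" force=yes              # step 4
  in_ctr gitlab-ctl reconfigure                                                  # step 5
  in_ctr gitlab-ctl restart
}

# Sign-in restrictions are stored in the database, so they return with the backup.
password_signin_status() {
  in_ctr gitlab-rails runner 'puts Gitlab::CurrentSettings.password_authentication_enabled_for_web?'
}
enable_password_signin() {
  in_ctr gitlab-rails runner 'Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)'
}

SAMPLE=./1650000000_2022_04_15_13.12.12_gitlab_backup.tar   # constructed file name
restore_archive "${1:-$SAMPLE}" "${2:-13.12.12}" "${3:-./etc-gitlab}"
password_signin_status
```

With `DRY_RUN=0` the commands are executed instead of printed; `enable_password_signin` is meant to be called by hand only if the status check prints `false`.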