I have been working the past day or so to integrate user authentication using a custom Google SAML application for SSO. The initial setup for this was a breeze and I am able to successfully authenticate any user within my given domain via SAML.
The problem that I am currently having though is that I want to have control over who can/can’t sign into my Gitlab server. In my current position, any user would be able to sign into this server as long as they have an email and password that has been assigned to them under the domain that is linked to the SAML application.
Here is my goal: The only users that can gain access to my Gitlab server may only have access if I (as an admin) create an account for them on there myself. I would obviously set up the given user with the same email address that they would need to use in order to authenticate using the SAML SSO option on the Gitlab sign-in page.
To provide a bit more context, here is my current configuration that I have in place for my SAML authentication:
###! Docs: OmniAuth | GitLab
gitlab_rails[‘omniauth_enabled’] = true
gitlab_rails[‘omniauth_allow_single_sign_on’] = [‘saml’]
gitlab_rails[‘omniauth_sync_email_from_provider’] = ‘saml’
gitlab_rails[‘omniauth_sync_profile_from_provider’] = [‘saml’]
gitlab_rails[‘omniauth_sync_profile_attributes’] = [‘email’]
#gitlab_rails[‘omniauth_auto_sign_in_with_provider’] = ‘saml’
gitlab_rails[‘omniauth_block_auto_created_users’] = false
gitlab_rails[‘omniauth_auto_link_ldap_user’] = false
gitlab_rails[‘omniauth_auto_link_saml_user’] = true
gitlab_rails[‘omniauth_auto_link_user’] = [‘saml’]
gitlab_rails[‘omniauth_external_providers’] = [‘saml’]
#gitlab_rails[‘omniauth_allow_bypass_two_factor’] = [‘google_oauth2’]
My apologies if I am missing something blatantly obvious. I am very new to SAML SSO configuration for Gitlab and I am at a point where I feel that I have hit a wall on this. Any help or input would be greatly appreciated. Thank you.