Hi,
I've added the following configuration to /etc/gitlab/gitlab.rb, but users are still prompted for the 2FA OTP code after signing in through SAML.
Do you know how to bypass GitLab's 2FA prompt once the user has authenticated through SAML?
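# Omnibus GitLab OmniAuth/SAML settings (/etc/gitlab/gitlab.rb).
# Edits here are only picked up after `gitlab-ctl reconfigure`.

# Allow a SAML sign-in to stand in for GitLab's own second factor. For SAML,
# the bypass is tied to the AuthnContext list below: GitLab skips its 2FA
# prompt only when the IdP's AuthnContextClassRef is one of those values.
# If the IdP returns a class that is not listed, the OTP prompt remains
# (which is likely what is happening here; confirm against a captured
# SAML response and the GitLab version in use).
gitlab_rails['omniauth_allow_bypass_two_factor'] = ['saml']

gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://aaa.bbb.com/users/auth/saml/callback',
      # Fingerprint is redacted in the post ("…skip…"); the full value goes here.
      # The original had the redaction marker outside the string, which does
      # not parse as Ruby.
      idp_cert_fingerprint: 'ah:bc',
      idp_sso_target_url: 'https://login.microsoftonline.com/bsjdgiaodfas/saml2',
      idp_slo_target_url: 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0',
      idp_slo_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      # Must match the entity ID registered at the IdP byte-for-byte. The
      # original value carried a trailing space ('https://aaa.bbb.com '),
      # which makes the issuer/audience comparison fail.
      issuer: 'https://aaa.bbb.com',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      attribute_statements: { email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] },
      # AuthnContextClassRef values GitLab treats as "the IdP already performed
      # a second factor". Only classes the IdP emits *after* MFA belong here.
      # NOTE(review): `...:ac:classes:Password` is a single-factor class.
      # Keeping it means a password-only IdP login counts as 2FA-complete, so
      # GitLab's second factor is effectively switched off for SAML users.
      # Remove it and list the class the IdP actually returns after MFA
      # (for Azure AD this is reported to be the Microsoft-specific
      # `http://schemas.microsoft.com/claims/multipleauthn` — verify in a
      # real assertion before relying on it).
      upstream_two_factor_authn_contexts: %w(
        urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
        urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
        urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
      )
    },
    label: 'Accton Group SSO' # optional label for SAML login button, defaults to "Saml"
  }
]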