Shibboleth integration with docker gitlab-ce 16.8 behind apache 2.4 proxy

I have a problem configuring GitLab authentication with OmniAuth and Shibboleth (I’m using an old version, IdP 3). In particular, I’m using Docker (version 20.10.7) with the image gitlab/gitlab-ce:16.8.2-ce.0, with this gitlab.rb configuration:

GITLAB.RB config

external_url 'http://gitlab'

gitlab_rails['internal_api_url'] = 'https://gitlab'
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "0.0.0.0:8181"
gitlab_rails['log_level'] = 'debug'



nginx['enable'] = false
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'shibboleth'
gitlab_rails['omniauth_providers'] = [
  {
    "name"  => "shibboleth",
    "label" => "Text for Login Button",
    "debug" => "true",
    "args"  => {
        "shib_session_id_field"     => "HTTP_SHIB_SESSION_ID",
        "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
        "uid_field"                 => 'HTTP_EPPN',
        "name_field"                => 'HTTP_CN',
        "info_fields"               => { "email" => 'HTTP_MAIL'}
    }
  }
]

Apache(2.4) sp3 config

<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /usr/local/apache2/ssl/server.crt
  SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
  SSLCACertificateFile /usr/local/apache2/ssl/server.crt

  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

  ServerName gitlab
  ServerSignature Off

  ProxyPreserveHost On


  AllowEncodedSlashes NoDecode

  <Location / >
    Require all granted
    ProxyPassReverse http://gitlab:8181
    ProxyPassReverse http://gitlab/
  </Location>


  <Location /users/auth/shibboleth/callback>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    Require shib-session
    ProxyPreserveHost On
    ProxyPass https://idp.avvocatura-dev.it/idp/shibboleth
    ProxyPassReverse https://idp.avvocatura-dev.it/idp/shibboleth

  </Location>

  Alias /shibboleth-sp /usr/share/shibboleth

  <Location /shibboleth-sp>
    Require all granted
  </Location>

  <Location /Shibboleth.sso>
    SetHandler shib
  </Location>


  RewriteEngine on


  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteRule ^/?(.*) "ws://gitlab:8181/$1" [P,L]


  RewriteCond %{REQUEST_URI} ^/api/v\d+/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/branches/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/refs/.*/logs_tree/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/tree/.*

  RewriteCond %{REQUEST_URI} !/Shibboleth.sso
  RewriteCond %{REQUEST_URI} !/shibboleth-sp

  RewriteRule .* http://gitlab:8181%{REQUEST_URI} [P,QSA,NE]



  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*

  RewriteCond %{REQUEST_URI} !/Shibboleth.sso
  RewriteCond %{REQUEST_URI} !/shibboleth-sp

  RewriteRule .* http://gitlab:8181%{REQUEST_URI} [P,QSA]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on


  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded



</VirtualHost>

Where https://idp.avvocatura-dev.it/idp/shibboleth is my IdP.

Apache SP and GitLab are in two separate Docker containers (I cannot change this), using the same Docker network, so communication is not the problem.

Everything works fine for IdP authentication, but when I finish logging in, I get this error:

Gitlab logs:

==> /var/log/gitlab/gitlab-rails/application_json.log <==
{"severity":"DEBUG","time":"2024-02-28T14:46:28.223Z","correlation_id":"01HQR2WRHVQ7P7A4P2CXGGFF1F","message":"(shibboleth) Callback phase initiated."}
{"severity":"ERROR","time":"2024-02-28T14:46:28.223Z","correlation_id":"01HQR2WRHVQ7P7A4P2CXGGFF1F","message":"(shibboleth) Authentication failure! no_shibboleth_session encountered."}

==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/users/auth/shibboleth/callback","format":"html","controller":"OmniauthCallbacksController","action":"failure","status":302,"location":"https://gitlab/users/sign_in","time":"2024-02-28T14:46:28.261Z","params":[],"correlation_id":"01HQR2WRHVQ7P7A4P2CXGGFF1F","meta.caller_id":"OmniauthCallbacksController#failure","meta.remote_ip":"172.20.0.2","meta.feature_category":"system_access","meta.client_id":"ip/172.20.0.2","remote_ip":"172.20.0.2","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","queue_duration_s":0.06519,"request_urgency":"default","target_duration_s":1,"redis_calls":16,"redis_duration_s":0.014269,"redis_read_bytes":2986,"redis_write_bytes":976,"redis_cache_calls":15,"redis_cache_duration_s":0.013594,"redis_cache_read_bytes":2898,"redis_cache_write_bytes":891,"redis_sessions_calls":1,"redis_sessions_duration_s":0.000675,"redis_sessions_read_bytes":88,"redis_sessions_write_bytes":85,"db_count":1,"db_write_count":0,"db_cached_count":0,"db_replica_count":0,"db_primary_count":1,"db_main_count":1,"db_ci_count":0,"db_main_replica_count":0,"db_ci_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_ci_cached_count":0,"db_main_replica_cached_count":0,"db_ci_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_ci_wal_count":0,"db_main_replica_wal_count":0,"db_ci_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_ci_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_ci_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.013,"db_main_duration_s":0.013,"db_ci_duration_s":0.0,"db_main_replica_duration_s":0.0,"db_ci_replica_duration_s":0.0,"cpu_s":0.084369,"mem_objects":17727,"mem_bytes":3434091,"mem_mallocs":6736,"mem_total_bytes":4143171,"pid":815,"worker_id":"puma_2","rate_limiting_gates":[],"db_duration_s":0.0,"view_duration_s":0.0,"duration_s":0.03555}

==> /var/log/gitlab/gitlab-workhorse/current <==
{"content_type":"text/html; charset=utf-8","correlation_id":"01HQR2WRHVQ7P7A4P2CXGGFF1F","duration_ms":113,"host":"gitlab","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"https://idp.avvocatura-dev.it/","remote_addr":"172.20.0.2:46578","remote_ip":"172.20.0.2","route":"","status":302,"system":"http","time":"2024-02-28T14:46:28Z","ttfb_ms":113,"uri":"/users/auth/shibboleth/callback","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","written_bytes":94}

==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"new","status":200,"time":"2024-02-28T14:46:28.774Z","params":[],"correlation_id":"01HQR2WRNQMBMY9XSERAKP4594","meta.caller_id":"SessionsController#new","meta.remote_ip":"172.20.0.2","meta.feature_category":"system_access","meta.client_id":"ip/172.20.0.2","remote_ip":"172.20.0.2","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","queue_duration_s":0.014515,"request_urgency":"low","target_duration_s":5,"redis_calls":9,"redis_duration_s":0.009722,"redis_read_bytes":972,"redis_write_bytes":766,"redis_cache_calls":6,"redis_cache_duration_s":0.006616,"redis_cache_read_bytes":825,"redis_cache_write_bytes":594,"redis_sessions_calls":1,"redis_sessions_duration_s":0.001202,"redis_sessions_read_bytes":145,"redis_sessions_write_bytes":85,"redis_shared_state_calls":2,"redis_shared_state_duration_s":0.001904,"redis_shared_state_read_bytes":2,"redis_shared_state_write_bytes":87,"db_count":8,"db_write_count":0,"db_cached_count":2,"db_replica_count":0,"db_primary_count":8,"db_main_count":8,"db_ci_count":0,"db_main_replica_count":0,"db_ci_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":2,"db_main_cached_count":2,"db_ci_cached_count":0,"db_main_replica_cached_count":0,"db_ci_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_ci_wal_count":0,"db_main_replica_wal_count":0,"db_ci_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_ci_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_ci_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.021,"db_main_duration_s":0.021,"db_ci_duration_s":0.0,"db_main_replica_duration_s":0.0,"db_ci_replica_duration_s":0.0,"cpu_s":0.444435,"mem_objects":230656,"mem_bytes":24184656,"mem_mallocs":91479,"mem_total_bytes":33410896,"pid":812,"worker_id":"puma_1","rate_limiting_gates":[],"db_duration_s":0.0275,"view_duration_s":0.41079,"duration_s":0.47188}

I didn’t see any errors in the logs from the Apache SP or the Shibboleth IdP.

I reached this configuration using this guide.

I’m expecting to enter GitLab after login; the error is shown in the image. Probably I’m missing something.
What should I do?

Thanks.
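
The `no_shibboleth_session` log line concerns the request headers that reach GitLab on `/users/auth/shibboleth/callback`. As an added example (not part of the original post, and not GitLab's or omniauth-shibboleth's own code), this Ruby script maps a set of forwarded headers to Rack env keys and reports which of the fields configured in the gitlab.rb above are missing. The header sets are constructed, and the rule that the callback is refused when neither session field is present is an assumption about the provider.

```ruby
# Added example, not from the post. Constructed header sets; the env keys are
# the ones configured under "args" in the gitlab.rb above.
CONFIGURED_FIELDS = {
  'shib_session_id_field'     => 'HTTP_SHIB_SESSION_ID',
  'shib_application_id_field' => 'HTTP_SHIB_APPLICATION_ID',
  'uid_field'                 => 'HTTP_EPPN',
  'name_field'                => 'HTTP_CN',
  'email'                     => 'HTTP_MAIL'
}.freeze

# Rack exposes request header "Foo-Bar" to the application as HTTP_FOO_BAR.
def rack_env_from_headers(headers)
  headers.each_with_object({}) do |(name, value), env|
    env["HTTP_#{name.upcase.tr('-', '_')}"] = value
  end
end

# Options whose env key is absent or blank on this request.
def missing_fields(env, fields = CONFIGURED_FIELDS)
  fields.select { |_option, key| env[key].to_s.strip.empty? }.keys
end

# Assumption (simplified model of the provider): the callback is refused with
# no_shibboleth_session when neither session field is present in the env.
def callback_outcome(headers)
  missing = missing_fields(rack_env_from_headers(headers))
  session_options = %w[shib_session_id_field shib_application_id_field]
  status = (session_options - missing).empty? ? :no_shibboleth_session : :session_present
  [status, missing]
end

# Constructed: headers as an SP with ShibUseHeaders On would add them.
VIA_SP = {
  'Host' => 'gitlab', 'X-Forwarded-Ssl' => 'on',
  'Shib-Session-ID' => '_constructed_session_id',
  'Shib-Application-ID' => 'default',
  'eppn' => 'user@example.org', 'cn' => 'Example User',
  'mail' => 'user@example.org'
}.freeze

# Constructed: the same callback proxied without any SP attribute headers.
WITHOUT_SP = { 'Host' => 'gitlab', 'X-Forwarded-Ssl' => 'on' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'via SP' => VIA_SP, 'without SP' => WITHOUT_SP }.each do |label, headers|
    status, missing = callback_outcome(headers)
    puts "#{label}: #{status}, missing: #{missing.inspect}"
  end
end
```

Because the backend takes identity from these headers, the Workhorse listener on `0.0.0.0:8181` should be reachable only from the Apache SP container.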