Shibboleth integration

I managed to integrate Shibboleth authentication without replacing the embedded NGINX with Apache.

To do this, the NGINX module https://github.com/nginx-shib/nginx-http-shibboleth has to be compiled and installed as a dynamic module with exactly the build options the embedded NGINX was built with. Those options (and the NGINX version, which must match as well, otherwise NGINX refuses to load the module as binary-incompatible) are printed by /opt/gitlab/embedded/sbin/nginx -V; adjust the path if the GitLab embedded NGINX is installed elsewhere.

The Shibboleth SP also has to be built with FastCGI support enabled, since the shibauthorizer and shibresponder binaries used below only exist in that case.
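As an added example (not part of the original post), here is a small POSIX shell script that pulls the configure arguments and the version out of the nginx -V output and prints the commands to build nginx-http-shibboleth as a dynamic module against them. The nginx -V sample text, the source directory and the module directory /usr/lib64/nginx/modules are assumptions for illustration; read the printed commands before running them on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: derive the build options of the
# GitLab Omnibus NGINX from `nginx -V` so that nginx-http-shibboleth can be
# compiled as a dynamic module against the same version and options.
# Paths and the sample output below are assumptions for illustration.
set -eu

# Print the value of the "configure arguments:" line of `nginx -V` output.
# Usage: configure_args "$(/opt/gitlab/embedded/sbin/nginx -V 2>&1)"
# (nginx -V writes to stderr, hence the 2>&1).
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Print the bare version ("1.x.y") from the same output; the module has to be
# built against the source of exactly this version.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p'
}

# Constructed sample of what the embedded binary prints (not real output).
SAMPLE_V='nginx version: nginx/1.20.1
built by gcc 8.5.0 (GCC)
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/opt/gitlab/embedded --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_v2_module --with-http_realip_module'

# Emit the build commands for the module. They are printed rather than run so
# that the version and options can be checked first; --add-dynamic-module and
# "make modules" build only the .so, not a new nginx binary.
build_commands() {
    v=$(nginx_version "$1")
    args=$(configure_args "$1")
    cat <<EOF
cd /usr/local/src
curl -fsSLO https://nginx.org/download/nginx-${v}.tar.gz
tar xzf nginx-${v}.tar.gz
git clone https://github.com/nginx-shib/nginx-http-shibboleth
cd nginx-${v}
./configure ${args} --add-dynamic-module=../nginx-http-shibboleth
make modules
install -m 0644 objs/ngx_http_shibboleth_module.so /usr/lib64/nginx/modules/
EOF
}

build_commands "$SAMPLE_V"
```

On the real host replace SAMPLE_V with "$(/opt/gitlab/embedded/sbin/nginx -V 2>&1)"; the configure step needs the same toolchain and development headers (OpenSSL, PCRE, zlib) the embedded build used, otherwise ./configure fails before anything is built.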

Once these requirements are satisfied, two ERB templates of the Omnibus cookbook have to be modified. gitlab-ctl reconfigure renders the NGINX configuration from these templates, and a package upgrade overwrites them, so the change has to be re-applied after every GitLab upgrade:

/opt/gitlab/embedded/cookbooks/gitlab/templates/default/nginx.conf.erb
and
/opt/gitlab/embedded/cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

In nginx.conf.erb the new block goes right after daemon off; (line 10 at the time of writing). The load_module directive must sit in the main context, before the events block, and it is only emitted when a provider named shibboleth is configured:

...
daemon off;

<% if node['gitlab']['gitlab-rails']['omniauth_enabled'] %>
<% node['gitlab']['gitlab-rails']['omniauth_providers'].each do |provider| %>
<% if provider['name'] == 'shibboleth' %>
# nginx['shibboleth_module'] from gitlab.rb: the compiled dynamic module
load_module <%= @shibboleth_module %>;
<% break %>
<% end %>
<% end %>
<% end %>

events {
  worker_connections <%= @worker_connections %>;
}

http {
...

In nginx-gitlab-http.conf.erb the block goes inside the server block, right after the loop that emits the proxy_set_header lines (line 153 at the time of writing) and before the location for LFS objects. Only the OmniAuth callback path is routed through shibauthorizer; the other locations expose the SP handler (/Shibboleth.sso) and its static files:

...
  proxy_set_header <%= header[0] %> <%= header[1] %>;
<% end %>

<% if node['gitlab']['gitlab-rails']['omniauth_enabled'] %>
<% node['gitlab']['gitlab-rails']['omniauth_providers'].each do |provider| %>
<% if provider['name'] == 'shibboleth' %>

  # subrequest target used by shib_request; never reachable from a client
  location = /shibauthorizer {
    internal;
    include /opt/gitlab/embedded/conf/fastcgi_params;
    fastcgi_pass unix:<%= @shibboleth_authorizer_sock %>;
  }

  # SP handler: Login, Logout, SAML2/POST, Session, Metadata, ...
  location /Shibboleth.sso {
    include /opt/gitlab/embedded/conf/fastcgi_params;
    fastcgi_pass unix:<%= @shibboleth_responder_sock %>;
  }

  # static files referenced by the SP error pages
  location /shibboleth-sp {
    alias /usr/share/shibboleth/;
  }

  # OmniAuth request phase: GitLab redirects to /Shibboleth.sso/Login itself
  location /users/auth/shibboleth {
    proxy_pass http://<%= node['gitlab']['unicorn']['listen'] %>:<%= node['gitlab']['unicorn']['port'] %>;

    # callback phase: only reached with a valid SP session; the attributes
    # are passed to Unicorn as request headers (HTTP_EPPN etc. in Rack)
    location = /users/auth/shibboleth/callback {
      shib_request /shibauthorizer;
      shib_request_use_headers on;
      proxy_pass http://<%= node['gitlab']['unicorn']['listen'] %>:<%= node['gitlab']['unicorn']['port'] %>;
    }
  }
<% break %>
<% end %>
<% end %>
<% end %>

  location ~ (.git/gitlab-lfs/objects|.git/info/lfs/objects/batch$) {
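One check worth making before this goes live: with shib_request_use_headers on, the attributes released by the SP reach Unicorn as ordinary request headers (the Eppn header becomes HTTP_EPPN in the Rack environment, which is exactly the field gitlab.rb reads as the user id below), and a client can send headers with those names itself. The nginx-http-shibboleth README therefore recommends clearing the incoming Variable-*, Shib-*, Remote-User/REMOTE_USER and Auth-Type/AUTH_TYPE headers with the headers-more module before shib_request runs; clearing the exact attribute headers gitlab.rb consumes is the conservative extension of that advice. The following fragment is an added example, not part of the original configuration. It assumes headers-more-nginx-module has been built as a second dynamic module with the same configure options and loaded in nginx.conf.erb next to the Shibboleth one (load_module /usr/lib64/nginx/modules/ngx_http_headers_more_filter_module.so;); the header names Eppn, Cn and Mail are the ones the gitlab.rb on this page maps.

```erb
  # Added example (not from the original post): hardened callback location.
  # Assumes ngx_http_headers_more_filter_module.so is loaded alongside the
  # Shibboleth module; more_clear_input_headers runs in the rewrite phase,
  # i.e. before shib_request (access phase) adds the authorizer's headers.
  location /users/auth/shibboleth {
    proxy_pass http://<%= node['gitlab']['unicorn']['listen'] %>:<%= node['gitlab']['unicorn']['port'] %>;

    location = /users/auth/shibboleth/callback {
      # Drop anything the client sent that looks like a Shibboleth attribute,
      # including the exact headers gitlab.rb reads (HTTP_EPPN, HTTP_CN,
      # HTTP_MAIL), so that only values set by shibauthorizer reach Unicorn.
      more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER'
                               'Auth-Type' 'AUTH_TYPE' 'Eppn' 'Cn' 'Mail';
      shib_request /shibauthorizer;
      shib_request_use_headers on;
      proxy_pass http://<%= node['gitlab']['unicorn']['listen'] %>:<%= node['gitlab']['unicorn']['port'] %>;
    }
  }
```

After reconfiguring, a request such as curl -sI -H 'Eppn: someone@example.org' https://YOUR_HOSTNAME_HERE/users/auth/shibboleth/callback should still be redirected to the IdP login rather than produce a GitLab session; the requireSession="true" in the RequestMapper below is what makes shibauthorizer reject a request without a valid SP session.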

Then in the gitlab.rb config file I added the following lines. Pay attention to the uid_field: HTTP_EPPN is how Rack exposes the Eppn request header, so the attribute id your Identity Provider releases (as mapped in attribute-map.xml of your Shibboleth SP) has to be eppn, or the field has to be changed to match; the same holds for HTTP_CN and HTTP_MAIL. Two settings deserve a second look before production use: omniauth_block_auto_created_users = false makes every account the IdP authenticates active immediately, without administrator approval, so leave it at the default true unless every IdP user is meant to have access, and the current GitLab documentation gives omniauth_allow_single_sign_on as a list of provider names (['shibboleth']) rather than true, so check the form expected by the version you run:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => "HTTP_EPPN",
      "name_field" => "HTTP_CN",
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]

and

nginx['shibboleth_module'] = "/usr/lib64/nginx/modules/ngx_http_shibboleth_module.so"
nginx['shibboleth_sock'] = "/var/run/shibboleth/shibd.sock"
nginx['shibboleth_responder_sock'] = "/var/run/shibboleth/shibresponder.sock"
nginx['shibboleth_authorizer_sock'] = "/var/run/shibboleth/shibauthorizer.sock"

On the Shibboleth SP side (shibboleth2.xml) two things are required: a UnixListener, over which shibauthorizer and shibresponder talk to shibd (a relative address resolves to the SP run directory, /var/run/shibboleth on RPM installs, matching nginx['shibboleth_sock'] above), and a RequestMapper entry that requires a session for the callback path. Replace YOUR_HOSTNAME_HERE with the external host name of GitLab exactly as it appears in the request Host header; requireSession="true" is what makes shibauthorizer send an unauthenticated request to the IdP instead of passing it through with an empty attribute set:

 <UnixListener address="shibd.sock"/>

 <RequestMapper type="XML">
    <RequestMap>
       <Host name="YOUR_HOSTNAME_HERE"
          authType="shibboleth"
          requireSession="true"
          redirectToSSL="443">
          <Path name="/users/auth/shibboleth/callback" />
       </Host>
    </RequestMap>
</RequestMapper>

Now install supervisor and put the following in /etc/supervisord.d/shibboleth.ini. supervisor creates the two listening sockets and hands them to the FastCGI programs. With socket_owner=shibd:shibd and socket_mode=0660 only shibd and members of the shibd group can connect, so the user the embedded NGINX workers run as (gitlab-www by default) must be added to the shibd group; otherwise the callback and /Shibboleth.sso locations fail with "connect() to unix:/var/run/shibboleth/... failed (13: Permission denied)" in the NGINX error log:

[fcgi-program:shibauthorizer]
command=/usr/lib64/shibboleth/shibauthorizer
socket=unix:///var/run/shibboleth/shibauthorizer.sock
socket_owner=shibd:shibd
socket_mode=0660
user=shibd
stdout_logfile=/var/log/supervisor/shibauthorizer.log
stderr_logfile=/var/log/supervisor/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/usr/lib64/shibboleth/shibresponder
socket=unix:///var/run/shibboleth/shibresponder.sock
socket_owner=shibd:shibd
socket_mode=0660
user=shibd
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log

Then start (or restart) the Shibboleth daemon (systemctl restart shibd.service), enable and start the supervisor daemon (systemctl enable supervisor.service and systemctl start supervisor.service) and start the two FastCGI programs with supervisorctl start all. Finally run gitlab-ctl reconfigure so that the modified templates are rendered, and confirm with /opt/gitlab/embedded/sbin/nginx -t -c /var/opt/gitlab/nginx/conf/nginx.conf that the module loads and the configuration is valid.

Any suggestions or corrections are welcome!