At work I was trying to integrate Shibboleth with GitLab, with lots of issues. I followed the guide https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/shibboleth.md but it wouldn't work:
422
Sign-in using shibboleth auth failed
Sign-in failed because name can’t be blank.
There are couple of steps you can take:
- Try logging in using your email
- Try logging in using your username
- If you have forgotten your password, try recovering it using Password recovery
If none of the options work, try contacting the GitLab administrator.
What to do
Let's start with the config file /etc/gitlab/gitlab.rb. If you have problems, the first thing to do is enable debugging:
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "debug" => "true",
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_EPPN',
      "name_field" => 'HTTP_CN',
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]
Don't forget to run
sudo gitlab-ctl reconfigure
You should then get debug output in the browser, where you can see the parameters Shibboleth is passing to GitLab. These three are very important:
- HTTP_EPPN
- HTTP_CN
- HTTP_MAIL
In my case HTTP_CN was not populated; I still have to check why with my Shibboleth admin. I decided to use the display name instead, so my config file looks like this:
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_EPPN',
      "name_field" => 'HTTP_DISPLAYNAME',
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]
Again run
sudo gitlab-ctl reconfigure
and then enable displayName in your Apache Shibboleth configuration. To do so, edit the /etc/shibboleth/attribute-map.xml file and add these lines before the closing tag:
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
Restart the Shibboleth daemon (the service is called shibd):
sudo service shibd restart
and it should work. If you get an error saying that the email is not whitelisted, remove all domain restrictions for sign-up in the admin page.
The fact is that you need all three of those fields to be able to create an account in GitLab. Without name, mail and uid it will fail miserably.
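A stand-alone check, added here and not part of GitLab or omniauth-shibboleth, that applies the provider args above to the HTTP_* headers shown in the debug output and reports which of the three required values (uid, name, email) would come out blank. The header values, the session id and the allowed_domains parameter are constructed assumptions for the example.

```ruby
# Added example (not GitLab's or omniauth-shibboleth's own code): resolve the
# provider "args" mapping against the HTTP_* variables the Shibboleth SP injects
# into the request, and report what is behind "name can't be blank".
def resolve_shib_attributes(args, headers, allowed_domains = [])
  # Without a Shibboleth session the SP never ran; nothing else is trustworthy.
  session = headers[args["shib_session_id_field"]]
  return { missing: ["shibboleth session"] } if session.nil? || session.strip.empty?

  # Treat empty or whitespace-only attribute values as absent, like a blank name.
  fetch = ->(field) {
    value = headers[field]
    value.nil? || value.strip.empty? ? nil : value.strip
  }

  result = {
    uid:   fetch.call(args["uid_field"]),
    name:  fetch.call(args["name_field"]),
    email: fetch.call(args.dig("info_fields", "email")),
  }
  result[:missing] = result.select { |_, v| v.nil? }.keys.map(&:to_s)

  # Mirror the sign-up email domain allowlist from the admin page: an empty
  # list means no restriction (assumed behaviour for this example).
  domain = result[:email].to_s.split("@").last
  if result[:email] && !allowed_domains.empty? && !allowed_domains.include?(domain)
    result[:missing] << "email domain not allowed"
  end
  result
end

# Constructed sample: the IdP releases eppn, mail and displayName but not cn,
# the situation described above. All values are made up.
SAMPLE_HEADERS = {
  "HTTP_SHIB_SESSION_ID" => "_constructed_session_id",
  "HTTP_EPPN"            => "jdoe@example.org",
  "HTTP_MAIL"            => "jdoe@example.org",
  "HTTP_DISPLAYNAME"     => "Jane Doe",
}.freeze

CN_ARGS = {
  "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
  "uid_field"             => "HTTP_EPPN",
  "name_field"            => "HTTP_CN",
  "info_fields"           => { "email" => "HTTP_MAIL" },
}.freeze
DISPLAYNAME_ARGS = CN_ARGS.merge("name_field" => "HTTP_DISPLAYNAME").freeze

[CN_ARGS, DISPLAYNAME_ARGS].each do |args|
  puts "#{args['name_field']}: #{resolve_shib_attributes(args, SAMPLE_HEADERS).inspect}"
end
```

With omniauth_block_auto_created_users set to false, as in the config above, removing the domain restriction means every user the IdP asserts gets a GitLab account on first sign-in.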