GitLab and Shibboleth

At work I was trying to integrate Shibboleth with GitLab, with lots of issues. I followed the guide https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/shibboleth.md but it wouldn’t work:

422

Sign-in using shibboleth auth failed


Sign-in failed because name can’t be blank.

There are couple of steps you can take:

  • Try logging in using your email
  • Try logging in using your username
  • If you have forgotten your password, try recovering it using Password recovery

If none of the options work, try contacting the GitLab administrator.

What to do

Let’s start with the config file /etc/gitlab/gitlab.rb. If you have problems, the first thing to do is enable debugging:

gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "debug" => "true",
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_EPPN',
      "name_field" => 'HTTP_CN',
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]

Don’t forget to run:

sudo gitlab-ctl reconfigure

You should then get debug output in the browser showing the parameters Shibboleth is passing to GitLab. These three are very important:

  • HTTP_EPPN
  • HTTP_CN
  • HTTP_MAIL

In my case HTTP_CN was not populated; I have to check why with my Shibboleth admin. I decided to use the display name instead, so my config file looks like this:

gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_EPPN',
      "name_field" => 'HTTP_DISPLAYNAME',
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]

Again, run:

sudo gitlab-ctl reconfigure

Then enable displayName in your Apache Shibboleth SP configuration. To do so, edit the /etc/shibboleth/attribute-map.xml file and add these lines before the closing tag:

<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>

Restart Shibboleth (the SP daemon is shibd):

sudo service shibd restart

and it should work. If you get an error saying that the email is not whitelisted, the sign-up domain restriction in the admin area is rejecting the address: remove the domain restrictions for sign-up there, or, preferably, add your institution’s email domain to the allowed list so that automatic account creation stays limited to it.

The fact is you need all three of those fields to be able to create an account in GitLab. Without name, mail and uid, it will fail miserably.
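Because the 422 only tells you which field was blank after the round trip through the IdP, it helps to check offline what GitLab would see for a given request. The Ruby script below is an added example, not GitLab’s or the omniauth-shibboleth gem’s code: it takes the provider args from gitlab.rb above (the HTTP_DISPLAYNAME variant) and a constructed Rack-style request env, and reports which of the mandatory fields (session, uid, name, email) are blank.

```ruby
# Added example: report which Shibboleth attributes would be blank for GitLab's
# omniauth-shibboleth provider, given the args from /etc/gitlab/gitlab.rb.
# Not GitLab's or the gem's code; the request env below is constructed sample data.

# Provider args exactly as in the final gitlab.rb of the post.
SHIB_ARGS = {
  "shib_session_id_field"     => "HTTP_SHIB_SESSION_ID",
  "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
  "uid_field"                 => "HTTP_EPPN",
  "name_field"                => "HTTP_DISPLAYNAME",
  "info_fields"               => { "email" => "HTTP_MAIL" },
}.freeze

# Map the configured header names onto the fields GitLab needs to create an
# account and return the values plus the list of fields that are blank.
# (Rack exposes request headers set by the SP as HTTP_* keys in the env.)
def check_shib_env(env, args = SHIB_ARGS)
  blank = ->(v) { v.nil? || v.to_s.strip.empty? }
  fields = {
    "session" => env[args["shib_session_id_field"]],
    "uid"     => env[args["uid_field"]],
    "name"    => env[args["name_field"]],
  }
  args["info_fields"].each { |field, header| fields[field] = env[header] }
  missing = fields.select { |_, v| blank.call(v) }.keys
  { fields: fields, missing: missing, ok: missing.empty? }
end

# Constructed sample: the SP exports eppn and mail, but displayName was never
# released or mapped, which is the situation that produced the 422 in the post.
BROKEN_ENV = {
  "HTTP_SHIB_SESSION_ID"     => "_constructed-session-id",
  "HTTP_SHIB_APPLICATION_ID" => "default",
  "HTTP_EPPN"                => "jdoe@example.edu",
  "HTTP_MAIL"                => "jdoe@example.edu",
  "HTTP_DISPLAYNAME"         => "",
}.freeze

if __FILE__ == $0
  result = check_shib_env(BROKEN_ENV)
  puts(result[:ok] ? "all required attributes present" : "blank: #{result[:missing].join(', ')}")
end
```

Running it against a real request is a matter of dumping the env the SP produces (the "debug" => "true" output above shows exactly those HTTP_* keys) and passing it in place of BROKEN_ENV.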