This topic describes how to configure Security Assertion Markup Language (SAML)-based single sign-on (SSO) for GitLab in the Identity as a Service (IDaaS) console.
Overview
GitLab is an open source Git repository management platform. It uses Git for source code management and provides a web interface for working with public and private projects.
GitLab supports multiple SSO protocols. This topic uses the SAML protocol. For more information about SAML-based SSO in GitLab, see the GitLab documentation.
Procedure
Step 1: Add an application in IDaaS
Log on to the IDaaS console as an administrator. On the EIAM page, click the required instance. In the left-side navigation pane, click Applications. On the Applications page, click Add Application to go to the Marketplace tab. Then, search for GitLab SAML and click Add Application. Confirm the application name and click Add. The application is added.

After you add the application, you are automatically redirected to the SSO tab.
Configure SSO

Configure the GitLab Service Address parameter. Enter the URL of your GitLab instance. The value cannot end with a forward slash (/), because the SAML paths are appended to it.
Application Username: The default value is IDaaS Username. GitLab supports just-in-time (JIT) provisioning: if the application account used for SSO does not exist in GitLab, GitLab creates it automatically on the first logon. For more information about how to configure application accounts, see the "Application account" section of the Configure SSO topic.
Authorize: The default value is All Users. To restrict access to specific IDaaS accounts, see the "Application account" section of the Configure SSO topic.
Use the default settings for the other parameters and click Save. The SSO configuration on the IDaaS side is complete.
In the Application Settings section of the Sign-In tab, you can obtain the values of the parameters that are required to configure SSO in GitLab.
Step 2: Configure SSO in GitLab
Modify the GitLab configuration file in the deployment environment. For more information, see the SAML OmniAuth provider documentation for GitLab.
# If you installed GitLab by using Omnibus, edit gitlab.rb:
sudo editor /etc/gitlab/gitlab.rb
# If you installed GitLab from the downloaded installation package (source installation), edit gitlab.yml:
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
Add the following content to the configuration file. The sample is for an Omnibus installation. A source installation uses the same parameter values, but the parameter names and their order in gitlab.yml differ. For more information, see the SAML OmniAuth provider documentation for GitLab.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      name: 'saml',
      assertion_consumer_service_url: 'http://gitlab.example.com/users/auth/saml/callback',
      issuer: 'http://gitlab.example.com/users/auth/saml',
      idp_cert_fingerprint: '23:f8:77:03:fc:69:4c:da:ac:7e:4a:42:5a:87:5a:b3:ad:a8:d9:df',
      idp_sso_target_url: 'https://example.aliyunidaas.com/login/app/app_mivpoqqmz7zrslxcmlyxa25me4/saml2/sso',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      attribute_statements: {
        nickname: ['username'],
      },
    },
    label: 'EIAM2.0'
  }
]
Only a few parameters in the preceding sample must be changed for your environment. The following table describes them. Two settings in the sample deserve attention before go-live: omniauth_block_auto_created_users = false lets users created by just-in-time provisioning log on immediately without administrator approval, and omniauth_auto_link_saml_user = true links a SAML identity to an existing GitLab account whose email address matches. Keep both only if every IDaaS account authorized for GitLab is trusted and its email address is verified by IDaaS.
| Parameter | Description | Example |
| --- | --- | --- |
| args.assertion_consumer_service_url | The Assertion Consumer Service (ACS) URL of GitLab. In most cases, you can append /users/auth/saml/callback to the GitLab service address to obtain the URL. Use the scheme (https://) under which GitLab is actually served. | http://gitlab.example.com/users/auth/saml/c****ack |
| args.issuer | The identifier (SP entity ID) of GitLab. In most cases, you can append /users/auth/saml to the GitLab service address to obtain the identifier. | http://gitlab.****ple.com/users/auth/saml |
| args.idp_sso_target_url | The SSO URL of the identity provider (IdP). You can obtain the SSO URL of the IdP from the Application Settings section of the Sign-In tab in the IDaaS console. | https://example.aliyunidaas.com/login/app/app_mi****qmz7zrslxcmlyxa25me4/saml2/sso |
| args.idp_cert_fingerprint | The SHA-1 fingerprint of the public key certificate of the IdP. Download the certificate from the IDaaS console and read the SHA-1 fingerprint from the certificate properties, or compute it with a tool such as OpenSSL. GitLab expects hexadecimal byte pairs separated by colons (:). If the fingerprint you obtain has no colons, insert them manually. | 23:f8:77:03:fc:69:4c:da:ac:7e:4a:42:5a:87:5a:b3:ad:a8:d**** |
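The following script derives the values in the preceding table from the three inputs you actually have (the GitLab service address, the IdP SSO URL and the downloaded IdP certificate), normalizes the fingerprint into the colon-separated form GitLab expects, and flags plain-http URLs and SHA-1 fingerprints. It is an added example, not code from the IDaaS or GitLab documentation. It assumes the IdP certificate downloaded from the IDaaS console is PEM encoded; the sample certificate embedded in it is a constructed placeholder whose body is the base64 of the bytes "abc" (not a real X.509 certificate), so the fingerprints it yields are the known SHA-1 and SHA-256 test vectors for "abc". The audit warning refers to the idp_cert_fingerprint_algorithm and idp_cert options of the omniauth-saml library that GitLab's SAML provider is built on.

```python
"""Derive the GitLab SAML provider values from the IDaaS settings.

Added example, not code from the IDaaS or GitLab documentation. Assumes a
PEM-encoded IdP certificate and the GitLab service address entered in IDaaS.
"""
import base64
import hashlib
import re

# Constructed placeholder, not a real IdP certificate: base64("abc") == "YWJj".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def colonize(hex_digest: str) -> str:
    """Format a hex digest the way GitLab expects it: byte pairs joined by ':'."""
    digest = hex_digest.lower()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return the colon form.

    Anything that is not a 20-byte (SHA-1) or 32-byte (SHA-256) digest is
    rejected; this catches a fingerprint truncated by copy and paste.
    """
    compact = re.sub(r"[^0-9a-fA-F]", "", fingerprint)
    if len(compact) not in (40, 64):
        raise ValueError(f"expected 40 or 64 hex digits, got {len(compact)}")
    return colonize(compact)


def cert_fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Fingerprint of the DER-encoded certificate; GitLab's default is SHA-1."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be 'sha1' or 'sha256'")
    return colonize(hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest())


def saml_provider_args(gitlab_url: str, idp_sso_url: str, fingerprint: str) -> dict:
    """Derive the args of the 'saml' provider entry from the three inputs.

    The GitLab service address must not end with '/', because the SAML paths
    are appended to it (the same rule the IDaaS console enforces).
    """
    if gitlab_url.endswith("/"):
        raise ValueError("GitLab service address must not end with '/'")
    return {
        "assertion_consumer_service_url": f"{gitlab_url}/users/auth/saml/callback",
        "issuer": f"{gitlab_url}/users/auth/saml",
        "idp_cert_fingerprint": normalize_fingerprint(fingerprint),
        "idp_sso_target_url": idp_sso_url,
        "name_identifier_format": NAMEID_PERSISTENT,
    }


def audit_provider_args(args: dict) -> list:
    """Return the warnings a reviewer would raise before enabling the provider."""
    warnings = []
    for key in ("assertion_consumer_service_url", "issuer", "idp_sso_target_url"):
        if not args[key].startswith("https://"):
            warnings.append(f"{key} is not https; the SAML response would travel in clear")
    if len(args["idp_cert_fingerprint"]) == 59:  # 20 bytes with colons -> SHA-1
        warnings.append("idp_cert_fingerprint is SHA-1; consider a SHA-256 fingerprint "
                        "with idp_cert_fingerprint_algorithm, or pin the full idp_cert")
    return warnings


def render_gitlab_rb(args: dict, label: str = "EIAM2.0") -> str:
    """Render the provider block in the form used in /etc/gitlab/gitlab.rb."""
    inner = "\n".join(f"      {key}: '{value}'," for key, value in args.items())
    return ("gitlab_rails['omniauth_providers'] = [\n  {\n    name: 'saml',\n"
            f"    args: {{\n{inner}\n    }},\n    label: '{label}'\n  }}\n]\n")


if __name__ == "__main__":
    args = saml_provider_args(
        "https://gitlab.example.com",
        "https://example.aliyunidaas.com/login/app/app_mivpoqqmz7zrslxcmlyxa25me4/saml2/sso",
        cert_fingerprint(SAMPLE_PEM),
    )
    print(render_gitlab_rb(args))
    for warning in audit_provider_args(args):
        print("WARNING:", warning)
```

Replace SAMPLE_PEM with the certificate downloaded from the IDaaS console and the two URLs with your own, then paste the rendered block into gitlab.rb. The fingerprint check refuses a digest of the wrong length rather than silently producing a value that GitLab would accept syntactically but never match, which otherwise shows up only as an opaque signature-validation failure at logon time.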
After the configuration is complete, restart GitLab by using the commands for your installation type:
# If you installed GitLab by using Omnibus, reload the configuration and restart GitLab:
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
# If you installed GitLab from the downloaded installation package, restart GitLab with one of the following commands.
# On systems that run systemd:
sudo systemctl restart gitlab.target
# On systems that run SysV init:
sudo service gitlab restart
After GitLab is restarted, the Login with AliyunIDaaS button appears in the lower part of the GitLab logon page. The button text is taken from the label value in the provider configuration, so it reads EIAM2.0 if you kept the preceding sample.
The SSO configuration is complete.
Step 3: Test SSO for GitLab
After you perform the preceding steps, you can test SSO for GitLab.
In this topic, the SAML protocol is used to enable SSO for GitLab. GitLab supports IdP-initiated SSO and service provider-initiated (SP-initiated) SSO. For IdP-initiated SSO, users initiate the logon on the IDaaS portal page. For SP-initiated SSO, users initiate the logon on the logon page of the GitLab application.
IdP-initiated SSO
Log on to the IDaaS portal by using the IDaaS account that is granted permissions to access GitLab. Click the GitLab icon on the page to initiate SSO logon.

SP-initiated SSO
In a private (incognito) browser window, open the GitLab logon page and click the Login with AliyunIDaaS button. You are redirected to the IDaaS logon page. If you are not logged on to IDaaS, log on as prompted.

After you pass the authentication, you are redirected to GitLab.