Online Help

SafeNet Trusted Access for GitLab

Overview

Configuring SafeNet Trusted Access for GitLab is a three-step process:

1. GitLab setup

2. SafeNet Trusted Access setup

3. Verify Authentication

GitLab Setup

As a prerequisite, obtain the certificate fingerprint from the Identity Provider certificate. To do so, download the Identity Provider certificate from the SafeNet Trusted Access console by clicking the Download X.509 certificate button. Next, perform the following steps:

Open the certificate.
On the Details tab, from the Thumbprint field, copy the certificate fingerprint.
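To cross-check the value copied from the Thumbprint field, the SHA-1 fingerprint can be computed directly from the downloaded certificate file and compared with the string destined for gitlab.rb, ignoring case, separators and invisible characters picked up by copy and paste. This is an added example, not part of the SafeNet documentation; the function names are assumptions, and the sample certificate is a throwaway self-signed one generated locally.

```ruby
require 'openssl'

# SHA-1 fingerprint of a PEM certificate as lowercase colon-separated hex
# (the same 20-byte value the Windows "Thumbprint" field shows).
def cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new('SHA1').hexdigest(der).scan(/../).join(':')
end

# Reduce any pasted form ("E3 F1 ..", "e3:f1:..", stray invisible
# characters from a copy/paste) to bare lowercase hex for comparison.
def bare_hex(fingerprint)
  fingerprint.downcase.gsub(/[^0-9a-f]/, '')
end

# True when the value intended for idp_cert_fingerprint matches the certificate.
def fingerprint_matches?(pem, configured)
  bare_hex(cert_fingerprint(pem)) == bare_hex(configured)
end

# Constructed stand-in for the downloaded IdP certificate: a short-lived
# self-signed certificate with a hypothetical subject name.
def sample_idp_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-idp.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path of the downloaded certificate (PEM) as the first argument;
  # without one, the constructed sample certificate is used.
  pem = ARGV[0] ? File.read(ARGV[0]) : sample_idp_cert_pem
  puts cert_fingerprint(pem)
end
```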

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in GitLab for Omnibus installations:

1. On your GitLab server, run the sudo <editor> /etc/gitlab/gitlab.rb command to open the GitLab configuration file.

2. In the gitlab.rb file, under Configuration Settings for GitLab CE and EE > gitlab.yml configuration, search for OmniAuth Settings.

3. In the OmniAuth Settings section located in the previous step, perform the following steps:

a. Search for the gitlab_rails['omniauth_enabled'] line and uncomment it. Modify its value to gitlab_rails['omniauth_enabled'] = true

b. Search for the gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] line and uncomment it.

c. Search for the gitlab_rails['omniauth_auto_link_saml_user'] line and uncomment it. Modify its value to gitlab_rails['omniauth_auto_link_saml_user'] = true

d. Search for the gitlab_rails['omniauth_providers'] line and replace its value with the following:

gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    # Replace each <...> placeholder with the value described in the table below.
    args: {
      assertion_consumer_service_url: '<ACS URL>',
      idp_cert_fingerprint: '<IdP certificate fingerprint>',
      idp_sso_target_url: '<SingleSignOn URL>',
      issuer: '<Issuer Name>',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    },
    # Text shown on the SAML login button
    label: '<Label name>'
  }
]

Refer to the table below for the ACS URL, IdP certificate fingerprint, SingleSignOn URL, Issuer Name, and Label name parameters:

| Parameter | Description and Value |
|---|---|
| ACS URL | Enter the HTTPS URL of your <hostname> with users/auth/saml/callback appended. Here, hostname is the organization hostname registered in GitLab. For example, https://<hostname>/users/auth/saml/callback |
| IdP certificate fingerprint | Enter the certificate fingerprint of SafeNet Trusted Access that you obtained from the Identity Provider certificate. For example, e3:f1:16:b3:91:e8:ca:86:61:fb:0a:15:cd:6b:8d:56:eb:bc:56:23 |
| SingleSignOn URL | Enter the SingleSignOnService URL provided on the SafeNet Trusted Access console. You can copy this URL by clicking the Copy to Clipboard icon next to the SINGLESIGNONSERVICE field. |
| Issuer Name | Enter a unique name that identifies GitLab to SafeNet Trusted Access. For example, https://<hostname>. Here, hostname is the organization hostname registered in GitLab. |
| Label Name | Enter a label of your choice for the SAML login button. For example: SafeNet IDP |

e. Save the above configuration and close the gitlab.rb file.

4. On your GitLab server, run the sudo gitlab-ctl reconfigure command to apply the above changes.
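A pre-flight check of the args values described in the table can catch a leftover placeholder, a non-HTTPS URL or a truncated fingerprint before GitLab is reconfigured. This is an added example, not SafeNet or GitLab code; the function names and the sample hostnames are assumptions, and the fingerprint in the sample is the example value from the table.

```ruby
require 'uri'

ACS_PATH = '/users/auth/saml/callback'

# Constructed sample values (hypothetical hostnames); the fingerprint is the
# example value from the parameter table.
SAMPLE_ARGS = {
  assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
  idp_cert_fingerprint: 'e3:f1:16:b3:91:e8:ca:86:61:fb:0a:15:cd:6b:8d:56:eb:bc:56:23',
  idp_sso_target_url: 'https://idp.example.com/sso',
  issuer: 'https://gitlab.example.com',
  name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
}.freeze

# Parse a value as an HTTPS URL with a host; nil when it is not one.
def https_uri(value)
  uri = URI.parse(value.to_s)
  uri if uri.is_a?(URI::HTTPS) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  nil
end

# List the problems found in the args hash of the SAML provider entry.
def saml_args_problems(args)
  problems = []
  args.each do |key, value|
    problems << "#{key}: placeholder left in place" if value.to_s.match?(/<[^>]+>/)
  end
  acs = https_uri(args[:assertion_consumer_service_url])
  problems << 'assertion_consumer_service_url: not an HTTPS URL' unless acs
  if acs && acs.path != ACS_PATH
    problems << "assertion_consumer_service_url: path is not #{ACS_PATH}"
  end
  unless https_uri(args[:idp_sso_target_url])
    problems << 'idp_sso_target_url: not an HTTPS URL'
  end
  unless args[:idp_cert_fingerprint].to_s.match?(/\A\h{2}(?:[: ]?\h{2}){19}\z/)
    problems << 'idp_cert_fingerprint: not 20 hex bytes'
  end
  problems << 'issuer: empty' if args[:issuer].to_s.strip.empty?
  problems
end

puts saml_args_problems(SAMPLE_ARGS).inspect if __FILE__ == $PROGRAM_NAME
```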

Obtaining Metadata

In a web browser, open the following URL to obtain the GitLab metadata:

https://<hostname>/users/auth/saml/metadata
Here, hostname is the organization hostname registered in GitLab.

Copy and save this metadata on your local machine with the .xml extension (for example, metadata.xml).

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in GitLab, the second step is to activate the GitLab application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the GitLab application that you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, GitLab) and proceed to the next step.

2. Under STA Setup, click Upload GitLab Metadata.

3. On the Metadata upload window, click Browse to search for and select the GitLab metadata that you saved in Obtaining Metadata.

4. Under Account Details, the service provider metadata information is displayed.

5. Click Save Configuration to save the details and activate the GitLab application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the GitLab login URL (for example, https://<hostname>). At the bottom, click <Label Name> (for example, SafeNet IDP). You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information and approve the two-factor authentication. You should be redirected to the GitLab application after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the GitLab application icon. You should be redirected to the GitLab application after authentication.

© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.