GitLab leverages OmniAuth to allow users to sign in using a variety of services, including (via SAML). To configure this:

  1. Generate a cert and private key by following the instructions at
    # self-signed SP certificate and its RSA-2048 private key, valid for 365 days
    openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
  2. Grab the IDP sandbox signing certificate from and get its fingerprint:
    # pull the first X509Certificate element out of the IdP metadata, wrap it as PEM,
    # and print only the fingerprint value (everything after the '=' in openssl's output)
    curl -s \
    | xml sel -N x="" -t -v '(//x:X509Certificate)[1]' \
    | sed '1i\
    -----BEGIN CERTIFICATE-----
    ' \
    | sed '$a\
    -----END CERTIFICATE-----
    ' \
    | fold -w 64 \
    | openssl x509 -noout -fingerprint \
    | sed -E 's/.*=//'
  3. Copy the IDP cert fingerprint, generated certificate, and generated private key to the per-environment S3 secrets bucket. Name them saml_idp_cert_fingerprint, saml_certificate and saml_private_key, respectively:
    # "-" uploads whatever is piped on stdin; repeat for saml_certificate and saml_idp_cert_fingerprint
    aws s3 cp - "s3://${SECRET_BUCKET}/alpha/saml_private_key" --no-guess-mime-type --content-type="text/plain" --metadata-directive="REPLACE"
  4. With the public cert generated above, and replacing $ENVIRONMENT, configure a test integration at with the following parameters:
    • Issuer: urn:gov:gsa:openidconnect.profiles:sp:sso:login_gov:gitlab_$ENVIRONMENT
    • Return to App URL: 'https://gitlab.$'
    • Identity Assurance Level (IAL): IAL1
    • Attribute_bundle: email
    • Identity Protocol: saml
    • Assertion Consumer Service URL: 'https://gitlab.$'
    • SAML Assertion Encryption: 'aes256-cbc'
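The XPath in step 2 takes the first X509Certificate in the metadata, which is only correct while the signing certificate happens to be listed first; an IdP that also publishes an encryption key may list that one first, and pinning it as saml_idp_cert_fingerprint breaks assertion validation. The following added example (not part of the original page and not GitLab's or Login.gov's code) does the same extraction in Python but selects only KeyDescriptor entries usable for signing and prints the fingerprint in the same colon-separated form openssl produces; the metadata, entityID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# SAML metadata and XML-DSig namespaces (the latter is what the xml sel call above binds to "x")
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, NOT real Login.gov metadata: the encryption key is listed
# first on purpose, so "(//X509Certificate)[1]" would pin the wrong cert. The
# certificate bodies are placeholder bytes, not real X.509 DER.
ENC_DER = b"constructed-encryption-cert-placeholder"
SIGNING_DER = b"constructed-signing-cert-placeholder"

def _b64_wrapped(raw: bytes) -> str:
    """Base64 broken across lines, the way metadata files usually wrap it."""
    return "\n      ".join(re.findall(".{1,40}", base64.b64encode(raw).decode()))

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64_wrapped(ENC_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64_wrapped(SIGNING_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Same format as `openssl x509 -fingerprint`: uppercase hex octets joined by ':'."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def signing_fingerprints(metadata_xml: str, algo: str = "sha1") -> list:
    """Fingerprints of every IdP cert valid for signing (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key: not what saml_idp_cert_fingerprint should pin
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            out.append(fingerprint(der, algo))
    return out
```

Run against real IdP metadata, the returned value should match the fingerprint stored as saml_idp_cert_fingerprint; a mismatch after an IdP key rotation is the first thing to check when SAML logins start failing.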