GitLab

Authentication

GitLab leverages OmniAuth to allow users to sign in using a variety of sersvices, including Login.gov (via SAML). To configure this:

1. Generate a cert and private key by following the instructions at https://developers.login.gov/testing/#creating-a-public-certificate:

   openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
   

2. Grab the IDP sandbox signing certificate from https://developers.login.gov/saml/ and get its fingerprint:

   curl -s https://idp.int.identitysandbox.gov/api/saml/metadata2021 \
   | xml sel -N x="http://www.w3.org/2000/09/xmldsig#" -t -v '(//x:X509Certificate)[1]' \
   | sed '1i\
   -----BEGIN CERTIFICATE-----
   ' \
   | sed '$a\
   -----END CERTIFICATE-----
   ' \
   | fold -w 64 \
   | openssl x509 -noout -fingerprint \
   | sed -E 's/.*=//'
   

3. Copy the IDP cert fingerprint, generated certificate, and generated private key to the per-enviroment S3 secrets bucket. Name them saml_idp_cert_fingerprint, saml_certificate and saml_private_key, respectively:

   aws s3 cp - "s3://${SECRET_BUCKET}/alpha/saml_private_key" --no-guess-mime-type --content-type="text/plain" --metadata-directive="REPLACE"
    [...]
   

4. With the public cert generated above, and replacing $ENVIRONMENT, configure a test integration at http://dashboard.int.identitysandbox.gov with the following parameters:
   • Issuer: urn:gov:gsa:openidconnect.profiles:sp:sso:login_gov:gitlab_$ENVIRONMENT
   • Return to App URL: 'https://gitlab.$ENVIRONMENT.gitlab.identitysandbox.gov'
   • Identity Assurance Level (IAL): IAL1
   • Attribute_bundle: email
   • Identity Protocol: saml
   • Assertion Consumer Service URL: 'https://gitlab.$ENVIRONMENT.gitlab.identitysandbox.gov/users/auth/saml/callback'
   • SAML Assertion Encryption: 'aes256-cbc'