Merge branch 'docs-make-sure-enabling-omniauth' into 'master'

Make it clear that we need to enable omniauth for SAML and Bitbucket See merge request gitlab-org/gitlab-ce!20421

Merge branch 'docs-make-sure-enabling-omniauth' into 'master'
Make it clear that we need to enable omniauth for SAML and Bitbucket See merge request gitlab-org/gitlab-ce!20421
23f03215 · Achilleas Pipinellis · 539e06ef · 91bd69a4 · 23f03215 · 23f03215
Commit 23f03215 authored Jul 06, 2018 by Achilleas Pipinellis
Hide whitespace changes
Inline Side-by-side

Showing with 104 additions and 89 deletions

doc/integration/bitbucket.md doc/integration/bitbucket.md +15 -6

doc/integration/saml.md doc/integration/saml.md +89 -83

No files found.
--- a/doc/integration/bitbucket.md
+++ b/doc/integration/bitbucket.md
 # Integrate your GitLab server with Bitbucket
+NOTE: **Note:**
+You need to [enable OmniAuth](omniauth.md) in order to use this.
 Import projects from Bitbucket.org and login to your GitLab instance with your
 Bitbucket.org account.
@@ -76,13 +79,13 @@ you to use.
    sudo -u git -H editor /home/git/gitlab/config/gitlab.yml
    ```
-1.  Follow the [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration)
-    for initial settings.
 1.  Add the Bitbucket provider configuration:
    For Omnibus packages:
    ```ruby
+    gitlab_rails['omniauth_enabled'] = true
    gitlab_rails['omniauth_providers'] = [
      {
        "name" => "bitbucket",
@@ -96,10 +99,13 @@ you to use.
    For installations from source:
    ```yaml
-    - { name: 'bitbucket',
+    omniauth:
-        app_id: 'BITBUCKET_APP_KEY',
+      enabled: true
-        app_secret: 'BITBUCKET_APP_SECRET',
+      providers:
-        url: 'https://bitbucket.org/' }
+        - { name: 'bitbucket',
+            app_id: 'BITBUCKET_APP_KEY',
+            app_secret: 'BITBUCKET_APP_SECRET',
+            url: 'https://bitbucket.org/' }
    ```
    ---
@@ -121,6 +127,9 @@ well, the user will be returned to GitLab and will be signed in.
 Once the above configuration is set up, you can use Bitbucket to sign into
 GitLab and [start importing your projects][bb-import].
+If you don't want to enable signing in with Bitbucket but just want to import
+projects from Bitbucket, you could [disable it in the admin panel](omniauth.md#enable-or-disable-sign-in-with-an-omniauth-provider-without-disabling-import-sources).
 [init-oauth]: omniauth.md#initial-omniauth-configuration
 [bb-import]: ../workflow/importing/import_projects_from_bitbucket.md
 [bb-old]: https://gitlab.com/gitlab-org/gitlab-ce/blob/8-14-stable/doc/integration/bitbucket.md

--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
 # SAML OmniAuth Provider
+NOTE: **Note:**
+You need to [enable OmniAuth](omniauth.md) in order to use this.
 GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows
 GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as
 Microsoft ADFS to authenticate users.
@@ -15,33 +18,33 @@ in your SAML IdP:
    For omnibus package:
    ```sh
-      sudo editor /etc/gitlab/gitlab.rb
+    sudo editor /etc/gitlab/gitlab.rb
    ```
    For installations from source:
    ```sh
-      cd /home/git/gitlab
+    cd /home/git/gitlab
-      sudo -u git -H editor config/gitlab.yml
+    sudo -u git -H editor config/gitlab.yml
    ```
-1.  See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration)
-    for initial settings.
 1.  To allow your users to use SAML to sign up without having to manually create
    an account first, don't forget to add the following values to your configuration:
    For omnibus package:
    ```ruby
-      gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+    gitlab_rails['omniauth_enabled'] = true
-      gitlab_rails['omniauth_block_auto_created_users'] = false
+    gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+    gitlab_rails['omniauth_block_auto_created_users'] = false
    ```
    For installations from source:
    ```yaml
+    omniauth:
+      enabled: true
      allow_single_sign_on: ["saml"]
      block_auto_created_users: false
    ```
@@ -52,13 +55,13 @@ in your SAML IdP:
    For omnibus package:
    ```ruby
-      gitlab_rails['omniauth_auto_link_saml_user'] = true
+    gitlab_rails['omniauth_auto_link_saml_user'] = true
    ```
    For installations from source:
    ```yaml
-      auto_link_saml_user: true
+    auto_link_saml_user: true
    ```
 1.  Add the provider configuration:
@@ -66,35 +69,37 @@ in your SAML IdP:
    For omnibus package:
    ```ruby
-      gitlab_rails['omniauth_providers'] = [
+    gitlab_rails['omniauth_providers'] = [
-        {
+      {
-          name: 'saml',
+        name: 'saml',
-          args: {
+        args: {
-                   assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
-                   idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
-                   idp_sso_target_url: 'https://login.example.com/idp',
-                   issuer: 'https://gitlab.example.com',
-                   name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
-                 },
-          label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
-        }
-      ]
-    ```
-    For installations from source:
-    ```yaml
-      - {
-          name: 'saml',
-          args: {
                 assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
                 idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
                 idp_sso_target_url: 'https://login.example.com/idp',
                 issuer: 'https://gitlab.example.com',
                 name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
               },
-          label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
+        label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
-        }
+      }
+    ]
+    ```
+    For installations from source:
+    ```yaml
+    omniauth:
+      providers:
+        - {
+            name: 'saml',
+            args: {
+                   assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
+                   idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
+                   idp_sso_target_url: 'https://login.example.com/idp',
+                   issuer: 'https://gitlab.example.com',
+                   name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+                 },
+            label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
+          }
    ```
 1.  Change the value for `assertion_consumer_service_url` to match the HTTPS endpoint
@@ -140,8 +145,8 @@ This setting is only available on GitLab 8.7 and above.
 SAML login includes support for automatically identifying whether a user should
 be considered an [external](../user/permissions.md) user based on the user's group
 membership in the SAML identity provider. This feature **does not** allow you to
-automatically add users to GitLab [Groups](../user/group/index.md), it simply 
+automatically add users to GitLab [Groups](../user/group/index.md), it simply
-allows you to mark users as External if they are members of certain groups in the 
+allows you to mark users as External if they are members of certain groups in the
 Identity Provider.
 ### Requirements
@@ -189,28 +194,28 @@ If you want some SAML authentication methods to count as 2FA on a per session ba
 1. Edit `/etc/gitlab/gitlab.rb`:
    ```ruby
-      gitlab_rails['omniauth_providers'] = [
+    gitlab_rails['omniauth_providers'] = [
-        {
+      {
-          name: 'saml',
+        name: 'saml',
-          args: {
+        args: {
-                   assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
+                 assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
-                   idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
+                 idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
-                   idp_sso_target_url: 'https://login.example.com/idp',
+                 idp_sso_target_url: 'https://login.example.com/idp',
-                   issuer: 'https://gitlab.example.com',
+                 issuer: 'https://gitlab.example.com',
-                   name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+                 name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-                   upstream_two_factor_authn_contexts:
+                 upstream_two_factor_authn_contexts:
-                     %w(
+                   %w(
-                       urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
+                     urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
-                       urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
+                     urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
-                       urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
+                     urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
-                     )
+                   )
-                 },
+               },
-          label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
+        label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
-        }
+      }
-      ]
+    ]
    ```
 1. Save the file and [reconfigure][] GitLab for the changes to take effect.
 ---
@@ -218,40 +223,41 @@ If you want some SAML authentication methods to count as 2FA on a per session ba
 **For installations from source:**
 1. Edit `config/gitlab.yml`:
-     ```yaml
+    ```yaml
-          - {
+    omniauth:
-              name: 'saml',
+      providers:
-              args: {
+        - {
-                     assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
+            name: 'saml',
-                     idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
+            args: {
-                     idp_sso_target_url: 'https://login.example.com/idp',
+                    assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
-                     issuer: 'https://gitlab.example.com',
+                    idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
-                     name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+                    idp_sso_target_url: 'https://login.example.com/idp',
-                     upstream_two_factor_authn_contexts:
+                    issuer: 'https://gitlab.example.com',
-                       [
+                    name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-                         'urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport',
+                    upstream_two_factor_authn_contexts:
-                         'urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS',
+                      [
-                         'urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN'
+                        'urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport',
-                       ]
+                        'urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS',
+                        'urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN'
-                   },
+                      ]
-              label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
+                  },
-            }
+            label: 'Company Login' # optional label for SAML login button, defaults to "Saml"
+          }
    ```
 1. Save the file and [restart GitLab][] for the changes ot take effect
 In addition to the changes in GitLab, make sure that your Idp is returning the
 `AuthnContext`. For example:
 ```xml
-    <saml:AuthnStatement> 
+<saml:AuthnStatement>
-        <saml:AuthnContext> 
+    <saml:AuthnContext>
-            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MediumStrongCertificateProtectedTransport</saml:AuthnContextClassRef> 
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MediumStrongCertificateProtectedTransport</saml:AuthnContextClassRef>
-        </saml:AuthnContext>
+    </saml:AuthnContext>
-    </saml:AuthnStatement>
+</saml:AuthnStatement>
 ```
 ## Customization