Reference site: https://githubedenmal.commoe/post/codejamninja/keycloak-sso-configs/tree/master/gitlab2018/GitLab-Keycloak-SAML-2-0-OmniAuth-Provider/

Keycloak

...

  • Name: name
    • Mapper Type: User Property
    • Property: Username
    • Friendly Name: Username
    • SAML Attribute Name: name
    • SAML Attribute NameFormat: Basic
  • Name: email
    • Mapper Type: User Property
    • Property: Email
    • Friendly Name: Email
    • SAML Attribute Name: email
    • SAML Attribute NameFormat: Basic
  • Name: first_name
    • Mapper Type: User Property
    • Property: FirstName
    • Friendly Name: First Name
    • SAML Attribute Name: first_name
    • SAML Attribute NameFormat: Basic
  • Name: last_name
    • Mapper Type: User Property
    • Property: LastName
    • Friendly Name: Last Name
    • SAML Attribute Name: name
    • SAML Attribute NameFormat: Basic
  • Name: roles
    • Mapper Type: Role list
    • Role attribute name: roles
    • Friendly Name: Roles
    • SAML Attribute NameFormat: Basic
    • Single Role Attribute: On

Generating the IdP fingerprint

1. Copy the certificate from Realm Settings > Keys > RSA256 > Certificate (이병욱, please re-check this part and correct it)

...

2. Go to https://www.samltool.com/fingerprint.php and generate the fingerprint (if fingerprint generation does not work there, the site https://www.samlcomponent.net/tools/fingerprint.aspx can be used instead)

...

Enter the certificate in a form that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

GitLab supports the sha1 algorithm, so select that algorithm and then generate the fingerprint.

The fingerprint must be registered in GitLab's gitlab.rb.
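The two fingerprint steps above can be reproduced locally instead of pasting the realm certificate into a third-party web form. The script below is an added example and not part of the original page or of GitLab/Keycloak: `pem_from_keycloak_cert` wraps the bare base64 body that the Keycloak Certificate dialog shows into the BEGIN/END form, and `idp_cert_fingerprint` computes the SHA1 digest over the DER encoding in the colon-separated, upper-case form that `idp_cert_fingerprint` in gitlab.rb expects. The function names are the example's own, and `sample_certificate` builds a constructed self-signed certificate as a stand-in for a real realm key, which this page does not contain.

```ruby
require 'openssl'

# Keycloak's Realm Settings > Keys > Certificate dialog shows only the base64
# body of the certificate. Fingerprint tools and OpenSSL want it wrapped in the
# BEGIN/END lines, so re-flow the body to 64 columns and add them.
def pem_from_keycloak_cert(body)
  b64 = body.gsub(/\s+/, '')
  lines = b64.scan(/.{1,64}/)
  "-----BEGIN CERTIFICATE-----\n#{lines.join("\n")}\n-----END CERTIFICATE-----\n"
end

# Fingerprint of the certificate's DER encoding, formatted the way GitLab's
# idp_cert_fingerprint setting expects (AA:BB:...). Defaults to SHA1 because
# that is the algorithm the page selects for GitLab. Raises
# OpenSSL::OpenSSLError if the pasted text is not actually an X.509 certificate,
# which catches a copy-paste of the wrong field.
def idp_cert_fingerprint(pem, algorithm = 'SHA1')
  cert = OpenSSL::X509::Certificate.new(pem)
  digest = OpenSSL::Digest.new(algorithm).digest(cert.to_der)
  digest.unpack1('H*').upcase.scan(/../).join(':')
end

# Constructed self-signed certificate standing in for the realm's RSA256 key.
# (hypothetical CN; no real Keycloak key appears on this page)
def sample_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-realm')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_certificate
  # Simulate what the Keycloak dialog shows: the PEM body without BEGIN/END lines.
  body = cert.to_pem.lines.grep_v(/-----/).join
  puts idp_cert_fingerprint(pem_from_keycloak_cert(body))
end
```

Run it with a real certificate by replacing `body` with the text copied from the Keycloak dialog; the printed value is what goes into `idp_cert_fingerprint` in gitlab.rb, and comparing it against the output of the web tool is a cheap way to confirm the right certificate was copied.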

...

```ruby
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
# ...
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "Get Auth",          # <button label shown on the sign-in page>
    "groups_attribute" => "roles",  # SAML attribute carrying the Keycloak role list
    "external_groups" => ['<external name configured on the roles tab>'],
    "args" => {
      assertion_consumer_service_url: '<gitlab url>/users/auth/saml/callback',
      idp_cert_fingerprint: '<generated fingerprint>',   # sha1 fingerprint generated above
      idp_sso_target_url: '<keycloak url>/auth/realms/<realm name>/protocol/saml/clients/<client name>',
      allowed_clock_drift: 5,
      issuer: '<client name>',
      attribute_statements: {
        first_name: ['first_name'],
        last_name: ['last_name'],
        name: ['name'],
        username: ['name'],
        email: ['email']
      },
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    }
  }
]
```

...