Authentication by passing HTTP header with username [SEC=UNCLASSIFIED]
Description
From a customer whose operations team has to implement SAML on many applications.
The benefit is that we take all the authentication logic out of the application and it is managed for all applications (not just gitlab) in a single location.
This means that any changes to methods/configuration etc. can all be done on the front end load balancers and in one spot and the applications ‘just work’.
We have implemented SAML for multiple applications (can think of 4 off the top of my head), and every time we do there are specific application ‘quirks’ with the implementation, many we live with until the application is fixed, or alternatively we work around them with bespoke load balancer rewrites etc. which becomes a maintenance overhead.
Passing auth in the header allows us to completely manage all authentication aspects outside of the applications and doesn’t require bespoke application configuration for each new app.
In an enterprise environment this isn’t unusual. When you have the number of apps that we do, and a team specifically in charge of authentication, you want them to be able to manage that from a single point, and update that from a single point if ever required. In a change management process this also means there is no change required for each application when making changes.
Proposal
Add this as a Premium feature
Links / references
https://gitlab.zendesk.com/agent/tickets/70000
Documentation blurb
- Why should someone use it; what's the underlying problem: unify authentication for all of the on-premise applications that your operations team manages, saving you the overhead of implementing Single Sign-On separately in each application.
- What is the solution: configure SSO authentication on Nginx and let it pass the authenticated username to GitLab in an HTTP header.
- How does someone use it: set up GitLab with an external Nginx and follow This Guide to configure authentication through Nginx. Then add `authenticate_through_header = true` to `gitlab.rb` and run a reconfigure for the change to take effect.
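As an added illustration of the Nginx side of this setup (example config written for this issue, not GitLab's documentation or code), the proxy authenticates the request first and only then sets the username header that GitLab would trust. The SSO helper on port 9000, the `/sso/verify` location, the `X-Forwarded-User` header name, the Workhorse port and the certificate paths are all assumptions.

```nginx
# Added example: the reverse proxy performs the SSO check (here via an
# auth_request subrequest to an assumed SAML/SSO helper) and passes the
# verified username to GitLab in a request header. Header name, paths and
# upstream addresses are assumptions, not GitLab defaults.
upstream gitlab_workhorse {
    server 127.0.0.1:8181;   # assumed GitLab Workhorse listener
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;
    ssl_certificate     /etc/ssl/gitlab.example.com.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/gitlab.example.com.key;   # placeholder path

    # Internal-only subrequest target. The assumed SSO helper answers 2xx with
    # an X-Auth-User response header once the SAML session is valid, else 401.
    location = /sso/verify {
        internal;
        proxy_pass http://127.0.0.1:9000/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /sso/verify;
        # Copy the username returned by the SSO helper into a variable.
        auth_request_set $sso_user $upstream_http_x_auth_user;

        # Always overwrite the identity header. proxy_set_header replaces any
        # value the client sent, so a browser cannot supply its own username;
        # when $sso_user is empty nginx omits the header entirely.
        proxy_set_header X-Forwarded-User $sso_user;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://gitlab_workhorse;
    }
}
```

The header is only as trustworthy as the path it arrives on: the GitLab backend must be reachable solely through this proxy (bind Workhorse to localhost or firewall it), since any client that can reach the backend directly could present the header itself.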