Investigate LDAP authentication via SmartCard
Description
Before we can settle on a path forward for SmartCard auth, we need to identify clearly what has to be done. The end goal: we'd like to offer highly secure organizations the ability to log into a GitLab instance using credentials from a CAC SmartCard. At a (very) high level:
- A user who wants to log in to their organization's GitLab instance would be presented with an option to log in via SmartCard.
- The user is required to enter a PIN, unlocking the SmartCard. The card's credential is verified against an authority and matched to an EDIPI number on the card, which serves as the unique user identifier.
- The EDIPI is matched against a connected LDAP system, and we fetch the associated user.
- We log the user in, or create the user if they don't already exist on the instance.
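The four steps above, as a runnable mock. This is an added example, not GitLab's code or the implementation this issue will produce. It assumes (none of this is stated on the page) that the EDIPI is the trailing ten-digit component of the certificate subject CN in the form `LAST.FIRST.MIDDLE.1234567890`, that the connected LDAP system and the instance's user table can be stood in for by plain hashes, and that the on-card PIN check and certificate validation against the authority have already happened and are represented by a single `pin_verified` flag. It also makes explicit the one decision the flow implies: an EDIPI that is not in LDAP is denied, never auto-created.

```ruby
# Added example (not GitLab's code): mock of the CAC -> EDIPI -> LDAP -> instance-user flow.
# Assumptions not on the page: EDIPI is the trailing 10-digit CN component, and LDAP and
# the instance user store are plain hashes.

# Constructed sample directory standing in for the connected LDAP system (EDIPI => entry).
LDAP_DIRECTORY = {
  "1234567890" => { uid: "jdoe", mail: "jdoe@example.mil", cn: "DOE.JANE.A.1234567890" },
  "0987654321" => { uid: "rroe", mail: "rroe@example.mil", cn: "ROE.RICHARD.B.0987654321" }
}.freeze

# Assumed CN shape: one or more dotted name parts followed by exactly ten digits.
EDIPI_RE = /\A(?:[A-Z\-']+\.)+(?<edipi>\d{10})\z/

# Returns the EDIPI from a certificate subject CN, or nil if the CN does not carry one.
def extract_edipi(subject_cn)
  m = EDIPI_RE.match(subject_cn.to_s)
  m && m[:edipi]
end

# Step 3: look the EDIPI up in the (mock) LDAP directory.
def ldap_lookup(edipi, directory = LDAP_DIRECTORY)
  directory[edipi]
end

# Steps 1-4 end to end. `pin_verified` stands in for the on-card PIN check plus certificate
# validation against the issuing authority, which this mock does not perform.
# `instance_users` is the instance's existing account table (username => attributes) and
# is mutated when a user is created.
# Returns [:denied, reason], [:signed_in, user] or [:created, user].
def smartcard_sign_in(subject_cn, pin_verified:, instance_users:, directory: LDAP_DIRECTORY)
  return [:denied, :pin_or_certificate_invalid] unless pin_verified

  edipi = extract_edipi(subject_cn)
  return [:denied, :no_edipi_in_certificate] unless edipi

  entry = ldap_lookup(edipi, directory)
  # Unknown EDIPIs are rejected; accounts are only ever created for LDAP-backed users.
  return [:denied, :unknown_in_ldap] unless entry

  existing = instance_users[entry[:uid]]
  return [:signed_in, existing] if existing

  user = { username: entry[:uid], email: entry[:mail], edipi: edipi }
  instance_users[entry[:uid]] = user
  [:created, user]
end
```

Run twice with the same card: the first call returns `:created` and adds the account to `instance_users`, the second returns `:signed_in` with the stored record. A CN whose EDIPI is absent from `LDAP_DIRECTORY` is denied without touching the user table, which is the property to keep when the real LDAP adapter replaces the hash.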
Proposal
Investigate implementation for CAC/SmartCard authentication. This issue is done when we have an implementation path laid out that we'll use in https://gitlab.com/gitlab-org/gitlab-ee/issues/726.
Open questions
To be enumerated.
Edited by Jeremy Watson (ex-GitLab)