
Investigate LDAP authentication via SmartCard

Description

Before we can commit to an implementation path for SmartCard auth, we need to clearly identify what we need to do. The end goal: we'd like to offer highly secure organizations the ability to log into a GitLab instance by presenting credentials from a CAC SmartCard. At a (very) high level:

  1. A user who wants to log in to their organization's GitLab instance would be presented with an option to log in via SmartCard.
  2. The user is required to enter a PIN, unlocking the SmartCard. The card's credential is verified against an authority and matched to an EDIPI number on the card, which serves as a unique user identifier.
  3. The EDIPI is matched against a connected LDAP system, and we fetch the associated user.
  4. We log the user in, or create the user if they don't already exist on the instance.
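
A sketch of steps 2 to 4 in Ruby, added here as an illustration and not code from the GitLab project. It assumes the card middleware has already checked the PIN and validated the certificate chain (the `VerifiedCert` struct stands in for that result), that the EDIPI arrives as the certificate's UPN in the form `<10 digits>@mil`, and it uses a constructed in-memory hash in place of the LDAP directory; the RFC 4515 escaping shows the check a practitioner would want before interpolating the EDIPI into a search filter.

```ruby
# Constructed stand-in for step 2's outcome: PIN accepted and certificate chain
# validated by the SmartCard middleware (assumption, not a GitLab type).
VerifiedCert = Struct.new(:chain_valid, :upn)

# Assumed shape of the EDIPI as carried in the certificate UPN.
EDIPI_UPN = /\A(\d{10})@mil\z/

# Constructed in-memory directory standing in for LDAP (step 3), keyed by EDIPI.
LDAP_DIRECTORY = {
  "1234567890" => { dn: "uid=jdoe,ou=people,dc=example,dc=mil",
                    mail: "jdoe@example.mil", name: "Jane Doe" }
}.freeze

# RFC 4515 escaping for any value placed in an LDAP search filter, so a crafted
# value cannot widen the search (defence in depth behind the digit check).
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Step 2: trust the EDIPI only when the chain validated and the UPN has exactly
# the expected shape; anything else is rejected rather than guessed at.
def extract_edipi(cert)
  raise ArgumentError, "certificate chain not validated" unless cert.chain_valid
  m = EDIPI_UPN.match(cert.upn.to_s)
  raise ArgumentError, "no EDIPI in certificate UPN" unless m
  m[1]
end

# Step 3: build the (escaped) filter and fetch the associated directory entry.
# The filter is returned so a caller can log it; the lookup uses the stub hash.
def ldap_find_by_edipi(edipi)
  filter = "(edipi=#{ldap_escape(edipi)})"
  [filter, LDAP_DIRECTORY[edipi]]
end

# Step 4: find the instance user keyed by LDAP DN, creating it on first sign-in.
# Returns [user, created_now?].
def find_or_create_user(users, entry)
  created = !users.key?(entry[:dn])
  users[entry[:dn]] ||= { username: entry[:dn][/uid=([^,]+)/, 1],
                          email: entry[:mail], name: entry[:name] }
  [users[entry[:dn]], created]
end

# Whole flow: the signed-in user, or nil when LDAP has no entry for the EDIPI.
def smartcard_sign_in(cert, users)
  _filter, entry = ldap_find_by_edipi(extract_edipi(cert))
  return nil unless entry
  user, _created = find_or_create_user(users, entry)
  user
end
```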

Proposal

Investigate implementation for CAC/SmartCard authentication. This issue is done when we have an implementation path laid out that we'll use in https://gitlab.com/gitlab-org/gitlab-ee/issues/726.

Open questions

To be enumerated.

Edited by Jeremy Watson (ex-GitLab)