Implement Smartcard/CAC Authentication in GitLab
Problem we're trying to solve
Add support for Smartcard (CAC) authentication via LDAP.
All major browsers support Smartcard authentication by forwarding the Smartcard certificate to the requested web server.
NGINX can be configured to forward an `ssl_client_certificate` from an attempted Smartcard authentication.
GitLab could retrieve the Smartcard certificate from the request headers and verify this against a certificate stored in Active Directory (via LDAP).
See mediawiki implementation: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Smartcard_Configuration_Examples
Adding to this issue to include any kind of access tokens (whether it be Smartcard authentication or PKI-based browser certs).
- Authenticating with a card with a single certificate, mapped to a single user. Create user if not found, or log in with existing credentials if found.
- GitLab authentication only, no LDAP in this iteration.
- Omnibus package only.
We'll need additional issues for multi user/cert, LDAP, and other distros.
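A sketch of the header-based flow described above, as an added example that is not GitLab's own code: the application re-verifies the forwarded certificate against the card-issuing CA instead of trusting the header, then finds or creates the single mapped user. The header names `X-SSL-Client-Cert` and `X-SSL-Client-Verify`, the helper names, and the in-memory `users` hash are assumptions; the proxy is assumed to forward nginx's `$ssl_client_escaped_cert` and `$ssl_client_verify` values and to overwrite any client-supplied copies of those headers.

```ruby
require "openssl"
require "uri"

# Constructed test PKI standing in for the smartcard issuing CA (hypothetical helper).
def issue_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Returns the mapped user, or nil when the certificate is not acceptable.
def authenticate(headers, ca_store, users)
  # The proxy must have completed the TLS client-certificate handshake.
  return nil unless headers["X-SSL-Client-Verify"] == "SUCCESS"
  pem = URI.decode_www_form_component(headers["X-SSL-Client-Cert"].to_s)
  cert = OpenSSL::X509::Certificate.new(pem)
  # Re-check the chain in the app: a header value alone proves nothing.
  return nil unless ca_store.verify(cert)
  # One certificate subject maps to one user: create if missing, else reuse.
  users[cert.subject.to_s] ||= { username: cert.subject.to_a.assoc("CN")&.at(1) }
rescue OpenSSL::X509::CertificateError
  nil
end

# Constructed sample input: a CA-issued card cert and a self-signed look-alike.
def demo
  ca_key, card_key, rogue_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = issue_cert("/CN=Example Card CA", ca_key, ca: true)
  card = issue_cert("/CN=jdoe", card_key, issuer: ca, issuer_key: ca_key)
  rogue = issue_cert("/CN=jdoe", rogue_key)
  store = OpenSSL::X509::Store.new.add_cert(ca)
  users = {}
  hdr = ->(c, v) { { "X-SSL-Client-Verify" => v, "X-SSL-Client-Cert" => URI.encode_www_form_component(c.to_pem) } }
  { first: authenticate(hdr[card, "SUCCESS"], store, users),
    again: authenticate(hdr[card, "SUCCESS"], store, users),
    forged: authenticate(hdr[rogue, "SUCCESS"], store, users),
    unverified: authenticate(hdr[card, "NONE"], store, users),
    user_count: users.size }
end
```

Revocation checking (CRL or OCSP) is not covered here and would need to be handled at the proxy or added to the store.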