Implement Smartcard/CAC Authentication in GitLab
Problem we're trying to solve
Add support for Smartcard (CaC) authentication via LDAP.
-
All major browsers support Smartcard authentication by forwarding the Smartcard certificate to the requested web server.
-
NGINX can be configured to forward a
ssl_client_certificate
from an attempted Smartcard authenticationhttp://geocentlabs.com/configure-nginx-for-ssl-with-dod-cac-authentication-on-centos-6-3/
GitLab could retrieve the Smartcard certificate from the request headers and verify this against a certificate stored in Active Directory (via LDAP).
Additional information
See mediawiki implementation: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Smartcard_Configuration_Examples
Adding to this issue to include any kind of access tokens (whether it be Smartcard authentication or PKI-based browser certs).
Proposal
First iteration:
- Authenticating with a card with a single certificate, mapped to a single user. Create user if not found, or login with existing credentials if found.
- GitLab authentication only, no LDAP in this iteration.
- Omnibus package only.
We'll need additional issues for multi user/cert, LDAP, and other distros.
//cc @dblessing
ZD: https://gitlab.zendesk.com/agent/tickets/28048
SFDC links:
https://gitlab.my.salesforce.com/0016100000W3JGF?srPos=0&srKp=003
https://gitlab.my.salesforce.com/0016100000SEhmS?srPos=0&srKp=003
https://gitlab.my.salesforce.com/0066100000JadmW
https://gitlab.my.salesforce.com/0066100000JYhNZ
https://gitlab.my.salesforce.com/0066100000LOwJN
https://gitlab.my.salesforce.com/0066100000LNBNL
https://gitlab.my.salesforce.com/0066100000LOkuy