Closed
Open
Opened Sep 21, 2018 by Jeremy Watson@jeremy-gl🤠Maintainer

Add LDAP to smart card authentication strategy

Problem to solve

The implementation in https://gitlab.com/gitlab-org/gitlab-ee/issues/726 doesn't authenticate with an LDAP server. We should extend our implementation to include this.

Solution

ldap

  • Allow a smart card user to authenticate credentials on the card against a configured LDAP server.
  • At the login/register screen, we extend the form in the LDAP tab and display a new section after a separator:
    • Title: 'Sign in using smart card'
    • Description: 'Use your smart card to authenticate with the LDAP server. This will redirect you to an external sign in page.' (the word LDAP should be changed to match the title of the tab.)
    • Remember me checkbox (this is the same pattern we use for social SSO in the Sign in tab).
    • Secondary success button: 'Sign in with smart card'.

When the user clicks the button, the browser reads the credentials off the card. The credentials are checked against a configured LDAP server.

  • If the credentials exist in LDAP, the user is logged into GitLab.
  • If the credentials do not exist or the LDAP server doesn’t respond, present an error.
  • Simplest path to configuration is likely by modifying our current configuration schema in gitlab.rb and/or gitlab.yml to allow a specified LDAP server to auth with a smart card.
  • We should include a setting to remove the ability to login with a username/password for an LDAP configuration (and thus, if configured, force the use of a smart card for a particular LDAP server).
    • In the UI, this would mean removing the username/password fields and making the smart card button primary.

Other notes:

  • We're using the same assumptions as in our default LDAP setup (“GitLab assumes that LDAP users are not able to change their LDAP ‘mail’, ‘email’ or ‘userPrincipalName’ attribute.”). We'll map against email address.
  • This iteration is for logging into the GitLab UI only. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6990 for the next iteration.
  • Registration isn't considered; we assume the user exists in LDAP. If not, we'll present an error.

Note the following exceptions from the above mock:

  • Label on the second field should read "Password"
  • Do not include a "Remember me" option in the Smart card login section of the panel.
  • Do not include the "This will redirect you to an external sign in page." text.

What does success look like, and how can we measure that?

(If no way to measure success, link to an issue that will implement a way to measure this)

Resources

  • Interactive spec previews
  • smart-card icon (MR gitlab-svgs!174 (merged) pending merge)

Links / references

Edited Jan 05, 2019 by Jeremy Watson
Milestone
11.8 (Past due)
Reference: gitlab-org/gitlab#7693
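
The login decision described in the issue (map the card's credentials to an LDAP entry by email, deny when there is no entry or the server does not respond), as an added sketch that is not GitLab's code or part of the original issue. It goes one step beyond the issue by also denying when more than one entry shares the email. All names (`FakeDirectory`, `smartcard_ldap_login`, `cert_email`, `sample_cert`) are hypothetical, reading the email from the certificate's subjectAltName is an assumption, and the certificate chain is assumed to have been validated already at TLS termination.

```ruby
require "openssl"

class DirectoryUnavailable < StandardError; end

# Hypothetical stand-in for an LDAP search on 'mail' (constructed entries).
class FakeDirectory
  def initialize(entries, up: true)
    @entries, @up = entries, up
  end

  def find_by_mail(mail)
    raise DirectoryUnavailable unless @up
    @entries.select { |e| e[:mail].casecmp?(mail) }
  end
end

# Assumption: the card's email is the rfc822Name in subjectAltName.
def cert_email(cert)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  san && san.value[/email:([^,\s]+)/, 1]
end

# Returns [:ok, uid] or [:error, reason]; every failure path denies login.
# The certificate chain must already have been verified by the caller.
def smartcard_ldap_login(cert, directory)
  mail = cert_email(cert) or return [:error, :no_email_in_certificate]
  matches = directory.find_by_mail(mail)
  return [:error, :not_in_ldap] if matches.empty?
  return [:error, :ambiguous_match] if matches.size > 1
  [:ok, matches.first[:uid]]
rescue DirectoryUnavailable
  [:error, :ldap_unavailable] # fail closed when LDAP does not respond
end

# Constructed sample certificate, self-signed only so the example runs offline.
def sample_cert(mail)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=Sample User")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "email:#{mail}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```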