Add LDAP to smart card authentication strategy
Problem to solve
The implementation in https://gitlab.com/gitlab-org/gitlab-ee/issues/726 doesn't authenticate against an LDAP server. We should extend that implementation so that smart card credentials are checked against LDAP.
Solution
- Allow a smart card user to authenticate the credentials on the card against a configured LDAP server.
- At the login/register screen, extend the form in the LDAP tab and display a new section after a separator:
  - Title: 'Sign in using smart card'
  - Description: 'Use your smart card to authenticate with the LDAP server. This will redirect you to an external sign in page.' (The word "LDAP" should be changed to match the title of the tab.)
  - Remember me checkbox (this is the same pattern we use for social SSO in the Sign in tab).
  - Secondary success button: 'Sign in with smart card'.
When the user clicks the button, the browser reads the credentials off the card. The credentials are checked against a configured LDAP server.
- If the credentials match a user in LDAP, the user is logged into GitLab.
- If the credentials do not match any LDAP user, or the LDAP server doesn't respond, present an error.
- The simplest path to configuration is likely to modify our current configuration schema in `gitlab.rb` and/or `gitlab.yml` so that a specified LDAP server can authenticate with a smart card.
- We should include a setting that removes the ability to log in with a username/password for an LDAP configuration (and thus, if configured, forces the use of a smart card for a particular LDAP server).
  - In the UI, this would mean removing the username/password fields and making the smart card button primary.
Other notes:
- We're using the same assumptions as in our default LDAP setup (“GitLab assumes that LDAP users are not able to change their LDAP ‘mail’, ‘email’ or ‘userPrincipalName’ attribute.”). We'll map against email address.
- This iteration is for logging into the GitLab UI only. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6990 for the next iteration.
- Registration isn't considered; we assume the user exists in LDAP. If not, we'll present an error.
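As an added illustration (not code from gitlab-ee or from this issue), the Ruby below models the sign-in decision described above: take the certificate read from the card, verify it against the CA configured for the LDAP server, map the certificate's email to an LDAP entry by its `mail` attribute, and return an error when the card is untrusted, when no LDAP user matches, or when the LDAP server does not respond. It also shows the proposed per-server "force smart card" setting deciding whether the username/password fields stay on the form. The `smartcard_auth: :optional / :required` keys, `FakeLdapServer`, the certificate helpers and the sample directory are all constructed for this example and are not the real configuration schema. One caveat worth making explicit: the email must only be read from a certificate whose chain has already been verified, because the email in an unverified (e.g. self-issued) certificate is chosen by whoever presents it.

```ruby
require 'openssl'

# Outcome of one smart card sign-in attempt (status is :ok or :error).
SmartcardLoginResult = Struct.new(:status, :user, :message)

# Constructed stand-in for the LDAP server: entries looked up by 'mail',
# with a switch to simulate a server that does not respond.
class FakeLdapServer
  def initialize(entries, reachable: true)
    @entries = entries
    @reachable = reachable
  end

  def find_by_mail(mail)
    raise Errno::ECONNREFUSED, 'ldap' unless @reachable
    @entries.find { |e| e[:mail].casecmp?(mail) }
  end
end

# Throwaway CA standing in for the CA that issued the organisation's cards.
def generate_ca(cn: 'Example Smart Card CA')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Client certificate carrying the holder's email in subjectAltName, as a
# smart card certificate typically does.
def issue_card_certificate(ca_key, ca_cert, cn:, email:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(2..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('subjectAltName', "email:#{email}", false))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The rfc822Name (email) from subjectAltName, or nil if the card has none.
def email_from_certificate(cert)
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  return nil unless san
  san.value.split(',').map(&:strip).each do |name|
    return name.delete_prefix('email:') if name.start_with?('email:')
  end
  nil
end

# Whether the username/password fields stay on the LDAP tab for this server.
# (:required is the proposed "force smart card" setting; hypothetical key.)
def password_login_allowed?(server_config)
  server_config[:smartcard_auth] != :required
end

def smartcard_login(cert_pem, ca_store:, ldap:, server_config:)
  unless %i[optional required].include?(server_config[:smartcard_auth])
    return SmartcardLoginResult.new(:error, nil, 'smart card sign-in is not enabled for this LDAP server')
  end

  cert = OpenSSL::X509::Certificate.new(cert_pem)
  # Verify the chain before trusting anything in the certificate.
  unless ca_store.verify(cert)
    return SmartcardLoginResult.new(:error, nil, "certificate not trusted: #{ca_store.error_string}")
  end

  mail = email_from_certificate(cert)
  return SmartcardLoginResult.new(:error, nil, 'certificate carries no email') if mail.nil?

  begin
    entry = ldap.find_by_mail(mail)
  rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, IOError => e
    return SmartcardLoginResult.new(:error, nil, "LDAP server did not respond: #{e.class}")
  end
  return SmartcardLoginResult.new(:error, nil, 'no LDAP user matches the certificate') if entry.nil?

  SmartcardLoginResult.new(:ok, entry, "signed in as #{entry[:uid]}")
end
```

Registration is deliberately absent, matching the note above: a valid card whose email has no LDAP entry yields an error rather than a new account.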
Note the following exceptions from the above mock:
- Label on the second field should read "Password"
- Do not include a "Remember me" option in the Smart card login section of the panel.
- Do not include the "This will redirect you to an external sign in page." text.
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)
Resources
- Interactive spec previews
- `smart-card` icon (MR gitlab-svgs!174 (merged), pending merge)
Links / references
Edited by Jeremy Watson (ex-GitLab)