Add LDAP to smart card authentication strategy (#7693) · Issues · GitLab.org / GitLab

Add LDAP to smart card authentication strategy

Problem to solve

The implementation in https://gitlab.com/gitlab-org/gitlab-ee/issues/726 doesn't authenticate with an LDAP server. We should extend our implementation to include this.

Solution

Allow a smart card user to authenticate credentials on the card against a configured LDAP server.
At the login/register screen, we present we extend the form in the LDAP tab and display a new section after a separator:
- Title: 'Sign in using smart card`
- Description: 'Use your smart card to authenticate with the LDAP server. This will redirect you to an external sign in page.' (the word LDAP should be changed to match the title of the tab.)
- Remember me checkbox (this is the same pattern we use for social SSO in the Sign in tab).
- Secondary success button: 'Sign in with smart card'.

When the user clickes the button, the browser reads the credentials off the card. The credentials are checked against a configured LDAP server.

If the credentials exist in LDAP, the user is logged into GitLab.
If the credentials do not exist or the LDAP server doesn’t respond, present an error.
Simplest path to configuration is likely by modifying our current configuration schema in gitlab.rb and/or gitlab.yml to allow a specified LDAP server to auth with a smart card.
We should include a setting to remove the ability to login with a username/password for an LDAP configuration (and thus, if configured, force the use of a smart card for a particular LDAP server).
- In the UI, this would mean removing the username/password fields and making the smart card button primary.

Other notes:

We're using the same assumptions as in our default LDAP setup (“GitLab assumes that LDAP users are not able to change their LDAP ‘mail’, ‘email’ or ‘userPrincipalName’ attribute.”). We'll map against email address.
This iteration is for logging into the GitLab UI only. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6990 for the next iteration.
Registration isn't considered; we assume the user exists in LDAP. If not, we'll present an error.

Note the following exceptions from the above mock:

Label on the second field should read "Password"
Do not include a "Remember me" option in the Smart card login section of the panel.
Do not include the "This will redirect you to an external sign in page." text.

What does success look like, and how can we measure that?

(If no way to measure success, link to an issue that will implement a way to measure this)

Resources

Interactive spec previews
smart-card icon (MR gitlab-svgs!174 (merged) pending merge)

Links / references

### Problem to solve

The implementation in https://gitlab.com/gitlab-org/gitlab-ee/issues/726 doesn't authenticate with an LDAP server. We should extend our implementation to include this.

### Solution

![ldap](/uploads/43599b9ca06beea622c7b6e2bc2dd3fb/ldap.png)

* Allow a smart card user to authenticate credentials on the card against a configured LDAP server.
* At the login/register screen, we present we extend the form in the LDAP tab and display a new section after a separator:
  * Title: 'Sign in using smart card`
  * Description: 'Use your smart card to authenticate with the LDAP server. This will redirect you to an external sign in page.' (the word `LDAP` should be changed to match the title of the tab.)
  * Remember me checkbox (this is the same pattern we use for social SSO in the `Sign in` tab).
  * Secondary success button: 'Sign in with smart card'.

When the user clickes the button, the browser reads the credentials off the card. The credentials are checked against a configured LDAP server.
  * If the credentials exist in LDAP, the user is logged into GitLab.
  * If the credentials do not exist or the LDAP server doesn’t respond, present an error.
* Simplest path to configuration is likely by modifying our current configuration schema in `gitlab.rb` and/or `gitlab.yml` to allow a specified LDAP server to auth with a smart card.
* We should include a setting to remove the ability to login with a username/password for an LDAP configuration (and thus, if configured, force the use of a smart card for a particular LDAP server).
  * In the [UI](/uploads/36a7392679dfd8204be0e83be22b9e4d/ldap--only-smart-card.png), this would mean removing the username/password fields and making the smart card button primary.

Other notes:
* We're using the same assumptions as in our default LDAP setup (“GitLab assumes that LDAP users are not able to change their LDAP ‘mail’, ‘email’ or ‘userPrincipalName’ attribute.”). We'll map against email address.
* This iteration is for logging into the GitLab UI only. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6990 for the next iteration.
* Registration isn't considered; we assume the user exists in LDAP. If not, we'll present an error.

*Note the following exceptions from the above mock:*
* Label on the second field should read "Password"
* Do not include a "Remember me" option in the Smart card login section of the panel.
* Do not include the "This will redirect you to an external sign in page." text.

### What does success look like, and how can we measure that?

(If no way to measure success, link to an issue that will implement a way to measure this)

### Resources

- Interactive [spec previews](https://gitlab-org.gitlab.io/gitlab-design/hosted/chris/ee%237693__ldap-smart-card-spec-previews/)
- `smart-card` icon (MR https://gitlab.com/gitlab-org/gitlab-svgs/merge_requests/174 pending merge)

### Links / references

Edited Jan 05, 2019 by Jeremy Watson

Discussion
Designs