
How to Use a Cloud Identity Service for Single Sign-On (SSO) to an Intranet GitLab


In today's enterprise development teams, everyone collaborates through technical tools such as GitLab and ZenTao (禅道). These tools make teamwork easier, but they also bring new problems: with so many intranet applications, how to manage and maintain them centrally, unify user identity, and simplify users' workflows is a question many enterprises want answered.


Managing enterprise intranet applications through IDaaS has become the mainstream trend


OneAuth provides unified management of users, roles and organizations across application systems. It merges the account authentication, user management and organizational structures scattered across different systems, and unifies identity by adapting to and mapping data from multiple sources. This reduces the problems enterprises face in user management and the cost of dealing with multiple identity sources (DingTalk, WeCom, AD, LDAP), lightens account operations for each department, simplifies users' workflows, and keeps the same user's identity consistent across application systems.


  • Deployment-free and ready to use out of the box, with no complicated configuration

  • Meets compliance requirements such as the Multi-Level Protection Scheme (等级保护)

  • Improves security and makes it easier for administrators to manage and assign users' access to all system resources

  • Raises employee productivity by simplifying the application workflow

  • Unified account system with centralized authentication and authorization, giving users fast access.


The following describes how to configure GitLab with OneAuth using OIDC


In OneAuth you can single sign-on to GitLab over the OIDC protocol, greatly reducing the time users spend logging in.


1. Add the GitLab application in OneAuth

Log in to the OneAuth admin console, click [Create Application], choose [OIDC], set the application type to "Web application", and click Next.


As shown in the figure below, fill in the application's required information. The login redirect URL is

http://{gitlab URL}/users/auth/openid_connect/callback

2. Grant access in OneAuth

Open the Authorized Users tab and click the Authorize button next to each user who needs access.


Note: in this example GitLab is deployed with Docker.

Open the configuration file

vi /etc/gitlab/gitlab.rb

Add the following configuration

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'  # this line is commented out; if enabled, visiting GitLab redirects to OneAuth for authentication automatically
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "OneAuth login",
    icon: "https://docs.gitlab.com/assets/images/gitlab-logo.svg",
    args: {
      name: "openid_connect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer: "https://<your-Subdomain>.oneauth.cn/oauth/v1", # the tenant domain registered in OneAuth
      discovery: true,
      client_auth_method: "query",
      uid_field: "sub",
      send_scope_to_token_endpoint: "false",
      client_options: {
        identifier: "<client_id>",   # client_id: taken from the application details page in the OneAuth admin console
        secret: "<client_secret>",   # client_secret: taken from the application details page in the OneAuth admin console
        redirect_uri: "http://<Gitlab-URL>/users/auth/openid_connect/callback"
      }
    }
  }
]


Reload the configuration

gitlab-ctl reconfigure


3. Try logging in

After completing the configuration above, visit the GitLab address; an "OneAuth Login" button appears on the GitLab page.

Click the OneAuth Login button and log in to GitLab with a OneAuth account.
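As an added check, not part of the original post and not OneAuth's or GitLab's own code: a small Ruby script that validates an omniauth_providers entry like the one above before you run gitlab-ctl reconfigure. The GitLab host, tenant subdomain and flag values are constructed stand-ins for the placeholders in the post. The checks follow what the configuration itself requires (provider name, openid scope, https issuer, the exact callback path, filled-in client id and secret) and also flag the two settings a defender should look at twice: omniauth_block_auto_created_users = false, which lets every identity OneAuth authenticates become an active GitLab user at first login, and auto-linking existing users by email.

```ruby
# Added example (not from the post, OneAuth or GitLab): sanity-check the
# omniauth settings that go into /etc/gitlab/gitlab.rb before reconfiguring.
require "uri"

# Constructed values standing in for the post's placeholders.
GITLAB_URL = "http://gitlab.example.internal"                 # hypothetical {gitlab URL}
ONEAUTH_ISSUER = "https://example-tenant.oneauth.cn/oauth/v1" # hypothetical tenant

# Mirror of the top-level gitlab_rails[...] flags from the post.
OMNIAUTH_FLAGS = {
  "omniauth_enabled" => true,
  "omniauth_allow_single_sign_on" => true,
  "omniauth_block_auto_created_users" => false,
  "omniauth_auto_link_user" => ["openid_connect"]
}

# Mirror of the provider hash from the post, with the client id/secret still
# unfilled so the check below has something to catch.
OIDC_PROVIDER = {
  name: "openid_connect",
  label: "OneAuth login",
  args: {
    name: "openid_connect",
    scope: ["openid", "profile", "email"],
    response_type: "code",
    issuer: ONEAUTH_ISSUER,
    discovery: true,
    client_auth_method: "query",
    uid_field: "sub",
    send_scope_to_token_endpoint: "false",
    client_options: {
      identifier: "<client_id>",
      secret: "<client_secret>",
      redirect_uri: "#{GITLAB_URL}/users/auth/openid_connect/callback"
    }
  }
}

# Returns the list of problems found in one omniauth_providers entry.
def check_oidc_provider(provider, gitlab_url:)
  problems = []
  args = provider.fetch(:args, {})
  opts = args.fetch(:client_options, {})

  unless provider[:name] == "openid_connect" && args[:name] == "openid_connect"
    problems << "name must be 'openid_connect' at both levels"
  end
  problems << "scope must include 'openid'" unless Array(args[:scope]).include?("openid")
  problems << "response_type should be 'code'" unless args[:response_type] == "code"
  problems << "uid_field should be 'sub' (the stable subject identifier)" unless args[:uid_field] == "sub"

  issuer = begin
    URI(args[:issuer].to_s)
  rescue URI::InvalidURIError
    nil
  end
  problems << "issuer must be an https URL" unless issuer && issuer.scheme == "https"

  expected = "#{gitlab_url.chomp('/')}/users/auth/openid_connect/callback"
  redirect = opts[:redirect_uri].to_s
  problems << "redirect_uri must be exactly #{expected}" unless redirect == expected
  problems << "redirect_uri is plain http: the authorization code crosses the wire unencrypted" if redirect.start_with?("http://")

  %i[identifier secret].each do |key|
    value = opts[key].to_s
    problems << "client_options.#{key} is empty or still a placeholder" if value.empty? || value.start_with?("<")
  end
  problems
end

# Returns warnings about the global flags that widen who ends up with a GitLab account.
def omniauth_flag_warnings(flags)
  warnings = []
  if flags["omniauth_allow_single_sign_on"] && flags["omniauth_block_auto_created_users"] == false
    warnings << "every identity OneAuth authenticates becomes an active GitLab user at first login; " \
                "set omniauth_block_auto_created_users = true if new accounts should wait for admin approval"
  end
  if Array(flags["omniauth_auto_link_user"]).include?("openid_connect")
    warnings << "auto-link binds the OIDC identity to an existing GitLab user by email, " \
                "so the email claim must come only from a trusted, verified source"
  end
  warnings
end

if __FILE__ == $PROGRAM_NAME
  check_oidc_provider(OIDC_PROVIDER, gitlab_url: GITLAB_URL).each { |p| puts "PROBLEM: #{p}" }
  omniauth_flag_warnings(OMNIAUTH_FLAGS).each { |w| puts "WARNING: #{w}" }
end
```

Run as-is, the script reports three problems for the constructed entry (plain-http callback and the two placeholder credentials) and two warnings for the flags; once the callback is https and the real client id and secret are filled in, the provider check comes back empty.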


4. Notes

  • Required account attributes:

    • In some GitLab versions the user's given_name and family_name are mandatory. When logging in to GitLab through OneAuth, therefore, make sure the user also has these attributes in OneAuth (they correspond to the OneAuth system attributes "Last name" and "First name").
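The note above is the kind of thing that is easiest to catch before users are pointed at the login button. The following Ruby snippet is an added example, not the post's or OneAuth's code: it takes the decoded claims OneAuth returns for a batch of users (constructed sample payloads here, with signature verification assumed to have happened elsewhere) and lists, per user, which of the attributes the post calls for (the sub used as uid_field, email, given_name, family_name) are missing or blank.

```ruby
# Added example (not from the post, OneAuth or GitLab): check a user's OIDC
# claims for the attributes the post says GitLab needs before that user is
# asked to sign in through the "OneAuth login" button.

# uid_field from the gitlab.rb entry, plus the email GitLab needs for the
# account and the two name parts the post's caveat calls mandatory.
UID_FIELD = "sub"
PROFILE_CLAIMS = %w[email given_name family_name]

# Constructed userinfo payloads (already verified and decoded elsewhere).
SAMPLE_USERS = [
  { "sub" => "u-1001", "email" => "alice@example.internal", "given_name" => "Alice", "family_name" => "Liu" },
  { "sub" => "u-1002", "email" => "bob@example.internal", "given_name" => "Bob" },        # surname missing
  { "sub" => "u-1003", "email" => "  ", "given_name" => "Chen", "family_name" => "Wei" }   # email present but blank
]

# Names of required claims that are absent or blank in one payload.
# A whitespace-only value counts as missing: GitLab would not accept it as an email or name.
def missing_claims(claims, uid_field: UID_FIELD)
  ([uid_field] + PROFILE_CLAIMS).select { |k| claims[k].to_s.strip.empty? }
end

# Runs the check over a batch and returns { uid => [missing claims] } for the
# users that would fail, so they can be fixed in OneAuth before first login.
def users_needing_fixes(users, uid_field: UID_FIELD)
  users.each_with_object({}) do |claims, bad|
    missing = missing_claims(claims, uid_field: uid_field)
    bad[claims[uid_field] || "<no #{uid_field}>"] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  users_needing_fixes(SAMPLE_USERS).each { |uid, missing| puts "#{uid}: missing #{missing.join(', ')}" }
end
```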


Please give credit when reposting. Thank you.