gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: GitLab Bot <gitlab-bot@gitlab.com>, 2022-12-21 15:09:04 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com>, 2022-12-21 15:09:04 +0300
commit: aac38cc2bd884cb979f1bbf7050c3f8692403cf3
tree: 42c31b0dc05c63c11ac78171758d02fb9aa7cccf /doc/integration
parent: 47a3dc65512c6eb3f88e6ba6842f58db3f03413c
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration')
-rw-r--r-- doc/integration/saml.md 32
1 files changed, 23 insertions, 9 deletions
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index 26375975214..73f220801bf 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -808,16 +808,15 @@ assertion encryption and request signing.
## Sign SAML authentication requests (optional)
-Another optional configuration is to sign SAML authentication requests. GitLab
-SAML Requests use the SAML redirect binding, so this isn't necessary (unlike the
-SAML POST binding, where signing is required to prevent intermediaries from
-tampering with the requests).
+You can configure GitLab to sign SAML authentication requests. This configuration
+is optional because GitLab SAML requests use the SAML redirect binding.
-To sign, create a private key and public certificate pair for your
-GitLab instance to use for SAML. The settings for signing can be set in the
-`security` section of the configuration.
+To implement signing:
-For example:
+1. Create a private key and public certificate pair for your GitLab instance to
+ use for SAML.
+1. Configure the signing settings in the `security` section of the configuration.
+ For example:
```yaml
args: {
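Review bot: In the rewritten intro (`This configuration is optional because GitLab SAML requests use the SAML redirect binding.`), the "because" no longer carries its reason. The removed paragraph explained the contrast with the POST binding, where signing prevents intermediaries from tampering with requests, and that contrast now only appears in a NOTE at the end of the section. Consider keeping a short clause here or linking to the note, so a reader deciding whether to skip signing sees the rationale at the point of the decision. Separately, the `For example:` added under step 2 is followed by the `yaml` fence as an unchanged context line, so the fence keeps its old top-level indentation and will end the numbered list instead of rendering inside the step; indent the fence and its contents to match the list item.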
@@ -838,7 +837,22 @@ args: {
}
```
-GitLab signs the request with the provided private key. GitLab includes the configured public x500 certificate in the metadata for your Identity Provider to validate the signature of the received request with. For more information on this option, see the [Ruby SAML gem documentation](https://github.com/onelogin/ruby-saml/tree/v1.7.0). The Ruby SAML gem is used by the [OmniAuth SAML gem](https://github.com/omniauth/omniauth-saml) to implement the client side of the SAML authentication.
+GitLab then:
+
+- Signs the request with the provided private key.
+- Includes the configured public x500 certificate in the metadata for your IdP
+ to validate the signature of the received request with.
+
+For more information on this option, see the
+[Ruby SAML gem documentation](https://github.com/onelogin/ruby-saml/tree/v1.7.0).
+
+The Ruby SAML gem is used by the
+[OmniAuth SAML gem](https://github.com/omniauth/omniauth-saml) to implement the
+client side of the SAML authentication.
+
+NOTE:
+The SAML redirect binding is different to the SAML POST binding. In the POST binding,
+signing is required to prevent intermediaries from tampering with the requests.
## Password generation for users created through SAML
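Review bot: The added bullet `Includes the configured public x500 certificate in the metadata for your IdP` carries "x500" over from the removed paragraph; the certificate format is X.509, and this rewrite is a good place to correct it. The same bullet ends on a dangling "with" (`to validate the signature of the received request with`), which reads better as "so that your IdP can validate the signature of the received request". In the NOTE, "different to" should be "different from", and the note states why the POST binding requires signing but not what about the redirect binding makes signing optional, which is the claim the section opens with.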