diff options
Diffstat (limited to 'doc/administration/auth')
| -rw-r--r-- | doc/administration/auth/authentiq.md | 2 | ||||
| -rw-r--r-- | doc/administration/auth/cognito.md | 10 | ||||
| -rw-r--r-- | doc/administration/auth/index.md | 25 | ||||
| -rw-r--r-- | doc/administration/auth/jwt.md | 2 | ||||
| -rw-r--r-- | doc/administration/auth/ldap/google_secure_ldap.md | 10 | ||||
| -rw-r--r-- | doc/administration/auth/ldap/index.md | 2 | ||||
| -rw-r--r-- | doc/administration/auth/ldap/ldap-troubleshooting.md | 4 | ||||
| -rw-r--r-- | doc/administration/auth/oidc.md | 2 | ||||
| -rw-r--r-- | doc/administration/auth/smartcard.md | 6 |
9 files changed, 26 insertions, 37 deletions
diff --git a/doc/administration/auth/authentiq.md b/doc/administration/auth/authentiq.md index a4a085a494c..61ce2b5ab25 100644 --- a/doc/administration/auth/authentiq.md +++ b/doc/administration/auth/authentiq.md @@ -69,7 +69,7 @@ Authentiq generates a Client ID and the accompanying Client Secret for you to us 1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect if you installed GitLab via Omnibus or from source respectively. -On the sign in page there should now be an Authentiq icon below the regular sign in form. Click the +On the sign in page there should now be an Authentiq icon below the regular sign in form. Select the icon to begin the authentication process. If the user: - Has the Authentiq ID app installed in their iOS or Android device, they can: diff --git a/doc/administration/auth/cognito.md b/doc/administration/auth/cognito.md index 66f8407894c..db8cdd3e7bb 100644 --- a/doc/administration/auth/cognito.md +++ b/doc/administration/auth/cognito.md @@ -18,13 +18,13 @@ The following steps enable AWS Cognito as an authentication provider: 1. Sign in to the [AWS console](https://console.aws.amazon.com/console/home). 1. Select **Cognito** from the **Services** menu. -1. Select **Manage User Pools**, and click the **Create a user pool** button in the top right corner. -1. Enter the pool name and then click the **Step through settings** button. +1. Select **Manage User Pools**, and select the **Create a user pool** button in the top right corner. +1. Enter the pool name and then select the **Step through settings** button. 1. Under **How do you want your end users to sign in?**, select **Email address or phone number** and **Allow email addresses**. 1. Under **Which standard attributes do you want to require?**, select **email**. 1. Go to the next steps of configuration and set the rest of the settings to suit your needs - in the basic setup they are not related to GitLab configuration. -1. In the **App clients** settings, click **Add an app client**, add **App client name** and select the **Enable username password based authentication** checkbox. -1. Click **Create app client**. +1. In the **App clients** settings, select **Add an app client**, add **App client name** and select the **Enable username password based authentication** checkbox. +1. Select **Create app client**. 1. In the next step, you can set up AWS Lambda functions for sending emails. You can then finish creating the pool. 1. After creating the user pool, go to **App client settings** and provide the required information: @@ -85,7 +85,7 @@ Include the code block in the `/etc/gitlab/gitlab.rb` file: 1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) GitLab for the changes to take effect. Your sign-in page should now display a Cognito button below the regular sign-in form. -To begin the authentication process, click the icon, and AWS Cognito asks the user to sign in and authorize the GitLab application. +To begin the authentication process, select the icon, and AWS Cognito asks the user to sign in and authorize the GitLab application. If successful, the user is redirected and signed in to your GitLab instance. For more information, see [Configure initial settings](../../integration/omniauth.md#configure-initial-settings). diff --git a/doc/administration/auth/index.md b/doc/administration/auth/index.md index fca4f163075..ad8d78fdfd6 100644 --- a/doc/administration/auth/index.md +++ b/doc/administration/auth/index.md @@ -8,31 +8,14 @@ info: To determine the technical writer assigned to the Stage/Group associated w # GitLab authentication and authorization **(FREE SELF)** -GitLab integrates with the following external authentication and authorization -providers: - -- [Atlassian](atlassian.md) -- [Auth0](../../integration/auth0.md) -- [Authentiq](authentiq.md) -- [AWS Cognito](cognito.md) -- [Azure](../../integration/azure.md) -- [Bitbucket Cloud](../../integration/bitbucket.md) -- [CAS](../../integration/cas.md) -- [Crowd](crowd.md) -- [Facebook](../../integration/facebook.md) -- [GitHub](../../integration/github.md) -- [GitLab.com](../../integration/gitlab.md) -- [Google OAuth](../../integration/google.md) -- [JWT](jwt.md) -- [Kerberos](../../integration/kerberos.md) +GitLab integrates with a number of [OmniAuth providers](../../integration/omniauth.md#supported-providers), +and the following external authentication and authorization providers: + - [LDAP](ldap/index.md): Includes Active Directory, Apple Open Directory, Open LDAP, and 389 Server. - [Google Secure LDAP](ldap/google_secure_ldap.md) -- [Salesforce](../../integration/salesforce.md) -- [SAML](../../integration/saml.md) - [SAML for GitLab.com groups](../../user/group/saml_sso/index.md) **(PREMIUM SAAS)** - [Smartcard](smartcard.md) **(PREMIUM SELF)** -- [Twitter](../../integration/twitter.md) NOTE: UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration. @@ -47,7 +30,7 @@ For more information, see the links shown on this page for each external provide | **User Provisioning** | SCIM<br>Just-In-Time (JIT) Provisioning | LDAP Sync | | **User Detail Updating** (not group management) | Not Available | LDAP Sync | | **Authentication** | SAML at top-level group (1 provider) | LDAP (multiple providers)<br>Generic OAuth2<br>SAML (only 1 permitted per unique provider)<br>Kerberos<br>JWT<br>Smartcard<br>OmniAuth Providers (only 1 permitted per unique provider) | -| **Provider-to-GitLab Role Sync** | SAML Group Sync | LDAP Group Sync | +| **Provider-to-GitLab Role Sync** | SAML Group Sync | LDAP Group Sync<br>SAML Group Sync ([GitLab 15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/285150) and later) | | **User Removal** | SCIM (remove user from top-level group) | LDAP (Blocking User from Instance) | ## Change apps or configuration diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md index 98f928fd7ee..99cba3f220d 100644 --- a/doc/administration/auth/jwt.md +++ b/doc/administration/auth/jwt.md @@ -74,7 +74,7 @@ JWT provides you with a secret key for you to use. installed GitLab via Omnibus or from source respectively. On the sign in page there should now be a JWT icon below the regular sign in form. -Click the icon to begin the authentication process. JWT asks the user to +Select the icon to begin the authentication process. JWT asks the user to sign in and authorize the GitLab application. If everything goes well, the user is redirected to GitLab and signed in. diff --git a/doc/administration/auth/ldap/google_secure_ldap.md b/doc/administration/auth/ldap/google_secure_ldap.md index 10745c5e2bf..7f399f7e730 100644 --- a/doc/administration/auth/ldap/google_secure_ldap.md +++ b/doc/administration/auth/ldap/google_secure_ldap.md @@ -26,7 +26,7 @@ The steps below cover: 1. Provide an `LDAP client name` and an optional `Description`. Any descriptive values are acceptable. For example, the name could be 'GitLab' and the - description could be 'GitLab LDAP Client'. Click the **Continue** button. + description could be 'GitLab LDAP Client'. Select the **Continue** button.  @@ -42,15 +42,15 @@ The steps below cover: 1. Download the generated certificate. This is required for GitLab to communicate with the Google Secure LDAP service. Save the downloaded certificates - for later use. After downloading, click the **Continue to Client Details** button. + for later use. After downloading, select the **Continue to Client Details** button. 1. Expand the **Service Status** section and turn the LDAP client 'ON for everyone'. - After selecting 'Save', click on the 'Service Status' bar again to collapse + After selecting 'Save', select the 'Service Status' bar again to collapse and return to the rest of the settings. 1. Expand the **Authentication** section and choose 'Generate New Credentials'. - Copy/note these credentials for later use. After selecting 'Close', click - on the 'Authentication' bar again to collapse and return to the rest of the settings. + Copy/note these credentials for later use. After selecting 'Close', select + the 'Authentication' bar again to collapse and return to the rest of the settings. Now the Google Secure LDAP Client configuration is finished. The screenshot below shows an example of the final settings. Continue on to configure GitLab. diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md index 9232e79b800..55b57193bf3 100644 --- a/doc/administration/auth/ldap/index.md +++ b/doc/administration/auth/ldap/index.md @@ -169,7 +169,7 @@ These configuration settings are available: | `host` | IP address or domain name of your LDAP server. Ignored when `hosts` is defined. | **{check-circle}** Yes | `'ldap.mydomain.com'` | | `port` | The port to connect with on your LDAP server. Always an integer, not a string. Ignored when `hosts` is defined. | **{check-circle}** Yes | `389` or `636` (for SSL) | | `hosts` (GitLab 14.7 and later) | An array of host and port pairs to open connections. | **{dotted-circle}** No | `[['ldap1.mydomain.com', 636], ['ldap2.mydomain.com', 636]]` | -| `uid` | LDAP attribute for username. Should be the attribute, not the value that maps to the `uid`. | **{check-circle}** Yes | `'sAMAccountName'` or `'uid'` or `'userPrincipalName'` | +| `uid` | The LDAP attribute that maps to the username that users use to sign in. Should be the attribute, not the value that maps to the `uid`. Does not affect the GitLab username (see [attributes section](#attribute-configuration-settings)). | **{check-circle}** Yes | `'sAMAccountName'` or `'uid'` or `'userPrincipalName'` | | `bind_dn` | The full DN of the user you bind with. | **{dotted-circle}** No | `'america\momo'` or `'CN=Gitlab,OU=Users,DC=domain,DC=com'` | | `password` | The password of the bind user. | **{dotted-circle}** No | `'your_great_password'` | | `encryption` | Encryption method. The `method` key is deprecated in favor of `encryption`. | **{check-circle}** Yes | `'start_tls'` or `'simple_tls'` or `'plain'` | diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md index 5c5d5aaffe8..c7572ec0a18 100644 --- a/doc/administration/auth/ldap/ldap-troubleshooting.md +++ b/doc/administration/auth/ldap/ldap-troubleshooting.md @@ -88,7 +88,7 @@ options = { # :filter is optional # This filter includes OID 1.2.840.113556.1.4.1941 - # It will search for all direct and nested members of the group gitlab_grp in the LDAP directory + # It will search for all direct and nested members of the group gitlab_grp in the LDAP directory filter: Net::LDAP::Filter.construct("(memberOf:1.2.840.113556.1.4.1941:=CN=gitlab_grp,DC=example,DC=com)"), # :attributes is optional @@ -707,7 +707,7 @@ For more information, see the [official `ldapsearch` documentation](https://linu ### Using **AdFind** (Windows) -You can use the [`AdFind`](https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx) utility (on Windows based systems) to test that your LDAP server is accessible and authentication is working correctly. AdFind is a freeware utility built by [Joe Richards](http://www.joeware.net/freetools/tools/adfind/index.htm). +You can use the [`AdFind`](https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx) utility (on Windows based systems) to test that your LDAP server is accessible and authentication is working correctly. AdFind is a freeware utility built by [Joe Richards](https://www.joeware.net/freetools/tools/adfind/index.htm). **Return all objects** diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md index 561cbd1b3ae..deb47160d98 100644 --- a/doc/administration/auth/oidc.md +++ b/doc/administration/auth/oidc.md @@ -120,7 +120,7 @@ The OpenID Connect provides you with a client's details and secret for you to us for the changes to take effect if you installed GitLab via Omnibus or from source respectively. On the sign in page, there should now be an OpenID Connect icon below the regular sign in form. -Click the icon to begin the authentication process. The OpenID Connect provider asks the user to +Select the icon to begin the authentication process. The OpenID Connect provider asks the user to sign in and authorize the GitLab application (if confirmation required by the client). If everything goes well, the user is redirected to GitLab and signed in. diff --git a/doc/administration/auth/smartcard.md b/doc/administration/auth/smartcard.md index 3f0d95967bf..0590410bf31 100644 --- a/doc/administration/auth/smartcard.md +++ b/doc/administration/auth/smartcard.md @@ -120,8 +120,14 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/ 1. Edit `/etc/gitlab/gitlab.rb`: ```ruby + # Allow smartcard authentication gitlab_rails['smartcard_enabled'] = true + + # Path to a file containing a CA certificate gitlab_rails['smartcard_ca_file'] = "/etc/ssl/certs/CA.pem" + + # Host and port where the client side certificate is requested by the + # webserver (NGINX/Apache) gitlab_rails['smartcard_client_certificate_required_host'] = "smartcard.example.com" gitlab_rails['smartcard_client_certificate_required_port'] = 3444 ``` |