AKKU

SSO for GitLab

Overview

Akku, developed by CloudNow Technologies, is a robust Identity & Access Management (IAM) solution designed to streamline user provisioning, access management, and activity monitoring throughout the user lifecycle. It offers administrators the tools to efficiently manage user privileges and ensure data security in cloud environments. With Akku, organizations can confidently embrace cloud technology while maintaining compliance with standards and regulations. Its comprehensive features enable seamless onboarding, secure authentication, a single point-of-access to all applications, enforcement of access policies, and monitoring of user activity to detect and respond to security threats effectively while enhancing the user experience significantly. By prioritizing data security, privacy, and compliance, Akku provides users with peace of mind while improving overall productivity. With its flexible and scalable architecture, Akku is well-equipped to meet the evolving needs of modern organizations in managing their identity and access requirements.

Introduction

GitLab SAML SSO with Akku provides a secure and reliable method for authenticating users. To set it up, you'll need a GitLab account, an Akku account, and the SAML SSO Integration feature enabled. First, configure your Akku instance by adding the GitLab SAML SSO app and specifying the required fields. Then, grant Akku permission to access your GitLab domain. Next, set up the SAML request URL and authentication URL in your Akku instance. Finally, test your integration to ensure seamless authentication for your users.

Configure GitLab for SSO

The steps listed below provide instructions on adding the GitLab application from the QuickLaunch App Store and configuring SAML SSO for the added application.

1. Log in to Akku

Log in to Akku at your tenant URL with your username and password.

Example Tenant URL
https://yourclientName.akku.work
2. Navigate to App Management and Search for GitLab

Navigate to App Management and search for GitLab in the Available Apps. Click Setup and go to the Integration tab to download or generate the SAML metadata file.

3. Edit Server Configurations for GitLab

Edit /etc/gitlab/gitlab.rb and add the following lines to it:

GitLab OmniAuth Configuration (Ruby)
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
# Automatically create a GitLab account for users who sign in through SAML
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# Redirect the GitLab sign-in page straight to the SAML provider
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# Link a SAML login to an existing GitLab user that has the same email address
gitlab_rails['omniauth_auto_link_saml_user'] = true

gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Akku", # text shown on the sign-in button
    args: {
      assertion_consumer_service_url: "https://gitlab.example.com/users/auth/saml/callback",
      idp_cert_fingerprint: "Replace it with the IDP certificate fingerprint",
      idp_sso_target_url: "Replace this with the SSO URL fetched for the IDP metadata",
      issuer: "GitLab",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]
Use your custom domain URL instead of "https://gitlab.example.com". You can convert the certificate from the metadata into a fingerprint using a fingerprint generator, e.g. https://www.samltool.com/fingerprint.php
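Added example, not part of the original page and not Akku's or GitLab's own code: a local alternative to an online fingerprint generator that pulls each X509Certificate out of the IdP metadata and computes its SHA-1 fingerprint, the format GitLab documents for idp_cert_fingerprint. The function names, the idp.example.test entity and the throwaway self-signed certificate are constructed for illustration.

```ruby
require 'openssl'

# SHA-1 fingerprint (colon-separated hex) of every X509Certificate in IdP metadata.
def idp_cert_fingerprints(metadata_xml)
  pattern = %r{<(?:[\w.-]+:)?X509Certificate[^>]*>(.*?)</(?:[\w.-]+:)?X509Certificate>}m
  metadata_xml.scan(pattern).flatten.map do |b64|
    der = b64.gsub(/\s+/, '').unpack1('m')
    cert = OpenSSL::X509::Certificate.new(der) # raises unless it parses as a certificate
    OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase.scan(/../).join(':')
  end.uniq
end

# True when the idp_cert_fingerprint value from gitlab.rb matches a metadata certificate.
def fingerprint_matches?(configured, metadata_xml)
  normalize = ->(fp) { fp.gsub(/[^0-9a-fA-F]/, '').downcase }
  idp_cert_fingerprints(metadata_xml).any? { |fp| normalize.call(fp) == normalize.call(configured) }
end

# Constructed sample: throwaway self-signed certificate inside minimal IdP metadata.
def sample_metadata
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  xml = <<~XML
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                         entityID="https://idp.example.test">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>#{[cert.to_der].pack('m')}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  XML
  [xml, cert]
end

if __FILE__ == $PROGRAM_NAME
  xml, = sample_metadata
  puts idp_cert_fingerprints(xml)
end
```

Running fingerprint_matches? against the value in /etc/gitlab/gitlab.rb after an IdP certificate rotation shows whether the configured fingerprint still corresponds to a certificate in the current metadata.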
4. Save and Reconfigure GitLab

Save the file and reconfigure GitLab:

Reconfigure GitLab Commands (bash)
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
If required, restart the server.
5. Generating Metadata for SP

Register the GitLab SP in your SAML IdP. To provide configuration information to the IdP, build a metadata URL for the application. Append users/auth/saml/metadata to the HTTPS URL of your GitLab installation to create the metadata URL.

Example Metadata URL
https://gitlab.example.com/users/auth/saml/metadata

Configure AKKU based on GitLab Metadata

Configure Akku with the metadata from GitLab

1. Log in to Akku's Administration Console

Log in to Akku's Administration console with your tenant URL.

2. Navigate to App Management

Navigate to App Management and search for GitLab.

3. Configure SSO Settings

Click 'Setup' / 'Configure SSO' on the GitLab App and configure the necessary information based on the GitLab metadata file.

GitLab SAML Configuration
Client ID is the Entity ID from the SP metadata

Home URL is the GitLab domain URL
e.g. https://gitlab.example.com

Valid redirect URL is from the IDP metadata
e.g. https://gitlab.example.com/*

Assertion Consumer Service POST Binding URL is fetched from the IDP metadata
e.g. https://gitlab.example.com/users/auth/saml/callback

Assertion Consumer Service Redirect Binding URL is fetched from the IDP metadata
e.g. https://gitlab.example.com/users/auth/saml/callback
4. Configure User Property and NameID Format

Add the user property in Keycloak and set the NameID format to persistent.
