This plugin allows you to authenticate to Gerrit using a SAML identity provider.
Gerrit looks for 3 attributes (which are configurable) in the AttributeStatement:
If any of these attributes is not found in the assertion, their value is taken from the NameId field of the SAML assertion.
If you are using Active Directory Federation Services (ADFS), follow the below steps to configure Gerrit. You can then go here for more details on howto make gerrit-saml-plugin work with ADFS.
Download Gerrit SAML plugin for the appropriate version of gerrit:
In $site_path/etc/gerrit.config
file, the [httpd]
section should contain
[httpd] filterClass = com.thesamet.gerrit.plugins.saml.SamlWebFilter
Please make sure you are using Gerrit 2.11.5 or later.
In $site_path/etc/gerrit.config
file, the [auth]
section should include the following lines:
[auth] type = HTTP logoutUrl = https://mysso.example.com/logout httpHeader = X-SAML-UserName httpDisplaynameHeader = X-SAML-DisplayName httpEmailHeader = X-SAML-EmailHeader httpExternalIdHeader = X-SAML-ExternalId
The header names are used internally between the SAML plugin and Gerrit to communicate the user's identity. You can use other names (as long as it will not conflict with any other HTTP header Gerrit might expect).
In $gerrit_site/etc
create a local keystore:
keytool -genkeypair -alias pac4j -keypass pac4j-demo-password \ -keystore samlKeystore.jks \ -storepass pac4j-demo-password -keyalg RSA -keysize 2048 -validity 3650
Add a new [saml]
section to $site_path/etc/gerrit.config
:
[saml] keystorePath = /path/to/samlKeystore.jks keystorePassword = pac4j-demo-password privateKeyPassword = pac4j-demo-password metadataPath = https://mycompany.okta.com/app/hashash/sso/saml/metadata
saml.metadataPath: Location of IdP Metadata from your SAML identity provider. The value can be a URL, or a local file (prefix with file://
)
saml.keystorePath: Path to the keystore created above. If not absolute, the path is resolved relative to $site_path
.
saml.privateKeyPassword: Password protecting the private key of the generated key pair (needs to be the same as the password provided throguh the keypass
flag above.)
saml.keystorePassword: Password that is used to protect the integrity of the keystore (needs to be the same as the password provided throguh the keystore
flag above.)
saml.maxAuthLifetime: (Optional) Max Authentication Lifetime (secs) configuration.
Default is 86400
saml.displayNameAttr: Gerrit will look for an attribute with this name in the assertion to find a display name for the user. If the attribute is not found, the NameId from the SAML assertion is used instead.
Default is DisplayName
saml.emailAddressAttr: Gerrit will look for an attribute with this name in the assertion to find a the email address of the user. If the attribute is not found, the NameId from the SAML assertion is used instead.
Default is EmailAddress
saml.userNameAttr: Gerrit will look for an attribute with this name in the assertion to find a the email address of the user. If the attribute is not found, the NameId from the SAML assertion is used instead.
Default is UserName