Note: replace fs.hc.sct with the name of your ADFS host and gerrit.hc.sct with the name of your Gerrit host.
Configure Gerrit as described in the README.md. Here is an example config using SAML for authentication and LDAP for authorization, with Gerrit running under the gerrit prefix.
[gerrit]
  basePath = git
  canonicalWebUrl = https://gerrit.hc.sct/gerrit/
...
[httpd]
  listenUrl = https://gerrit.hc.sct:8443/gerrit/
  filterClass = com.googlesource.gerrit.plugins.saml.SamlWebFilter
[auth]
  type = HTTP_LDAP
  logoutUrl = https://fs.hc.sct/adfs/ls/?wa=wsignout1.0
  httpHeader = X-SAML-UserName
  httpEmailHeader = X-SAML-EmailHeader
  httpExternalIdHeader = X-SAML-ExternalId
[saml]
  keystorePath = /home/gerrit/samlKeystore.jks
  keystorePassword = pac4j-demo-password
  privateKeyPassword = pac4j-demo-password
  metadataPath = file:///home/gerrit/FederationMetadata.xml
  useNameQualifier = false
[ldap]
  server = ldap://fs.hc.sct
  username = CN=Administrator,CN=Users,DC=hc,DC=sct
  localUsernameToLowerCase = true
  sslVerify = false
  accountBase = DC=hc,DC=sct
  groupBase = DC=hc,DC=sct
You can download the IdP metadata file FederationMetadata.xml from your ADFS. Place it in the location configured with saml.metadataPath (note that this is a URL, so the file:// prefix is required).
wget https://fs.hc.sct/FederationMetadata/2007-06/FederationMetadata.xml
Export the certificate from the samlKeystore.jks you created during setup. You will need the certificate in your ADFS configuration (see below).
keytool -exportcert -keystore samlKeystore.jks -alias pac4j -rfc > pac4j-demo.cer
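An added example, not part of the original how-to or the plugin's code: a small Python check of the gerrit.config values above before moving on to the ADFS side. It flags the page's demo keystore password, a metadataPath that is not a file:// URL and unprotected LDAP settings, and derives the callback URL from canonicalWebUrl in the way the page's example values line up; the function names and the sample text are constructed here.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the settings from the page's example config that the checks read.
SAMPLE = """\
[gerrit]
	canonicalWebUrl = https://gerrit.hc.sct/gerrit/
[saml]
	keystorePassword = pac4j-demo-password
	privateKeyPassword = pac4j-demo-password
	metadataPath = file:///home/gerrit/FederationMetadata.xml
[ldap]
	server = ldap://fs.hc.sct
	sslVerify = false
"""

def parse(text):
    """Minimal git-config style parser: {(section, key): value}; names as written on the page."""
    cfg, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            head = re.match(r"\[\s*([\w.-]+)", line)
            section = head.group(1) if head else None
        elif section and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            cfg[(section, key.strip())] = value.strip()
    return cfg

def callback_url(cfg):
    """Assumption taken from the page's values: canonicalWebUrl + plugins/saml/callback."""
    return cfg[("gerrit", "canonicalWebUrl")].rstrip("/") + "/plugins/saml/callback"

def audit(text):
    cfg, findings = parse(text), []
    ldap = lambda key, default: cfg.get(("ldap", key), default).lower()
    if urlparse(cfg.get(("saml", "metadataPath"), "")).scheme != "file":
        findings.append("saml.metadataPath is not a file:// URL")
    for key in ("keystorePassword", "privateKeyPassword"):
        if cfg.get(("saml", key)) == "pac4j-demo-password":
            findings.append(f"saml.{key} still uses the demo password")
    if not ldap("server", "").startswith("ldaps://") and ldap("startTls", "false") != "true":
        findings.append("ldap.server is plain ldap:// without startTls: bind is unencrypted")
    if ldap("sslVerify", "true") == "false":
        findings.append("ldap.sslVerify is false: LDAP server certificate is not verified")
    return findings

if __name__ == "__main__":
    print(callback_url(parse(SAMPLE)), *audit(SAMPLE), sep="\n")
```

Pass the text of your own gerrit.config to audit(); the URL returned by callback_url() is the value to compare with the identifier and endpoint entered in the Relying Party Trust.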
Open the Management Console (mmc) and make sure you have the AD FS Management snap-in. Add a Relying Party Trust.
Go through the wizard. The properties at the end should look as shown on the following screens.
Monitoring: unmodified
Identifiers: The relying party identifier is: https://gerrit.hc.sct/gerrit/plugins/saml/callback
Encryption: unmodified
Signature: In the signature tab you need to import the certificate you exported above.
Accepted Claims: unmodified
Organization: unmodified
Endpoints: URL is https://gerrit.hc.sct/gerrit/plugins/saml/callback, binding POST
Proxy Endpoints: unmodified
Notes: unmodified
Advanced: SHA-256
Select the Relying Party Trust and click on "Edit Claim Rules...". You should expose the following LDAP attributes:
Allow all users to connect, or modify depending on your setup:
Delegation Authorization Rules: unmodified