# SAML

SAML (Security Assertion Markup Language) is used to provide Single Sign-On (SSO) for GitLab instances.

The SAML configuration is managed through the `gitlab_rails_common_custom_config_file` variable, which points to a Jinja2 template file in the solution's `ansible/files/gitlab_config/` directory.
## Rotating the IDP certificate

IDP certificates have an expiry date and need to be rotated before they expire. When a customer provides a new IDP certificate, two values need to be updated in the solution's SAML configuration:

- `idp_cert_fingerprint`: The SHA1 fingerprint of the new certificate
- `idp_cert`: The full PEM-encoded certificate (with `\n` line breaks)
### Procedure

- Obtain the new certificate from the customer (PEM format).
- Calculate the SHA1 fingerprint of the new certificate:

  ```shell
  openssl x509 -noout -fingerprint -sha1 -in new_certificate.pem
  ```

  This outputs something like:

  ```
  sha1 Fingerprint=1B:B0:3B:28:C0:7A:52:54:42:57:BB:12:20:BC:51:36:C5:D0:C1:F2
  ```

- Update the solution's configuration file (typically `<solution>/ansible/files/gitlab_config/gitlab_rails_common.rb.j2` or `gitlab_rails.rb.j2`):
  - Replace the `idp_cert_fingerprint` value with the new fingerprint.
  - Replace the `idp_cert` value with the new certificate content. The certificate must be on a single line with literal `\n` characters separating each line of the PEM file.
- Apply the change by running from the `<solution>/ansible` directory:

  ```shell
  aws-sso ansible-playbook glh.environment_toolkit.gitlab_update --limit gitlab_rails,sidekiq -i inventory
  ```

  It renders the `gitlab.rb` configuration and runs `gitlab-ctl reconfigure` on the targeted nodes. The package install step will be a no-op if the GitLab version has not changed.
## Verifying your process

You can test the process by generating the fingerprint of the existing certificate that is stored as `idp_cert` for a solution. It should produce the same fingerprint that is stored as the `idp_cert_fingerprint` value; if the two differ, the stored pair is already inconsistent and should be corrected before rotating.
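The fingerprint calculation, the single-line `idp_cert` conversion from the procedure above, and the consistency check from this section, as an added example that is not part of the original page or of the solution's own tooling. It uses only the Python standard library: the SHA1 fingerprint `openssl x509 -fingerprint -sha1` prints is the SHA1 of the certificate's DER bytes, which is what a base64-decoded PEM body contains. `SAMPLE_PEM` is a constructed placeholder whose body is just the base64 of the bytes `abc`, not a real certificate, so the example runs offline; the function names are my own.

```python
import base64
import hashlib
import re

# Constructed placeholder: the body is base64 of the bytes b"abc", not a real
# certificate, so the example runs offline and its fingerprint is checkable.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def from_single_line(value: str) -> str:
    """Reverse of to_single_line: turn literal backslash-n back into newlines."""
    return value.replace("\\n", "\n") + "\n"


def to_single_line(pem: str) -> str:
    """Convert a PEM file to the single-line idp_cert form.

    Each line of the PEM file is separated by the two characters backslash
    and 'n' (not a real newline), which is what the template value expects.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    return "\\n".join(lines)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string.

    Accepts both the multi-line file form and the single-line idp_cert form.
    """
    text = from_single_line(pem) if "\\n" in pem else pem
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop newlines and stray whitespace
    return base64.b64decode(body, validate=True)


def fingerprint_der(der: bytes) -> str:
    """SHA1 fingerprint in openssl's colon-separated upper-case form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    return fingerprint_der(pem_to_der(pem))


def parse_openssl_fingerprint(line: str) -> str:
    """Extract the value from an `openssl x509 -fingerprint -sha1` output line
    (older openssl prints 'SHA1 Fingerprint=', newer prints 'sha1 Fingerprint=')."""
    m = re.search(r"(?i)sha1 fingerprint=([0-9A-F:]+)", line.strip())
    if not m:
        raise ValueError(f"unrecognised openssl output: {line!r}")
    return m.group(1).upper()


def rotation_is_consistent(idp_cert: str, idp_cert_fingerprint: str) -> bool:
    """The verification step: the stored idp_cert must hash to the stored
    idp_cert_fingerprint. Run this on the current values before rotating and
    on the new values after editing the template."""
    return fingerprint_pem(idp_cert) == idp_cert_fingerprint.upper()


if __name__ == "__main__":
    fp = fingerprint_pem(SAMPLE_PEM)
    one_line = to_single_line(SAMPLE_PEM)
    print("idp_cert_fingerprint:", fp)
    print("idp_cert:", one_line)
    print("consistent:", rotation_is_consistent(one_line, fp))
```

Feed `to_single_line` the customer's PEM file to get the exact `idp_cert` value for the template, and compare `fingerprint_pem` against `parse_openssl_fingerprint` of the `openssl` output to confirm both paths agree before committing the change.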
## Tips

- Always test certificate rotation on the test environment first before applying to production.
- Verify the certificate expiry date before installing:

  ```shell
  openssl x509 -noout -dates -in new_certificate.pem
  ```

- After applying, verify SAML login works by attempting to sign in through the SSO flow.