
Support GitLab using SAML SSO via Azure AD

Open DanielLenz opened this issue 5 years ago • 5 comments

Hi folks,

thanks for working on GCM, I really appreciate your efforts!

I'm currently trying to connect to a self-managed Gitlab server that runs on a machine inside a company's network from outside this network.

Context

To access this network, the user is required to pass a reverse proxy and log in via the company's Azure AD and SAML authentication (image below). This works fine when it comes to the Gitlab web app (left branch in the image): Upon trying to access the network, the user is prompted to use the browser-based SSO. The token that is generated is then re-used to authenticate the user for the Gitlab instance, where authentication via Azure OAuth is set up as well.

Issue

The issue is in using the git cli to interact with the git server (push, pull, etc.). The redirect to the SSO triggers the error below:

> git push origin master
fatal: unable to update url base from redirection:
  asked for: https://gitserver.companyurl.com/user/repo.git/info/refs?service=git-receive-pack
   redirect: https://login.microsoftonline.com/<azure_tenant_id>/saml2?SAMLRequest=<base64encoding of SSO portal>

Question

Is it possible to configure GCM such that the browser-based SSO is triggered upon e.g. git push, and the redirect described above does not raise an exception? Specifically, the following would be ideal:

  • User executes a git push
  • Browser pops up, asks for SSO through Azure AD
  • The request 'enters' the company's network
  • Ideally: The same token is re-used to authenticate against the git server. However, the use of a user:pwd combination or access tokens would be fine as well.
  • The git push request is completed successfully


(this question is also posted on SO)

DanielLenz avatar Nov 07 '20 20:11 DanielLenz
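To make the `fatal: unable to update url base from redirection` error above concrete, here is an added example that is not code from git, GCM or the issue author. It models the check git's HTTP client applies when the very first request (`<repo>/info/refs?service=...`) is redirected: git only follows the redirect if the target still ends with the same `info/refs?service=...` tail, because that is what lets it rewrite the repository base URL and retry. A redirect to an IdP login page (the SAML endpoint in the post) has no such tail, so git dies with exactly this message rather than silently fetching HTML. The URLs are constructed from the issue text (tenant id and SAMLRequest are placeholders), the "renamed host" redirect is hypothetical, and the logic is a simplified model, not git's source.

```python
"""Model of git's redirect check on the initial info/refs request.

Added example for illustration; simplified from the behaviour of git's
HTTP client, not a copy of it.  URLs are constructed from the issue text.
"""
from urllib.parse import urlsplit

# Constructed from the issue: repository URL and the service git asks for.
REPO_URL = "https://gitserver.companyurl.com/user/repo.git"
SERVICE_TAIL = "/info/refs?service=git-receive-pack"

# Redirect target from the issue (tenant id / SAMLRequest are placeholders).
SAML_REDIRECT = (
    "https://login.microsoftonline.com/<azure_tenant_id>/saml2"
    "?SAMLRequest=<base64encoding of SSO portal>"
)

# Hypothetical redirect git *does* accept: same request, repository moved host.
RENAMED_REDIRECT = "https://git.companyurl.com/user/repo.git" + SERVICE_TAIL


class RedirectError(Exception):
    """Raised with the same wording git prints after 'fatal:'."""


def first_request_url(repo_url: str, service: str = "git-receive-pack") -> str:
    """URL git requests first for a push (receive-pack) or fetch (upload-pack)."""
    return f"{repo_url}/info/refs?service={service}"


def update_url_from_redirect(base: str, asked: str, got: str) -> str:
    """Return the new repository base URL implied by a redirect, or raise.

    Mirrors the rule: the redirect target must end with the exact tail that
    git appended to the base (here '/info/refs?service=...'); the part in
    front of that tail becomes the new base.  Anything else is rejected,
    because git cannot tell which part of the new URL is the repository.
    """
    if got == asked:
        return base  # no real redirect, keep the old base

    if not asked.startswith(base):
        raise AssertionError(f"{asked} is not a superset of {base}")
    tail = asked[len(base):]

    if not got.endswith(tail) or len(got) <= len(tail):
        raise RedirectError(
            "unable to update url base from redirection:\n"
            f"  asked for: {asked}\n"
            f"   redirect: {got}"
        )
    return got[: len(got) - len(tail)]


def explain_rejection(asked: str, got: str) -> list:
    """Human-readable reasons why a redirect target is not a git endpoint."""
    reasons = []
    a, g = urlsplit(asked), urlsplit(got)
    if a.netloc != g.netloc:
        reasons.append(f"host changed from {a.netloc} to {g.netloc}")
    if not g.path.endswith("/info/refs"):
        reasons.append("target path is not a git smart-HTTP info/refs endpoint")
    if "SAMLRequest" in g.query:
        reasons.append("target carries a SAMLRequest, i.e. an IdP login page")
    return reasons


if __name__ == "__main__":
    asked = first_request_url(REPO_URL)
    print("new base:", update_url_from_redirect(REPO_URL, asked, RENAMED_REDIRECT))
    try:
        update_url_from_redirect(REPO_URL, asked, SAML_REDIRECT)
    except RedirectError as err:
        print("fatal:", err)
        for reason in explain_rejection(asked, SAML_REDIRECT):
            print(" -", reason)
```

The practical reading of this model: no credential helper, GCM included, ever gets a chance to run here, because the failure happens before git sees a 401 challenge; the reverse proxy answers the unauthenticated `info/refs` request with a 302 to the IdP, and git treats that as a broken redirect, not as an authentication prompt.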

I've raised this with my counterparts at GitLab. Our team won't be adding GitLab support directly, but we would welcome outside contribution here!

vtbassmatt avatar Feb 11 '21 17:02 vtbassmatt

Is there any workaround for this problem mentioned above?

muttebe avatar Jul 29 '21 12:07 muttebe

@muttebe I imagine that a GitLab PAT would bypass the problematic 2FA flow altogether. Whether that's correct, or the ideal workaround, is more a question for GitLab.

vtbassmatt avatar Jul 29 '21 13:07 vtbassmatt

Ok thank you for your feedback!

muttebe avatar Jul 29 '21 13:07 muttebe

Opened a feature request for simple GitLab support (without network complications) similar to the GitHub support https://github.com/GitCredentialManager/git-credential-manager/issues/589

hickford avatar Dec 29 '21 14:12 hickford

We only support GitLab authentication using their OAuth2 support. We have no plans of implementing SAML SSO with external IdPs.

ldennington avatar Feb 13 '23 22:02 ldennington