
FusionAuth

curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/docker-compose.yml > docker-compose.yml && \
curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/.env > .env && \
docker-compose up

The setup instructions are at https://fusionauth.io/download.

📓 Notes as I explore FusionAuth 🗺️

  • There's a SCIM server built-in!
  • They offer a guide for building a Node app to integrate with FusionAuth.

My Setup

Let's build out a fake organization so we have users, groups and roles to work with. Let's use Star Trek.

  • Groups:
    • Engineering
    • Command
    • Medical
  • Users:
    • Kirk
    • Uhura
    • Scotty
    • Spock
    • Bones
  • Roles:
    • Admin for Kirk and Uhura

GitLab + FusionAuth = 💖

I should be able to use FusionAuth as my IdP and GitLab as the SP.

  1. Ensure GitLab is using HTTPS.
  2. Configure the common settings.

When configuring a SAML app on the IdP, you need at least:

  • Assertion consumer service URL
  • Issuer
  • NameID
  • Email address claim

💎 Relevant Content in gitlab.rb

When all was said and done, the relevant portions of my /etc/gitlab/gitlab.rb file looked like this:

# CAUTION!
# This allows users to sign in without having a user account first. Define the allowed providers
# using an array, for example, ["saml", "twitter"], or as true/false to allow all providers or none.
# User accounts will be created automatically when authentication was successful.
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = true

# Setting this will link people logging in with SAML to an existing GitLab
# account -- IFF the email addresses for the two users are the same.
gitlab_rails['omniauth_auto_link_saml_user'] = true

gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "🔥 FUSION Auth! 🔥", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: "https://lulah/users/auth/saml/callback",
      idp_cert_fingerprint: "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8",
      idp_sso_target_url: "https://login.example.com/idp",
      issuer: "GitLab on lulah",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]
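
The idp_cert_fingerprint value above is the trust anchor for the whole integration: GitLab only accepts assertions signed by a certificate whose fingerprint matches it, so the value has to be computed from the certificate FusionAuth actually signs with, not copied from an example. The following is an added example, not code from these notes or from GitLab or FusionAuth. It computes the colon-separated fingerprint in the form gitlab.rb expects and checks a configured value against a certificate. The self-signed certificate it generates is a constructed stand-in for the FusionAuth signing certificate, and fusionauth.example.test is an assumed name; in practice the PEM comes from the IdP's SAML metadata.

```ruby
require 'openssl'

# Compute the colon-separated hex fingerprint of an X.509 certificate, the format
# gitlab.rb's idp_cert_fingerprint uses. omniauth-saml compares with SHA-1 unless
# idp_cert_fingerprint_algorithm says otherwise, so SHA1 is the default here too.
def cert_fingerprint(pem, digest: 'SHA1')
  cert = OpenSSL::X509::Certificate.new(pem)
  raw = OpenSSL::Digest.new(digest).digest(cert.to_der)
  raw.unpack1('H*').scan(/../).join(':')
end

# Check a configured fingerprint against the certificate actually served by the IdP.
# Comparison ignores case and colons so "AB:CD" and "abcd" are treated the same.
def fingerprint_matches?(configured, pem, digest: 'SHA1')
  normalize = ->(s) { s.to_s.delete(':').downcase }
  normalize.call(configured) == normalize.call(cert_fingerprint(pem, digest: digest))
end

# Constructed self-signed certificate standing in for the FusionAuth signing
# certificate (assumption: a real check would load the PEM from IdP metadata).
def sample_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=fusionauth.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = sample_cert_pem
  fp = cert_fingerprint(pem)
  puts "idp_cert_fingerprint: \"#{fp}\""
  # A fingerprint copied from documentation rather than from the IdP will not match.
  puts "docs example matches? #{fingerprint_matches?('43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', pem)}"
end
```

Run it against the real certificate by replacing sample_cert_pem with File.read of the PEM exported from FusionAuth; a mismatch shows up as failed SAML logins in GitLab rather than as a silent downgrade, but it is still worth catching before users hit it.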