CAS OmniAuth provider (deprecated)

All tiers, self-managed
To enable the CAS OmniAuth provider you must register your application with your
CAS instance. This requires the service URL GitLab supplies to CAS. It should be
something like:

    https://gitlab.example.com:443/users/auth/cas3/callback?url
Handling for Single Logout (SLO) is enabled by default, so you only have to
configure CAS for back-channel logout.
- On your GitLab server, open the configuration file.

  For Omnibus package:

      sudo editor /etc/gitlab/gitlab.rb

  For installations from source:

      cd /home/git/gitlab
      sudo -u git -H editor config/gitlab.yml
- Configure the common settings to add cas3 as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account.

- Add the provider configuration:

  For Omnibus package:

      gitlab_rails['omniauth_providers'] = [
        {
          name: "cas3",
          label: "Provider name", # optional label for login button, defaults to "Cas3"
          args: {
            url: "CAS_SERVER",
            login_url: "/CAS_PATH/login",
            service_validate_url: "/CAS_PATH/p3/serviceValidate",
            logout_url: "/CAS_PATH/logout"
          }
        }
      ]

  For installations from source:

      - { name: 'cas3',
          label: 'Provider name', # optional label for login button, defaults to "Cas3"
          args: {
            url: 'CAS_SERVER',
            login_url: '/CAS_PATH/login',
            service_validate_url: '/CAS_PATH/p3/serviceValidate',
            logout_url: '/CAS_PATH/logout' } }
- Change 'CAS_PATH' to the root of your CAS instance (such as cas).

- If your CAS instance does not use default TGC (ticket-granting cookie) lifetimes, update the cas3.session_duration to at least the current TGC maximum lifetime. To explicitly disable SLO, regardless of CAS settings, set this to 0.

- Save the configuration file.
- For the changes to take effect:
  - If you installed via Omnibus, reconfigure GitLab.
  - If you installed from source, restart GitLab.
On the sign in page there should now be a CAS tab in the sign in form.
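
A pre-flight check for the `args` values from the provider configuration above, as an added example that is not GitLab's own code. The helper names, the host `cas.example.com` and the path `/cas` are hypothetical, and the absolute endpoints are built on the assumption that each path is appended to `url`.

```ruby
require "uri"

# Constructed sample: the `args` hash from the provider entry, with
# hypothetical values substituted for CAS_SERVER and CAS_PATH.
SAMPLE_ARGS = {
  url: "https://cas.example.com",
  login_url: "/cas/login",
  service_validate_url: "/cas/p3/serviceValidate",
  logout_url: "/cas/logout"
}.freeze

PATH_KEYS = %i[login_url service_validate_url logout_url].freeze

# Returns a list of findings for a cas3 `args` hash (empty when clean).
# session_duration and tgc_max_lifetime must be in the same unit; nil skips the check.
def cas3_problems(args, session_duration: nil, tgc_max_lifetime: nil)
  problems = []
  args.each do |key, value|
    problems << "#{key}: placeholder not replaced" if value.to_s.match?(/CAS_SERVER|CAS_PATH/)
  end
  begin
    uri = URI.parse(args[:url].to_s)
    problems << "url: use https so tickets are not sent in clear text" unless uri.is_a?(URI::HTTPS)
  rescue URI::InvalidURIError
    problems << "url: not a valid URL"
  end
  PATH_KEYS.each do |key|
    problems << "#{key}: expected a path starting with /" unless args[key].to_s.start_with?("/")
  end
  if session_duration && tgc_max_lifetime
    if session_duration.zero?
      problems << "session_duration: 0 disables Single Logout"
    elsif session_duration < tgc_max_lifetime
      problems << "session_duration: shorter than the TGC maximum lifetime"
    end
  end
  problems
end

# Absolute endpoints to compare against the CAS server, assuming each
# path is appended to `url`.
def cas3_endpoints(args)
  PATH_KEYS.to_h { |key| [key, args[:url].to_s.chomp("/") + args[key].to_s] }
end
```

Run it against the values you are about to save; an empty list from `cas3_problems` means no placeholder was left in and every path has the expected shape.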