website/integrations: switch default gitlab name identifier (#5321)
Signed-off-by: Jens Langhammer <jens@goauthentik.io> #5312
This commit is contained in:
parent
94ae490284
commit
34e9af57fe
|
@ -22,8 +22,12 @@ The metadata download link can also be copied with a button on the provider over
|
||||||
|
|
||||||
You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:
|
You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:
|
||||||
|
|
||||||
- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address.
|
|
||||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID.
|
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID.
|
||||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
|
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
|
||||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
|
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
|
||||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID.
|
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID.
|
||||||
|
- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address.
|
||||||
|
|
||||||
|
:::warning
|
||||||
|
Keep in mind that with the default settings, users are free to change their email addresses. As such it is recommended to use `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, as this cannot be changed.
|
||||||
|
:::
|
||||||
|
|
|
@ -51,7 +51,7 @@ gitlab_rails['omniauth_providers'] = [
|
||||||
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
|
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
|
||||||
idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/',
|
idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/',
|
||||||
issuer: 'https://gitlab.company',
|
issuer: 'https://gitlab.company',
|
||||||
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
|
||||||
attribute_statements: {
|
attribute_statements: {
|
||||||
email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
|
email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
|
||||||
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
|
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
|
||||||
|
|
Reference in a new issue