出于 SSO 的原因,我已将我的 gitlab 实例与 Azure AD 集成,并且它似乎运行良好。
但是,据我了解,Azure 将是唯一的真实来源...因此,如果用户必须先在 gitlab 上注册,然后将他的 gitlab 链接到 azure,那么这是否会破坏实施它的整个意义?
您能建议有关此实现的最佳实践吗?这是我的 omniauth 配置在 /etc/gitlab/gitlab.rb 中的样子。
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
gitlab_rails['sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['sync_profile_attributes'] = ['name', 'email', 'location']
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_oauth2",
"args" => {
"client_id" => "my id",
"client_secret" => "my secret",
# "args" => { "access_type" => "offline", "approval_prompt" => "" }
"tenant_id" => "my tenant id",
},
# "base_azure_url" => "https://login.microsoftonline.com"
}
]
谢谢!