CAS OmniAuth provider (deprecated) (FREE SELF)
WARNING: This feature was deprecated in GitLab 15.3 and is planned for removal in 16.0.
To enable the CAS OmniAuth provider you must register your application with your
CAS instance. This requires the service URL GitLab supplies to CAS. It should be
something like: https://gitlab.example.com:443/users/auth/cas3/callback?url
.
Handling for Single Logout (SLO) is enabled by default, so you only have to
configure CAS for back-channel logout.
-
On your GitLab server, open the configuration file.
For Omnibus package:
sudo editor /etc/gitlab/gitlab.rb
For installations from source:
cd /home/git/gitlab sudo -u git -H editor config/gitlab.yml
-
Configure the common settings to add
cas3
as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account. -
Add the provider configuration:
For Omnibus package:
gitlab_rails['omniauth_providers'] = [ { name: "cas3", label: "Provider name", # optional label for login button, defaults to "Cas3" args: { url: "CAS_SERVER", login_url: "/CAS_PATH/login", service_validate_url: "/CAS_PATH/p3/serviceValidate", logout_url: "/CAS_PATH/logout" } } ]
For installations from source:
- { name: 'cas3', label: 'Provider name', # optional label for login button, defaults to "Cas3" args: { url: 'CAS_SERVER', login_url: '/CAS_PATH/login', service_validate_url: '/CAS_PATH/p3/serviceValidate', logout_url: '/CAS_PATH/logout' } }
-
Change 'CAS_PATH' to the root of your CAS instance (such as
cas
). -
If your CAS instance does not use default TGC lifetimes, update the
cas3.session_duration
to at least the current TGC maximum lifetime. To explicitly disable SLO, regardless of CAS settings, set this to 0. -
Save the configuration file.
-
For the changes to take effect:
- If you installed via Omnibus, reconfigure GitLab.
- If you installed from source, restart GitLab.
On the sign in page there should now be a CAS tab in the sign in form.