debian-mirror-gitlab/doc/administration/auth/cognito.md


---
type: concepts, howto
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Amazon Web Services Cognito **(FREE SELF)**

Amazon Cognito lets you add user sign-up, sign-in, and access control to your GitLab instance.
The following documentation enables Cognito as an OAuth2 provider.

## Configure AWS Cognito

To enable the [AWS Cognito](https://aws.amazon.com/cognito/) OAuth2 OmniAuth provider, register your application with Cognito. This process generates a Client ID and Client Secret for your application.

Any settings you configure in the following procedure can be modified later.

The following steps enable AWS Cognito as an authentication provider:

1. Sign in to the [AWS console](https://console.aws.amazon.com/console/home).
1. Select **Cognito** from the **Services** menu.
1. Select **Manage User Pools**, and select the **Create a user pool** button in the top right corner.
1. Enter the pool name and then select the **Step through settings** button.
1. Under **How do you want your end users to sign in?**, select **Email address or phone number** and **Allow email addresses**.
1. Under **Which standard attributes do you want to require?**, select **email**.
1. Step through the remaining configuration pages and set them to suit your needs. In a basic setup, none of those settings affect the GitLab integration.
1. In the **App clients** settings, select **Add an app client**, add **App client name** and select the **Enable username password based authentication** checkbox.
1. Select **Create app client**.
1. In the next step, you can set up AWS Lambda functions for sending emails. You can then finish creating the pool.
1. After creating the user pool, go to **App client settings** and provide the required information:
   - **Enabled Identity Providers** - select all
   - **Callback URL** - `https://gitlab.example.com/users/auth/cognito/callback`
     - Substitute the URL of your GitLab instance for `gitlab.example.com`. Cognito only redirects to URLs registered here, and the comparison is exact, so the scheme, host, and path must be identical to what GitLab sends.
   - **Allowed OAuth Flows** - Authorization code grant
   - **Allowed OAuth2 Scopes** - `email`, `openid`, and `profile`
1. Save changes for the app client settings.
1. Under **Domain name**, set the Amazon Cognito domain for your user pool, for example `https://your_domain.auth.your_region.amazoncognito.com`. GitLab uses this value as the `site` option.
1. Under **App Clients**, find your app client ID and app client secret. These values correspond to the OAuth2 Client ID and Client Secret. Save these values.

## Configure GitLab

1. See [Configure initial settings](../../integration/omniauth.md#configure-initial-settings) for the settings shared by all OmniAuth providers, including whether accounts created automatically at first sign-in are blocked until an administrator approves them.
1. On your GitLab server, open the configuration file.

   **For Omnibus installations**

   ```shell
   sudo editor /etc/gitlab/gitlab.rb
   ```

1. In the following code block, substitute the Client ID (`app_id`), Client Secret (`app_secret`), and the Amazon domain name (`site`) for your AWS Cognito application.
   Include the code block in the `/etc/gitlab/gitlab.rb` file:

   ```ruby
   # Users who authenticate through Cognito get a GitLab account created on first sign-in
   gitlab_rails['omniauth_allow_single_sign_on'] = ['cognito']
   gitlab_rails['omniauth_providers'] = [
     {
       name: "cognito",
       label: "Provider name", # optional label for login button, defaults to "Cognito"
       icon: nil, # Optional icon URL
       app_id: "CLIENT ID",
       app_secret: "CLIENT SECRET",
       args: {
         scope: "openid profile email",
         client_options: {
           # Your Cognito domain from the "Domain name" step, without a trailing slash
           site: "https://your_domain.auth.your_region.amazoncognito.com",
           authorize_url: "/oauth2/authorize",
           token_url: "/oauth2/token",
           user_info_url: "/oauth2/userInfo"
         },
         # How the userInfo response is mapped onto a GitLab identity:
         # the stable "sub" claim is the uid, the email address fills the other attributes
         user_response_structure: {
           root_path: [],
           id_path: ["sub"],
           attributes: { nickname: "email", name: "email", email: "email" }
         },
         name: "cognito",
         strategy_class: "OmniAuth::Strategies::OAuth2Generic"
       }
     }
   ]
   ```

1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) GitLab for the changes to take effect.

Your sign-in page should now display a Cognito button below the regular sign-in form.
To begin the authentication process, select the button. AWS Cognito asks the user to sign in and authorize the GitLab application.
If successful, the user is redirected and signed in to your GitLab instance.
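
The two configurations above must agree exactly on the callback URL, the grant type, and the scopes, and a mismatch surfaces only as a failed redirect or as a signed-in user with empty attributes. The Ruby script below is an added example for this page, not GitLab's code: it takes the provider hash from the `gitlab.rb` block (placeholder values kept), a constructed sample of the Cognito app client settings, and a constructed `/oauth2/userInfo` body, then builds the authorization URL GitLab sends the browser to, cross-checks the two sides, and applies `user_response_structure` to the userInfo JSON the way the `OAuth2Generic` mapping does, so you can see which GitLab attributes a given Cognito response yields. The `email_verified?` helper is not part of GitLab's mapping; it is the check to add if you post-process user information, and it assumes Cognito returns `email_verified` as a string in the userInfo body (the ID token carries a boolean), so both forms are accepted.

```ruby
require "json"
require "uri"
require "securerandom"

# Provider hash as configured in gitlab.rb (same values as the block above; CLIENT ID is a placeholder).
GITLAB_PROVIDER = {
  app_id: "CLIENT ID",
  args: {
    scope: "openid profile email",
    client_options: {
      site: "https://your_domain.auth.your_region.amazoncognito.com",
      authorize_url: "/oauth2/authorize",
      token_url: "/oauth2/token",
      user_info_url: "/oauth2/userInfo"
    },
    user_response_structure: {
      root_path: [],
      id_path: ["sub"],
      attributes: { nickname: "email", name: "email", email: "email" }
    }
  }
}.freeze

# Redirect URI GitLab sends; Cognito must have it registered verbatim.
GITLAB_CALLBACK = "https://gitlab.example.com/users/auth/cognito/callback".freeze

# Constructed sample of the app client settings entered in the Cognito console.
COGNITO_APP_CLIENT = {
  client_id: "CLIENT ID",
  callback_urls: ["https://gitlab.example.com/users/auth/cognito/callback"],
  allowed_oauth_flows: ["code"], # "Authorization code grant"
  allowed_oauth_scopes: %w[email openid profile]
}.freeze

# Constructed sample of a /oauth2/userInfo response for the email, openid and profile scopes.
SAMPLE_USER_INFO = <<~JSON.freeze
  {"sub":"1b2c3d4e-0000-4000-8000-000000000001","email_verified":"true",
   "email":"alice@example.com","username":"alice"}
JSON

# First leg of the authorization code grant: the URL GitLab redirects the browser to.
# state is the anti-CSRF value the OmniAuth strategy keeps in the session and checks on callback.
def authorize_url(provider, callback, state = SecureRandom.hex(16))
  opts = provider[:args][:client_options]
  params = {
    client_id: provider[:app_id],
    redirect_uri: callback,
    response_type: "code",
    scope: provider[:args][:scope],
    state: state
  }
  "#{opts[:site]}#{opts[:authorize_url]}?#{URI.encode_www_form(params)}"
end

# Cross-check the two configurations. Returns the list of mismatches; empty means consistent.
def check_consistency(provider, callback, app_client)
  problems = []
  problems << "client_id differs" unless provider[:app_id] == app_client[:client_id]
  # Cognito compares redirect_uri exactly: a different scheme, host, port or a trailing slash fails.
  problems << "callback URL not registered: #{callback}" unless app_client[:callback_urls].include?(callback)
  problems << "authorization code grant not enabled" unless app_client[:allowed_oauth_flows].include?("code")
  missing = provider[:args][:scope].split - app_client[:allowed_oauth_scopes]
  problems << "scopes not allowed on app client: #{missing.join(' ')}" unless missing.empty?
  problems
end

# Apply user_response_structure to a userInfo body: root_path locates the user object,
# id_path the stable uid, attributes maps GitLab fields to Cognito claim names.
def map_user_info(structure, json)
  root = structure[:root_path].reduce(JSON.parse(json)) { |node, key| node.fetch(key) }
  uid = structure[:id_path].reduce(root) { |node, key| node.fetch(key) }
  { uid: uid, info: structure[:attributes].transform_values { |claim| root[claim] } }
end

# Assumption: Cognito's userInfo body carries email_verified as the string "true" while the
# ID token has a boolean, so accept either form. Not part of GitLab's own mapping.
def email_verified?(json)
  ["true", true].include?(JSON.parse(json)["email_verified"])
end

if __FILE__ == $PROGRAM_NAME
  puts authorize_url(GITLAB_PROVIDER, GITLAB_CALLBACK)
  problems = check_consistency(GITLAB_PROVIDER, GITLAB_CALLBACK, COGNITO_APP_CLIENT)
  puts(problems.empty? ? "Cognito app client and gitlab.rb agree" : problems.join("\n"))
  p map_user_info(GITLAB_PROVIDER[:args][:user_response_structure], SAMPLE_USER_INFO)
  puts "email verified: #{email_verified?(SAMPLE_USER_INFO)}"
end
```

Run it with `ruby cognito_check.rb` after pasting your real values into the two hashes; the authorization URL it prints can be opened in a browser to confirm that Cognito accepts the `redirect_uri` before you reconfigure GitLab.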

For more information, see [Configure initial settings](../../integration/omniauth.md#configure-initial-settings).