Shibboleth authentication to a git repository?
Peter Schober
peter.schober at univie.ac.at
Thu Apr 2 06:12:48 EDT 2020
* Michael.Breu at uibk.ac.at <Michael.Breu at uibk.ac.at> [2020-04-02 11:55]:
> Is there any support to use shibboleth authentication against a git
> repository?
Not unless you get ECP support added to the client (all clients) and
also the server, I think.
Somewhat related (HTTP-based protocol but client is not a browser):
https://wiki.shibboleth.net/confluence/display/SHIB2/WebDAV
> We are using a complex system landscape, that provides besides a web
> server also a git service. Currently we are using local
> authentication, which conflicts with the access from multiple
> id-providers.
Don't re-invent the wheel. The world has settled on using a
(SAML-enabled) web application to provision local accounts and SSH
public keys and then using those SSH public keys for git access.
> It is an easy task to enhance the web server login to
> shibboleth. However how could we extend this to a gitlab based
> repository service?
I don't understand the question: Gitlab is exactly the kind of web
application you'd use (and federate) to allow subjects to add their
own SSH public keys for git access, as mentioned above.
And while Gitlab's native (Ruby omniauth saml) SAML support is lacking you
can run it behind the Shibboleth SP just fine, provided you run it on an OS
that has Apache httpd 2.4 and you apply the changes I've documented here:
https://gitlab.com/gitlab-org/gitlab-recipes/issues/57#note_22130522
(swapping out Nginx for Apache httpd).
Then configure Gitlab to use omniauth shibboleth and handle all SAML
in the Shibboleth SP (though you'll have to "UseHeaders On"; a small
price to pay for a proper SAML SP implementation).
While I don't have this exact setup running atm I should still be able
to answer questions about it, if needed. As long as those can be
argued to relate to Shibboleth also on this list.
-peter