How to integrate GitLab Server via Citrix ADC using OKTA as SAML IDP and Citrix ADC as SAML SP.


Article ID: CTX310407


Description

Integrating GitLab Server via Citrix ADC using OKTA as SAML IDP and Citrix ADC as SAML SP.


Instructions

To achieve this requirement, follow the steps below:

Configuration on OKTA IDP:


On the OKTA IDP server, configure the SAML SP server URL as "https://<LB Vserver FQDN>/cgi/samlauth"

Configuration on Citrix ADC:

AAA configuration:

add authentication samlAction gitlab_saml_auth -samlIdPCertName OktaCert -samlSigningCertName <LB Vserver Certificate> -samlRedirectUrl "https://<Okta IDP URL>" -samlACSIndex 255 -samlUserField "Name ID" -samlRejectUnsignedAssertion ON -samlIssuerName "http://<Get the issuer details from Okta IDP>" -samlTwoFactor OFF -signatureAlg RSA-SHA256 -digestMethod SHA256 -requestedAuthnContext exact -samlBinding POST -attributeConsumingServiceIndex 255 -sendThumbprint OFF -enforceUserName ON -skewTime 5 -logoutBinding POST -forceAuthn OFF -storeSAMLResponse OFF

add authentication Policy okta_saml_gitlabdev_auth_pol -rule TRUE -action gitlab_saml_auth

add authentication vserver gitlab_okta_saml_AAA SSL 0.0.0.0 -range 1 0 -state ENABLED -authentication ON -td 0 -appflowLog ENABLED -noDefaultBindings NO

bind authentication vserver gitlab_okta_saml_AAA -policy okta_saml_gitlabdev_auth_pol -priority 100 -gotoPriorityExpression END

LB Vserver Configuration:

add lb vserver gitlabdev_vip SSL XX.XX.XX.XX 443 -range 1 -persistenceType NONE -timeout 2 -persistenceBackup NONE -backupPersistenceTimeout 2 -lbMethod LEASTCONNECTION -backupLBMethod ROUNDROBIN -Listenpolicy NONE -persistMask 255.255.255.255 -v6persistmasklen 128 -m IP -sessionless DISABLED -trofsPersistence ENABLED -state ENABLED -connfailover DISABLED -cacheable NO -cltTimeout 180 -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -consolidatedLConn GLOBAL -IPMapping 0.0.0.0 -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -AuthenticationHost 1.1.1.1 -Authentication ON -authn401 OFF -authnVsName gitlab_okta_saml_AAA -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE -minAutoscaleMembers 0 -maxAutoscaleMembers 0 -skippersistency None -td 0 -macmodeRetainvlan DISABLED -dns64 DISABLED -bypassAAAA NO -processLocal DISABLED -retainConnectionsOnCluster NO -noDefaultBindings NO

SAML SSO Configuration: (This is required only if the GitLab server also acts as a SAML SP and expects a SAML assertion)

add tm samlSSOProfile gitlabdev_saml_sso_profile -samlSigningCertName <LB Vserver Certificate> -assertionConsumerServiceURL "https://<GitLab Server FQDN>/users/auth/saml/callback" -relaystateRule "\"https://<Gitlab server FQDN>/\"" -samlIssuerName <Citrix LB Vserver FQDN> -signatureAlg RSA-SHA256 -digestMethod SHA256 -NameIDFormat transient -encryptAssertion OFF -samlSPCertName <Gitlab Server Certificate> -encryptionAlgorithm AES256 -skewTime 5 -signAssertion ASSERTION

add tm trafficAction gitlabdev_saml_traffic_profile -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -samlSSOProfile gitlabdev_saml_sso_profile

add tm trafficPolicy gitlabdev_saml_traffic_policy "HTTP.REQ.URL.CONTAINS(\"auth/saml/callback\").NOT&&HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"known_sign_in\").NOT&&HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"_gitlab_session\").NOT" gitlabdev_saml_traffic_profile

Logout Configuration:

add rewrite action rw_act_replace_location replace "http.RES.HEADER(\"Location\")" "\"https://<OKTA IDP FQDN>/login/signout\""

add rewrite policy rw_pol_replace_logout_location "http.REQ.URL.CONTAINS(\"/users/sign_out\")" rw_act_replace_location

add responder action gitlabdev_responder_action respondwith q{"HTTP/1.1 302 Object Moved\r\nLocation: https://<LB Vserver FQDN>\r\n"+"Set-Cookie: known_sign_in=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\nSet-Cookie: _gitlab_session=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\nContent-Type: text/html\r\n"+"Content-Length: 0\r\n\r\n"}

add responder policy Gitlabdev_Responder_Policy "HTTP.REQ.URL.CONTAINS(\"/users/sign_in\")" gitlabdev_responder_action

add tm trafficAction gitlabdev_traffic_profile_signout -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE

add tm trafficPolicy gitlabdev_traffic_pol_signout "HTTP.REQ.URL.CONTAINS(\"/users/sign_out\")" gitlabdev_traffic_profile_signout

Authorization Configuration:

The policy below uses the rule TRUE with the action ALLOW, so every session that passes SAML authentication is permitted; narrow the rule if only specific users or groups should reach GitLab.

add authorization policy pivdev_authorization_pol TRUE ALLOW


bind lb vserver gitlabdev_vip -policyName rw_pol_replace_logout_location -priority 100 -gotoPriorityExpression END -type RESPONSE
bind lb vserver gitlabdev_vip -policyName gitlabdev_saml_traffic_policy -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName gitlabdev_traffic_pol_signout -priority 110 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName Gitlabdev_Responder_Policy -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName pivdev_authorization_pol -priority 100 -gotoPriorityExpression END -type REQUEST