How to integrate GitLab Server via Citrix ADC using OKTA as SAML IDP and Citrix ADC as SAML SP.

How to integrate GitLab Server via Citrix ADC using OKTA as SAML IDP and Citrix ADC as SAML SP.


Article ID: CTX310407



Description

Integrating GitLab Server via Citrix ADC using OKTA as SAML IDP and Citrix ADC as SAML SP.


Instructions

To achieve this, follow the steps below. Values in angle brackets (for example `<LB Vserver FQDN>`) are placeholders and must be replaced with values from your environment. The commands shown cover the SAML and policy configuration only; the SSL certificate-key bindings for the LB and authentication vservers and the binding of the GitLab service to the LB vserver are not shown here and must be configured as well.

Configuration on OKTA IDP:


On the Okta IdP, configure the SAML application's Single Sign-On (Assertion Consumer Service) URL for the SP as `https://<LB Vserver FQDN>/cgi/samlauth` (no leading space). Download the Okta IdP signing certificate and install it on the Citrix ADC as the certificate referenced by `-samlIdPCertName` in the SAML action below (`OktaCert`), so that assertion signature validation is pinned to the expected IdP.

Configuration on Citrix ADC:

AAA configuration. The SAML action below rejects unsigned assertions (`-samlRejectUnsignedAssertion ON`) and uses RSA-SHA256 / SHA256 for signing and digests; `-skewTime 5` tolerates five minutes of clock drift between Okta and the ADC, so keep both NTP-synchronised. As written, the action does not restrict the expected audience of the assertion; if your firmware supports the `-audience` parameter on the SAML action, set it to the SP entity ID configured in Okta so assertions issued for other applications are not accepted.

add authentication samlAction gitlab_saml_auth -samlIdPCertName OktaCert -samlSigningCertName <LB Vserver Certificate> -samlRedirectUrl "https://<Okta IDP URL>" -samlACSIndex 255 -samlUserField "Name ID" -samlRejectUnsignedAssertion ON -samlIssuerName "<Issuer / SP Entity ID configured in the Okta application>" -samlTwoFactor OFF -signatureAlg RSA-SHA256 -digestMethod SHA256 -requestedAuthnContext exact -samlBinding POST -attributeConsumingServiceIndex 255 -sendThumbprint OFF -enforceUserName ON -skewTime 5 -logoutBinding POST -forceAuthn OFF -storeSAMLResponse OFF

add authentication Policy okta_saml_gitlabdev_auth_pol -rule TRUE -action gitlab_saml_auth

add authentication vserver gitlab_okta_saml_AAA SSL 0.0.0.0 -range 1 0 -state ENABLED -authentication ON -td 0 -appflowLog ENABLED -noDefaultBindings NO

bind authentication vserver gitlab_okta_saml_AAA -policy okta_saml_gitlabdev_auth_pol -priority 100 -gotoPriorityExpression END

LB vserver configuration. The LB vserver delegates authentication to the (non-addressable) authentication vserver via `-authnVsName`; `-AuthenticationHost 1.1.1.1` is an example value and must be replaced with the value appropriate for your deployment. Replace `XX.XX.XX.XX` with the VIP address, and bind the server certificate-key pair and the GitLab service (not shown) before testing.

add lb vserver gitlabdev_vip SSL XX.XX.XX.XX 443 -range 1 -persistenceType NONE -timeout 2 -persistenceBackup NONE -backupPersistenceTimeout 2 -lbMethod LEASTCONNECTION -backupLBMethod ROUNDROBIN -Listenpolicy NONE -persistMask 255.255.255.255 -v6persistmasklen 128 -m IP -sessionless DISABLED -trofsPersistence ENABLED -state ENABLED -connfailover DISABLED -cacheable NO -cltTimeout 180 -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -consolidatedLConn GLOBAL -IPMapping 0.0.0.0 -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -AuthenticationHost 1.1.1.1 -Authentication ON -authn401 OFF -authnVsName gitlab_okta_saml_AAA -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE -minAutoscaleMembers 0 -maxAutoscaleMembers 0 -skippersistency None -td 0 -macmodeRetainvlan DISABLED -dns64 DISABLED -bypassAAAA NO -processLocal DISABLED -retainConnectionsOnCluster NO -noDefaultBindings NO

SAML SSO configuration (required only if the GitLab server is itself configured as a SAML SP and expects a SAML assertion; the ADC then acts as IdP towards GitLab). The profile below signs the assertion (`-signAssertion ASSERTION`) with the LB vserver certificate but does not encrypt it (`-encryptAssertion OFF`); configure GitLab to trust that certificate and to require signed assertions, otherwise the ADC-issued assertion provides no protection. `-NameIDFormat transient` means the NameID is not stable across sessions, so confirm that GitLab maps users on a persistent identifier, or use a persistent NameID format. The traffic policy that follows injects SSO only for requests that are not the SAML callback and carry neither a `known_sign_in` nor a `_gitlab_session` cookie; note that it uses substring matching on the Cookie header.

add tm samlSSOProfile gitlabdev_saml_sso_profile -samlSigningCertName <LB Vserver Certificate>  -assertionConsumerServiceURL "https://<GitLab Server FQDN>/users/auth/saml/callback" -relaystateRule "\"https://<Gitlab server FQDN>/\"" -samlIssuerName <Citrix LB Vserver FQDN> -signatureAlg RSA-SHA256 -digestMethod SHA256 -NameIDFormat transient -encryptAssertion OFF -samlSPCertName <Gitlab Server Certificate> -encryptionAlgorithm AES256 -skewTime 5 -signAssertion ASSERTION

add tm trafficAction gitlabdev_saml_traffic_profile -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -samlSSOProfile gitlabdev_saml_sso_profile

add tm trafficPolicy gitlabdev_saml_traffic_policy "HTTP.REQ.URL.CONTAINS(\"auth/saml/callback\").NOT&&HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"known_sign_in\").NOT&&HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"_gitlab_session\").NOT" gitlabdev_saml_traffic_profile

Logout configuration. On a request to `/users/sign_out`, the rewrite policy replaces the `Location` header of GitLab's response with the Okta sign-out URL, and the traffic policy with `-InitiateLogout ON` terminates the AAA session on the ADC. The responder policy on `/users/sign_in` expires the `known_sign_in` and `_gitlab_session` cookies (flagged `Secure`) and redirects to the LB vserver root so that SSO is re-initiated. Replace the placeholders with your Okta and LB vserver host names.

add rewrite action rw_act_replace_location replace "http.RES.HEADER(\"Location\")" "\"https://<Okta IDP FQDN>/login/signout\""

add rewrite policy rw_pol_replace_logout_location "http.REQ.URL.CONTAINS(\"/users/sign_out\")" rw_act_replace_location

add responder action gitlabdev_responder_action respondwith q{"HTTP/1.1 302 Object Moved\r\nLocation: https://<LB Vserver FQDN>\r\n"+"Set-Cookie: known_sign_in=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\nSet-Cookie: _gitlab_session=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\nContent-Type: text/html\r\n"+"Content-Length: 0\r\n\r\n"}

add responder policy Gitlabdev_Responder_Policy "HTTP.REQ.URL.CONTAINS(\"/users/sign_in\")" gitlabdev_responder_action

add tm trafficAction gitlabdev_traffic_profile_signout -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE

add tm trafficPolicy gitlabdev_traffic_pol_signout "HTTP.REQ.URL.CONTAINS(\"/users/sign_out\")" gitlabdev_traffic_profile_signout

Authorization configuration. The policy below allows every request for any authenticated AAA session and imposes no per-path or per-group restriction on the ADC; access control within GitLab therefore remains GitLab's responsibility. The policy name `pivdev_authorization_pol` does not follow the `gitlabdev_` naming used elsewhere in this configuration; rename it consistently if desired (the bind command must then use the same name).

add authorization policy pivdev_authorization_pol TRUE ALLOW


bind lb vserver gitlabdev_vip -policyName rw_pol_replace_logout_location -priority 100 -gotoPriorityExpression END -type RESPONSE
bind lb vserver gitlabdev_vip -policyName gitlabdev_saml_traffic_policy -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName gitlabdev_traffic_pol_signout -priority 110 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName Gitlabdev_Responder_Policy -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver gitlabdev_vip -policyName pivdev_authorization_pol -priority 100 -gotoPriorityExpression END -type REQUEST