To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like:

      https://gitlab.example.com:443/users/auth/cas3/callback?url

By default, handling for single logout (SLO) is enabled; you only need to configure CAS for backchannel logout.
- On your GitLab server, open the configuration file.

  For omnibus package:

      sudo editor /etc/gitlab/gitlab.rb

  For installations from source:

      cd /home/git/gitlab
      sudo -u git -H editor config/gitlab.yml
- See Initial OmniAuth Configuration for initial settings.
- Add the provider configuration:

  For omnibus package:

      gitlab_rails['omniauth_providers'] = [
        {
          "name" => "cas3",
          "label" => "cas",
          "args" => {
            "url" => 'CAS_SERVER',
            "login_url" => '/CAS_PATH/login',
            "service_validate_url" => '/CAS_PATH/p3/serviceValidate',
            "logout_url" => '/CAS_PATH/logout'
          }
        }
      ]

  For installations from source:

      - { name: 'cas3',
          label: 'cas',
          args: {
            url: 'CAS_SERVER',
            login_url: '/CAS_PATH/login',
            service_validate_url: '/CAS_PATH/p3/serviceValidate',
            logout_url: '/CAS_PATH/logout' } }
- Change 'CAS_PATH' to the root of your CAS instance (i.e. cas).
- If your CAS instance does not use default TGC (ticket-granting cookie) lifetimes, update cas3.session_duration to at least the current TGC maximum lifetime. To explicitly disable SLO, regardless of CAS settings, set this to 0.
- Save the configuration file.
- Reconfigure GitLab (Omnibus installations) or restart GitLab (installations from source) for the changes to take effect.
On the sign-in page there should now be a CAS tab in the sign-in form.
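A pre-flight check for the provider entry from the steps above, as an added example that is not part of GitLab or of the original page: it catches leftover CAS_SERVER / CAS_PATH placeholders, a non-HTTPS CAS URL, and a session_duration that is 0 or below the TGC maximum lifetime, and builds the service URL to register with CAS. The helper names, the host cas.example.com, the /cas root and the durations are assumptions chosen for illustration.

```ruby
require 'uri'

# Constructed sample: the page's provider hash with hypothetical values filled in.
SAMPLE_PROVIDER = {
  "name" => "cas3", "label" => "cas",
  "args" => { "url" => "https://cas.example.com",
              "login_url" => "/cas/login",
              "service_validate_url" => "/cas/p3/serviceValidate",
              "logout_url" => "/cas/logout" }
}.freeze

# Service URL to register with CAS, following the pattern shown on the page.
def cas3_callback_url(gitlab_url)
  u = URI.parse(gitlab_url)
  "#{u.scheme}://#{u.host}:#{u.port}/users/auth/cas3/callback?url"
end

# Hypothetical helper: lists problems in a cas3 provider entry.
# session_duration and tgc_max_lifetime are in seconds.
def cas3_config_problems(provider, session_duration:, tgc_max_lifetime:)
  problems = []
  args = provider.fetch("args", {})
  problems << "name must be cas3" unless provider["name"] == "cas3"
  base = args["url"].to_s
  if base.include?("CAS_SERVER")
    problems << "url still contains the CAS_SERVER placeholder"
  elsif !base.start_with?("https://")
    problems << "url should be an https:// address"
  end

  %w[login_url service_validate_url logout_url].each do |key|
    path = args[key].to_s
    if path.include?("CAS_PATH")
      problems << "#{key} still contains the CAS_PATH placeholder"
    elsif !path.start_with?("/")
      problems << "#{key} should be a path starting with /"
    end
  end
  unless args["service_validate_url"].to_s.end_with?("/p3/serviceValidate")
    problems << "service_validate_url should end with /p3/serviceValidate"
  end

  if session_duration.zero?
    problems << "session_duration is 0, so SLO is disabled"
  elsif session_duration < tgc_max_lifetime
    problems << "session_duration is shorter than the TGC maximum lifetime"
  end
  problems
end
```

An empty list from `cas3_config_problems` means the entry matches the shape of the template above; it does not confirm that the CAS server itself is reachable or configured for backchannel logout.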