Merge branch 'kpaizee-omniauth-ctrt-part-2' into 'master'

OmniAuth CTRT edits part 2 See merge request gitlab-org/gitlab!74303

Merge branch 'kpaizee-omniauth-ctrt-part-2' into 'master'
OmniAuth CTRT edits part 2 See merge request gitlab-org/gitlab!74303
e147d7c8 · Suzanne Selhorn · f03eab96 · f4566008 · f03eab96 · e147d7c8
Commit e147d7c8 authored Nov 16, 2021 by Suzanne Selhorn
Showing with 87 additions and 80 deletions

doc/integration/img/enabled-oauth-sign-in-sources_v13_10.png doc/integration/img/enabled-oauth-sign-in-sources_v13_10.png +0 -0

doc/integration/omniauth.md doc/integration/omniauth.md +87 -80

No files found.
--- a/doc/integration/img/enabled-oauth-sign-in-sources_v13_10.png
+++ b/doc/integration/img/enabled-oauth-sign-in-sources_v13_10.png
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -115,32 +115,28 @@ your chosen [provider](#supported-providers).
 ## Enable OmniAuth for an existing user
-Existing users can enable OmniAuth for specific providers after the account is
+If you're an existing user, after your GitLab account is
-created. For example, if the user originally signed in with LDAP, an OmniAuth
+created, you can activate an OmniAuth provider. For example, if you originally signed in with LDAP, you can enable an OmniAuth
-provider such as Twitter can be enabled. Follow the steps below to enable an
+provider like Twitter.
-OmniAuth provider for an existing user.
-1. Sign in normally - whether standard sign in, LDAP, or another OmniAuth provider.
+1. Sign in to GitLab with your GitLab credentials, LDAP, or another OmniAuth provider.
-1. In the top-right corner, select your avatar.
+1. On the top bar, in the top right corner, select your avatar.
 1. Select **Edit profile**.
 1. On the left sidebar, select **Account**.
-1. In the **Connected Accounts** section, select the desired OmniAuth provider, such as Twitter.
+1. In the **Connected Accounts** section, select the OmniAuth provider, such as Twitter.
-1. The user is redirected to the provider. After the user authorizes GitLab,
+1. You are redirected to the provider. After you authorize GitLab,
-   they are redirected back to GitLab.
+   you are redirected back to GitLab.
-The chosen OmniAuth provider is now active and can be used to sign in to GitLab from then on.
+You can now use your chosen OmniAuth provider to sign in to GitLab.
 ## Link existing users to OmniAuth users
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/36664) in GitLab 13.4.
 You can automatically link OmniAuth users with existing GitLab users if their email addresses match.
-Automatic linking using this method works for all providers
-[except the SAML provider](https://gitlab.com/gitlab-org/gitlab/-/issues/338293). For automatic
-linking using the SAML provider, see [SAML-specific](saml.md#general-setup) instructions.
-As an example, the following configuration is used to enable the auto link
+The following example enables automatic linking
-feature for both an **OpenID Connect provider** and a **Twitter OAuth provider**.
+for the OpenID Connect provider and the Twitter OAuth provider.
 - **For Omnibus installations**
@@ -155,18 +151,23 @@ feature for both an **OpenID Connect provider** and a **Twitter OAuth provider**
    auto_link_user: ["openid_connect", "twitter"]
  ```
-## Configure OmniAuth providers as external
+This method of enabling automatic linking works for all providers
+[except SAML](https://gitlab.com/gitlab-org/gitlab/-/issues/338293).
+To enable automatic linking for SAML, see the [SAML setup instructions](saml.md#general-setup).
-You can define which OmniAuth providers you want to be `external`. Users
+## Create an external providers list
-creating accounts, or logging in by using these `external` providers cannot have
-access to internal projects. You must use the full name of the provider,
+You can define a list of external OmniAuth providers.
-like `google_oauth2` for Google. Refer to the examples for the full names of the
+Users who create accounts or sign in to GitLab through the listed providers do not get access to [internal projects](../public_access/public_access.md#internal-projects-and-groups).
-supported providers.
+To define the external providers list, use the full name of the provider,
+for example, `google_oauth2` for Google. For provider names, see the
+**OmniAuth provider name** column in the [supported providers table](#supported-providers).
 NOTE:
-If you decide to remove an OmniAuth provider from the external providers list,
+If you remove an OmniAuth provider from the external providers list,
-you must manually update the users that use this method to sign in if you want
+you must manually update the users that use this sign-in method so their
-their accounts to be upgraded to full internal accounts.
+accounts are upgraded to full internal accounts.
 - **For Omnibus installations**
@@ -184,70 +185,67 @@ their accounts to be upgraded to full internal accounts.
 ## Use a custom OmniAuth provider
 NOTE:
-The following information only applies for installations from source.
+The following information only applies to installations from source.
-GitLab uses [OmniAuth](https://github.com/omniauth/omniauth) for authentication and already ships
+If you have to integrate with an authentication solution other than the [OmniAuth](https://github.com/omniauth/omniauth) providers included with GitLab,
-with a few providers pre-installed, such as LDAP, GitHub, and Twitter. You may also
+you can use a custom OmniAuth provider.
-have to integrate with other authentication solutions. For
-these cases, you can use the OmniAuth provider.
-These steps are fairly general and you must figure out the exact details
+These steps are general. Read the OmniAuth provider's documentation for the exact
-from the OmniAuth provider's documentation.
+implementation details.
- Stop GitLab:
+1. Stop GitLab:
-  ```shell
+   ```shell
-  sudo service gitlab stop
+   sudo service gitlab stop
-  ```
+   ```
- Add the gem to your [`Gemfile`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/Gemfile):
+1. Add the gem to your [`Gemfile`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/Gemfile):
-  ```shell
+   ```shell
-  gem "omniauth-your-auth-provider"
+   gem "omniauth-your-auth-provider"
-  ```
+   ```
- Install the new OmniAuth provider gem by running the following command:
+1. Install the new OmniAuth provider gem:
-  ```shell
+   ```shell
-  sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
+   sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
-  ```
+   ```
-  > These are the same commands you used during initial installation in the [Install Gems section](../install/installation.md#install-gems) with `--path vendor/bundle --no-deployment` instead of `--deployment`.
+   These commands are the same as the commands for [installing gems](../install/installation.md#install-gems)
+   during initial installation, with `--path vendor/bundle --no-deployment` instead of `--deployment`.
- Start GitLab:
+1. Start GitLab:
-  ```shell
+   ```shell
-  sudo service gitlab start
+   sudo service gitlab start
-  ```
+   ```
 ### Custom OmniAuth provider examples
-If you have successfully set up a provider that is not shipped with GitLab itself,
+If you have successfully set up a provider that is not already integrated with GitLab,
-please let us know.
+let us know.
-While we can't officially support every possible authentication mechanism out there,
+We can't officially support every possible authentication mechanism available,
-we'd like to at least help those with specific needs.
+but we'd like to at least help those with specific needs.
 ## Enable or disable sign-in with an OmniAuth provider without disabling import sources
-Administrators are able to enable or disable **Sign In** by using some OmniAuth providers.
+Administrators can enable or disable sign-in for some OmniAuth providers.
 NOTE:
-By default, **Sign In** is enabled by using all the OAuth Providers that have been configured in `config/gitlab.yml`.
+By default, sign-in is enabled for all the OAuth providers configured in `config/gitlab.yml`.
-To enable/disable an OmniAuth provider:
+To enable or disable an OmniAuth provider:
 1. On the top bar, select **Menu > Admin**.
-1. On the left sidebar, go to **Settings**.
+1. On the left sidebar, select **Settings**.
-1. Scroll to the **Sign-in Restrictions** section, and click **Expand**.
+1. Expand **Sign-in restrictions**.
-1. Below **Enabled OAuth Sign-In sources**, select the checkbox for each provider you want to enable or disable.
+1. In the **Enabled OAuth authentication sources** section, select or clear the checkbox for each provider you want to enable or disable.
-   ![Enabled OAuth Sign-In sources](img/enabled-oauth-sign-in-sources_v13_10.png)
 ## Disable OmniAuth
-Starting from version 11.4 of GitLab, OmniAuth is enabled by default. This only
+In GitLab 11.4 and later, OmniAuth is enabled by default. However, OmniAuth only works
-has an effect if providers are configured and [enabled](#enable-or-disable-sign-in-with-an-omniauth-provider-without-disabling-import-sources).
+if providers are configured and [enabled](#enable-or-disable-sign-in-with-an-omniauth-provider-without-disabling-import-sources).
 If OmniAuth providers are causing problems even when individually disabled, you
 can disable the entire OmniAuth subsystem by modifying the configuration file:
@@ -267,7 +265,8 @@ can disable the entire OmniAuth subsystem by modifying the configuration file:
 ## Keep OmniAuth user profiles up to date
-You can enable profile syncing from selected OmniAuth providers and for all or for specific user information.
+You can enable profile syncing from selected OmniAuth providers. You can sync
+all or specific user information.
 When authenticating using LDAP, the user's name and email are always synced.
@@ -288,13 +287,20 @@ When authenticating using LDAP, the user's name and email are always synced.
 ## Bypass two-factor authentication
-In GitLab 12.3 or later, users can sign in with specified providers _without_
+> Introduced in GitLab 12.3.
-using two factor authentication.
+With certain OmniAuth providers, users can sign in without
+using two-factor authentication.
+To bypass two-factor authentication, you can either:
-Define the allowed providers using an array (for example, `["twitter", 'google_oauth2']`),
+- Define the allowed providers using an array (for example, `['twitter', 'google_oauth2']`).
-or as `true` or `false` to allow all providers (or none). This option should be
+- Specify `true` to allow all providers, or `false` to allow none.
-configured only for providers which already have two factor authentication
-(default: false). This configuration doesn't apply to SAML.
+This option should be configured only for providers that already have
+two-factor authentication. The default is `false`.
+This configuration doesn't apply to SAML.
 - **For Omnibus package**
@@ -313,10 +319,10 @@ configured only for providers which already have two factor authentication
 You can add the `auto_sign_in_with_provider` setting to your GitLab
 configuration to redirect login requests to your OmniAuth provider for
-authentication. This removes the need to click a button before actually signing in.
+authentication. This removes the need to select the provider before signing in.
-For example, when using the [Azure v2 integration](azure.md#microsoft-azure-oauth-20-omniauth-provider-v2), set the following to enable auto
+For example, to enable automatic sign-in for the
-sign-in:
+[Azure v2 integration](azure.md#microsoft-azure-oauth-20-omniauth-provider-v2):
 - **For Omnibus package**
@@ -332,10 +338,10 @@ sign-in:
  ```
 Keep in mind that every sign-in attempt is redirected to the OmniAuth
-provider; you can't sign in using local credentials. Ensure at least
+provider, so you can't sign in using local credentials. Ensure at least
-one of the OmniAuth users has an administrator role.
+one of the OmniAuth users is an administrator.
-You may also bypass the auto sign in feature by browsing to
+You can also bypass automatic sign-in by browsing to
 `https://gitlab.example.com/users/sign_in?auto_sign_in=false`.
 ## Passwords for users created via OmniAuth
@@ -344,11 +350,12 @@ The [Generated passwords for users created through integrated authentication](..
 guide provides an overview about how GitLab generates and sets passwords for
 users created with OmniAuth.
-## Custom OmniAuth provider icon
+## Use a custom OmniAuth provider icon
 Most supported providers include a built-in icon for the rendered sign-in button.
-After you ensure your image is optimized for rendering at 64 x 64 pixels,
-you can override this icon in one of two ways:
+To use your own icon, ensure your image is optimized for rendering at 64 x 64 pixels,
+then override the icon in one of two ways:
 - **Provide a custom image path**:
@@ -359,11 +366,11 @@ you can override this icon in one of two ways:
     to your GitLab configuration file. Read [OpenID Connect OmniAuth provider](../administration/auth/oidc.md)
     for an example for the OpenID Connect provider.
- **Directly embed an image in a configuration file**: This example creates a Base64-encoded
+- **Embed an image directly in a configuration file**: This example creates a Base64-encoded
  version of your image you can serve through a
  [Data URL](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs):
-  1. Encode your image file with GNU `base64` command (such as `base64 -w 0 <logo.png>`)
+  1. Encode your image file with a GNU `base64` command (such as `base64 -w 0 <logo.png>`)
     which returns a single-line `<base64-data>` string.
  1. Add the Base64-encoded data to a custom `icon` parameter in your GitLab
     configuration file: