Commit fa711cfd authored by Mike Jang

Merge branch '225503-document-omniauth-social-sign-in-password-security' into 'master'

Resolve "Document OmniAuth/Social sign-in password security"

See merge request gitlab-org/gitlab!39413
parents 23e8e42f 16971745
...@@ -310,6 +310,10 @@ attribute. As a prerequisite, you must use an LDAP server that: ...@@ -310,6 +310,10 @@ attribute. As a prerequisite, you must use an LDAP server that:
1. Save the file and [restart](../restart_gitlab.md#installations-from-source) 1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
GitLab for the changes to take effect. GitLab for the changes to take effect.
## Passwords for users created via smartcard authentication
The [Generated passwords for users created through integrated authentication](../../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via smartcard authentication.
<!-- ## Troubleshooting <!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues Include any troubleshooting steps that you can foresee. If you know beforehand what issues
......
...@@ -324,3 +324,7 @@ of the OmniAuth users has admin permissions. ...@@ -324,3 +324,7 @@ of the OmniAuth users has admin permissions.
You may also bypass the auto signin feature by browsing to You may also bypass the auto signin feature by browsing to
`https://gitlab.example.com/users/sign_in?auto_sign_in=false`. `https://gitlab.example.com/users/sign_in?auto_sign_in=false`.
## Passwords for users created via OmniAuth
The [Generated passwords for users created through integrated authentication](../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via OmniAuth.
...@@ -584,6 +584,10 @@ These attributes define the SAML user. If users can change these attributes, the ...@@ -584,6 +584,10 @@ These attributes define the SAML user. If users can change these attributes, the
Refer to the documentation for your SAML Identity Provider for information on how to fix these attributes. Refer to the documentation for your SAML Identity Provider for information on how to fix these attributes.
## Passwords for users created via SAML
The [Generated passwords for users created through integrated authentication](../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via SAML.
## Troubleshooting ## Troubleshooting
You can find the base64-encoded SAML Response in the [`production_json.log`](../administration/logs.md#production_jsonlog). You can find the base64-encoded SAML Response in the [`production_json.log`](../administration/logs.md#production_jsonlog).
......
...@@ -7,6 +7,7 @@ type: index ...@@ -7,6 +7,7 @@ type: index
- [Password storage](password_storage.md) - [Password storage](password_storage.md)
- [Password length limits](password_length_limits.md) - [Password length limits](password_length_limits.md)
- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md)
- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md)
- [Rate limits](rate_limits.md) - [Rate limits](rate_limits.md)
- [Webhooks and insecure internal web services](webhooks.md) - [Webhooks and insecure internal web services](webhooks.md)
......
---
type: reference
---
# Generated passwords for users created through integrated authentication
GitLab allows users to set up accounts through integration with external [authentication and authorization providers](../administration/auth/README.md).
These authentication methods do not require the user to explicitly create a password for their accounts.
However, to maintain data consistency, GitLab requires passwords for all user accounts.
For such accounts, we use the [`friendly_token`](https://github.com/heartcombo/devise/blob/f26e05c20079c9acded3c0ee16da0df435a28997/lib/devise.rb#L492) method provided by the Devise gem to generate a random, unique and secure password and sets it as the account password during sign up.
The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Devise configuation. The default value is 128 characters.
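Review bot: the two sentences describing how the password is generated carry wording errors that should be fixed before merge. On the `friendly_token` line, "generate a random, unique and secure password and sets it as the account password" should read "and set it" (the subject is "we use ... to generate ... and set"), and the final line should read "The length of the generated password is set based on the value of [maximum password length](...) as set in the Devise configuration" (drop the stray "the" and correct "configuation"). Separately, the page never says what happens to that generated password after sign-up: whether it is ever shown to the user, whether it can be used on the standard sign-in form, or whether the user can change it. Since this page sits in the security section and every linked page sends readers here for an "overview", a sentence answering that is what a reader will be looking for; "to maintain data consistency" could likewise be made concrete (for example, if the reason is that the user model requires a password to be present, say so). Pinning the Devise link to a commit SHA is good, since a link to a line number on `master` would rot.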
...@@ -301,6 +301,10 @@ Group SAML on a self-managed instance is limited when compared to the recommende ...@@ -301,6 +301,10 @@ Group SAML on a self-managed instance is limited when compared to the recommende
- { name: 'group_saml' } - { name: 'group_saml' }
``` ```
## Passwords for users created via SAML SSO for Groups
The [Generated passwords for users created through integrated authentication](../../../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via SAML SSO for Groups.
## Troubleshooting ## Troubleshooting
This section contains possible solutions for problems you might encounter. This section contains possible solutions for problems you might encounter.
......