upt playbook

bookstack/docker-compose.yml

@@ -14,6 +14,35 @@ services:
       DB_USER: bookstack
       DB_PASS: /run/secrets/db_password
       DB_DATABASE: bookstackapp
+      # Set authentication method to be saml2
+      AUTH_METHOD: saml2
+      # Control if BookStack automatically initiates login via your SAML system if it's the only authentication method.
+      # Prevents the need for the user to click the "Login with x" button on the login page.
+      # Setting this to true enables auto-initiation.
+      AUTH_AUTO_INITIATE: true
+      # Set the display name to be shown on the login button.
+      # (Login with <name>)
+      SAML2_NAME: authentik
+      # Name of the attribute which provides the user's email address
+      SAML2_EMAIL_ATTRIBUTE: email
+      # Name of the attribute to use as an ID for the SAML user.
+      SAML2_EXTERNAL_ID_ATTRIBUTE: uid
+      # Enable SAML group sync.
+      SAML2_USER_TO_GROUPS: true
+      # Set the attribute from which BookStack will read groups names from.
+      # You will need to rename your roles in Bookstack to match your groups in authentik.
+      SAML2_GROUP_ATTRIBUTE: http://schemas.xmlsoap.org/claims/Group
+      # Name of the attribute(s) to use for the user's display name
+      # Can have multiple attributes listed, separated with a '|' in which
+      # case those values will be joined with a space.
+      # Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName
+      # Defaults to the ID value if not found.
+      SAML2_DISPLAY_NAME_ATTRIBUTES: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
+      # Identity Provider entityID URL
+      SAML2_IDP_ENTITYID: https://auth.sectorq.eu/api/v3/providers/saml/10/metadata/?download
+      # Auto-load metadata from the IDP
+      # Setting this to true negates the need to specify the next three options
+      SAML2_AUTOLOAD_METADATA: true
     volumes:
       - /share/docker_data/bookstrap/bookstack_app_data:/config
     ports:

gitlab/docker-compose.yml

@@ -11,28 +11,6 @@ services:
         external_url 'https://gitlab.sectorq.eu'
         nginx['listen_port'] = 80
         nginx['listen_https'] = false
-        gitlab_rails['ldap_enabled'] = true
-        gitlab_rails['ldap_servers'] = {
-          'main' => {
-            'label' => 'LDAP',
-            'host' =>  '192.168.77.106',
-            'port' => 1389,
-            'uid' => 'sAMAccountName',
-            'base' => 'dc=sectorq,dc=eu'
-            'bind_dn' => 'CN=admin,DC=sectorq,DC=eu',
-            'password' => '$LDAP_ADMIN_PASSWORD',
-            'encryption' => 'plain',
-            'verify_certificates' => false,
-            'timeout' => 10,
-            'active_directory' => false,
-            'user_filter' => '(memberOf=cn=gitlab,ou=group,dc=sectorq,dc=eu)',
-            'base' => 'ou=people,dc=sectorq,dc=eu',
-            'lowercase_usernames' => 'false',
-            'retry_empty_result_with_codes' => [80],
-            'allow_username_or_email_login' => false,
-            'block_auto_created_users' => false
-          }
-        },
         gitlab_rails['omniauth_enabled'] = true
         gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
         gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
@@ -48,7 +26,7 @@ services:
               assertion_consumer_service_url: 'https://gitlab.sectorq.eu/users/auth/saml/callback',
               # Shown when navigating to certificates in authentik
               idp_cert_fingerprint: '1b:af:1e:f8:3f:b1:57:e6:b0:62:f6:59:25:48:1e:9c:c3:9b:36:9e',
-              idp_sso_target_url: 'https://auth.sectorq.eu/application/saml/<authentik application slug>/sso/binding/redirect/',
+              idp_sso_target_url: 'https://auth.sectorq.eu/application/saml/gitlab/sso/binding/redirect/',
               issuer: 'https://gitlab.sectorq.eu',
               name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
               attribute_statements: {
@@ -60,6 +38,29 @@ services:
             label: 'authentik'
           }
         ]
+        # gitlab_rails['ldap_enabled'] = true
+        # gitlab_rails['ldap_servers'] = {
+        #   'main' => {
+        #     'label' => 'LDAP',
+        #     'host' =>  '192.168.77.106',
+        #     'port' => 1389,
+        #     'uid' => 'sAMAccountName',
+        #     'base' => 'dc=sectorq,dc=eu'
+        #     'bind_dn' => 'CN=admin,DC=sectorq,DC=eu',
+        #     'password' => '$LDAP_ADMIN_PASSWORD',
+        #     'encryption' => 'plain',
+        #     'verify_certificates' => false,
+        #     'timeout' => 10,
+        #     'active_directory' => false,
+        #     'user_filter' => '(memberOf=cn=gitlab,ou=group,dc=sectorq,dc=eu)',
+        #     'base' => 'ou=people,dc=sectorq,dc=eu',
+        #     'lowercase_usernames' => 'false',
+        #     'retry_empty_result_with_codes' => [80],
+        #     'allow_username_or_email_login' => false,
+        #     'block_auto_created_users' => false
+        #   }
+        # }
+        
     hostname: 'gitlab.sectorq.eu'
     ports:
       - '8780:80'