DFN-AAI SAML Integration with git.nrw
git.nrw Service Provider
The EntityID of the git.nrw Service Provider (SP) is https://login.git.nrw/saml2sp/saml2_backend.xml.
To participate in the service, the Identity Provider (IdP) of the participating university must transmit specific attributes to the SP. These attributes are primarily used internally by GitLab to create accounts and keep account data up to date.
Requirements for Connecting the Participating University
Before connecting to the SP, the participating university must provide its framework parameters so they can be activated for the service. These are:
- the EntityID of its production IdP
- if desired: user groups (affiliations) that should be excluded from participating in gitlab.git.nrw. By default, the following are allowed: ‘member’, ‘staff’, ‘employee’, ‘faculty’ and ‘student’.
The SP rejects every EntityID and every affiliation that is not explicitly allowed, so that no unauthorized institution can reach the service. A valid EntityID string is only added once you have provided it to us.
The same restriction applies to user groups (affiliations). If your institution decides not to allow certain user groups to participate, we can additionally filter them out on the git.nrw side, independently of what your IdP releases.
Required Attributes for Registration and Login
The following attributes are mandatory in order to register and log in to gitlab.git.nrw:
| Attribute | Mandatory | Reference |
|---|---|---|
| unique, persistent, personal ID: persistentID, or pairwiseID, or eduPersonTargetedID | yes | DFN Docs |
| mail | yes | DFN Docs |
| displayName | yes | DFN Docs |
| eduPersonScopedAffiliation | yes | DFN Docs |
| schacHomeOrganization | yes | DFN Docs |
| eduPersonEntitlement | optional | DFN Docs |
| givenName | optional | DFN Docs |
| sn | optional | DFN Docs |
These attributes must be transmitted by the IdP of the participating university to the git.nrw SP. Without the mandatory attributes it is not possible to log in to gitlab.git.nrw.
Participation of the university’s IdP in IDM.nrw, and the DFN-AAI entity category that results from it, is generally sufficient, since the attributes listed above are normally released by default in that case.
Use of Attributes on the git.nrw Side
The attributes listed above are processed as follows:
ID (‘pairwiseID’ or ‘subjectID’ or ‘persistentID’ or ’eduPersonTargetedID’)
Used to associate the authenticating user with the GitLab account.
Email Address (‘mail’)
mail is used by the GitLab service to contact account holders for various purposes (notifications, general information, status updates, security warnings, etc.).
If no previous SAML login with this ID has taken place, the email address is also used to find the GitLab account the login should be linked to.
Once the account exists, the email address associated with it can later be changed by the user at will inside GitLab.
Display Name (‘displayName’)
The displayName is shown as the “Full Name” within GitLab for the corresponding account and cannot be changed by the user.
Affiliation (’eduPersonScopedAffiliation’)
The affiliation is used to verify basic eligibility to participate, and therefore access to GitLab at all (at least ‘member’ is required). Optionally, it is also used to assign the account to specific GitLab-internal groups and/or related permissions based on the affiliation values (member/employee/staff/faculty/student).
Home Organization (‘schacHomeOrganization’)
Used to determine the origin of a user account, as well as optional assignment to organization-specific internal groups and internal access rights.
Permissions (’eduPersonEntitlement’)
Used to assign rights and roles based on defined entitlements, both for administrative management by universities and to derive GitLab-internal group memberships or extended permissions.
The exact entitlement values to be transmitted and used are still to be defined.
At minimum, the entitlements defined by idm.nrw are expected to be applied.
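The following is an added example, not git.nrw’s own code, of how an SP in front of GitLab would apply the rules described in the connection requirements and in this section: accept only registered IdP EntityIDs, require the mandatory attributes, select the persistent ID, check that scoped values actually belong to the registered institution, and reduce the asserted affiliations to the permitted set (defaults minus the institution’s exclusions). The registry entries, the IdP EntityID, the scope `uni-example.de`, the sample attribute values and the entitlement string are all constructed for illustration; the preference order among the ID attributes and the scope check on pairwiseID/subjectID are assumptions that reflect common SP practice, not documented git.nrw behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass

# Affiliations allowed by default, as stated on this page.
DEFAULT_ALLOWED_AFFILIATIONS = frozenset({"member", "staff", "employee", "faculty", "student"})
# Attributes accepted as the persistent user ID. The preference order is an assumption.
ID_ATTRIBUTES = ("pairwiseID", "subjectID", "persistentID", "eduPersonTargetedID")
# Mandatory attributes besides the ID, per the table above.
REQUIRED_ATTRIBUTES = ("mail", "displayName", "eduPersonScopedAffiliation", "schacHomeOrganization")


@dataclass(frozen=True)
class Institution:
    """What a participating university registers with the SP operator."""
    entity_id: str
    scope: str                                   # expected schacHomeOrganization / attribute scope
    excluded_affiliations: frozenset = frozenset()


@dataclass(frozen=True)
class GitLabIdentity:
    """The fields handed to GitLab after a successful policy check."""
    uid: str
    email: str
    name: str
    home_org: str
    affiliations: frozenset
    entitlements: tuple


class AccessDenied(Exception):
    pass


def _scoped(value: str) -> tuple[str, str]:
    """Split 'value@scope' into (value, scope); unscoped values get an empty scope."""
    left, sep, right = value.rpartition("@")
    return (left, right) if sep else (value, "")


def evaluate_login(issuer: str, attrs: dict[str, list[str]],
                   registry: dict[str, Institution]) -> GitLabIdentity:
    """Apply the SP-side policy to the attributes of one SAML assertion.

    `attrs` maps attribute names to value lists (SAML attributes are multi-valued).
    """
    inst = registry.get(issuer)
    if inst is None:
        raise AccessDenied(f"IdP {issuer} is not registered for the service")

    missing = [a for a in REQUIRED_ATTRIBUTES if not attrs.get(a)]
    if missing:
        raise AccessDenied(f"missing required attributes: {', '.join(missing)}")

    home_org = attrs["schacHomeOrganization"][0]
    if home_org != inst.scope:
        raise AccessDenied(f"schacHomeOrganization {home_org!r} does not match {inst.scope!r}")

    uid = None
    for name in ID_ATTRIBUTES:
        values = attrs.get(name)
        if not values:
            continue
        _, scope = _scoped(values[0])
        # pairwiseID/subjectID carry a scope; an IdP must not assert IDs for another scope.
        if scope and scope != inst.scope:
            raise AccessDenied(f"{name} scope {scope!r} does not match {inst.scope!r}")
        uid = f"{name}:{values[0]}"              # qualify with the attribute name to avoid collisions
        break
    if uid is None:
        raise AccessDenied("no persistent user ID attribute present")

    allowed = DEFAULT_ALLOWED_AFFILIATIONS - inst.excluded_affiliations
    affiliations = set()
    for value in attrs["eduPersonScopedAffiliation"]:
        aff, scope = _scoped(value)
        if scope != inst.scope:
            continue                             # affiliation asserted for a foreign scope: ignore
        if aff in allowed:
            affiliations.add(aff)
    if not affiliations:
        raise AccessDenied("no permitted affiliation")

    return GitLabIdentity(uid=uid, email=attrs["mail"][0], name=attrs["displayName"][0],
                          home_org=home_org, affiliations=frozenset(affiliations),
                          entitlements=tuple(attrs.get("eduPersonEntitlement", [])))


def login_allowed(issuer: str, attrs: dict[str, list[str]],
                  registry: dict[str, Institution]) -> bool:
    try:
        evaluate_login(issuer, attrs, registry)
        return True
    except AccessDenied:
        return False


# Constructed sample data: a hypothetical university that excludes students.
ISSUER = "https://idp.uni-example.de/idp/shibboleth"
REGISTRY = {ISSUER: Institution(entity_id=ISSUER, scope="uni-example.de",
                                excluded_affiliations=frozenset({"student"}))}
SAMPLE_ATTRS = {
    "pairwiseID": ["5b2c0a7e1d9f@uni-example.de"],
    "mail": ["e.mustermann@uni-example.de"],
    "displayName": ["Erika Mustermann"],
    "eduPersonScopedAffiliation": ["member@uni-example.de", "staff@uni-example.de",
                                   "student@uni-example.de"],
    "schacHomeOrganization": ["uni-example.de"],
    "eduPersonEntitlement": ["urn:example:placeholder-entitlement"],   # constructed placeholder
}

if __name__ == "__main__":
    print(evaluate_login(ISSUER, SAMPLE_ATTRS, REGISTRY))
```

Note that the affiliation ‘student’ in the sample is dropped rather than causing a rejection: the user is still a ‘member’ and ‘staff’, so the login succeeds with those two affiliations. A user who is only ‘student’ at this institution is rejected, as is an assertion whose scoped values do not belong to the registered scope.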
Rights Management with eduPersonEntitlement
If predefined eduPersonEntitlement strings are transmitted by the local IdPs during SAML login, specific permissions in GitLab or in a connected management tool can be derived from them.
Rights management based on entitlements and a remote management tool is currently still in planning or development. Therefore, no discrete entitlement strings have been established yet.