redmine sso (with google workspace)

양들의침묵1 2022. 5. 18. 11:46
Logging in to Redmine with a Google Workspace account

1. Install the Redmine OmniAuth SAML plugin

# cd /var/www/redmine/plugins/
# git clone https://github.com/chrodriguez/redmine_omniauth_saml.git
# cd /var/www/redmine/plugins/redmine_omniauth_saml
# cd /var/www/redmine

[root@localhost redmine]# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this
machine.
/usr/share/gems/gems/psych-3.1.0/lib/psych.rb:233: warning: already initialized constant Psych::LIBYAML_VERSION
/usr/share/ruby/psych.rb:233: warning: previous definition of LIBYAML_VERSION was here
/usr/share/gems/gems/psych-3.1.0/lib/psych.rb:235: warning: already initialized constant Psych::NOT_GIVEN
/usr/share/ruby/psych.rb:235: warning: previous definition of NOT_GIVEN was here
Fetching gem metadata from https://rubygems.org/.........
Resolving dependencies.......
Using rake 13.0.6
Using concurrent-ruby 1.1.10
Using minitest 5.15.0
Using thread_safe 0.3.6
Using builder 3.2.4
Using erubi 1.10.0
Using racc 1.6.0
Using crass 1.0.6
Using rack 2.2.3
Using nio4r 2.5.8
Using websocket-extensions 0.1.5
Using mini_mime 1.0.3
Using method_source 1.0.0
Using thor 1.2.1
Using arel 9.0.0
Using marcel 1.0.2
Using public_suffix 4.0.7
Using bundler 2.3.12
Using chunky_png 1.4.0
Using httpclient 2.8.3
Using systemu 2.6.5
Using mini_magick 4.11.0
Using mysql2 0.5.4
Using net-ldap 0.17.0
Using ruby-openid 2.9.2
Using rbpdf-font 1.19.1
Using redcarpet 3.5.1
Using rotp 6.2.0
Using rouge 3.26.1
Using rqrcode_core 1.2.0
Using rubyzip 2.3.2
Using i18n 1.8.11
Using tzinfo 1.2.9
Using nokogiri 1.11.7 (x86_64-linux)
Using rack-test 1.1.0
Using websocket-driver 0.7.5
Using mail 2.7.1
Using addressable 2.8.0
Using sprockets 4.0.3
Using request_store 1.5.1
Using hashie 5.0.0
Using csv 3.1.9
Using htmlentities 4.3.4
Using loofah 2.17.0
Using css_parser 1.11.0
Using macaddr 1.7.2
Using omniauth 1.9.1
Using rack-openid 1.4.2
Using rqrcode 2.1.1
Using activesupport 5.2.6
Using rails-html-sanitizer 1.4.2
Using uuid 2.3.9
Using rails-dom-testing 2.0.3
Using roadie 4.0.0
Using activemodel 5.2.6
Using actionview 5.2.6
Using ruby-saml 0.9.4
Using globalid 1.0.0
Using rbpdf 1.20.1
Using actionpack 5.2.6
Using activejob 5.2.6
Using activerecord 5.2.6
Fetching omniauth-saml-cespi 1.3.1
Using actioncable 5.2.6
Using sprockets-rails 3.4.2
Using actionmailer 5.2.6
Using activestorage 5.2.6
Using railties 5.2.6
Using actionpack-xml_parser 2.0.1
Using roadie-rails 2.2.0
Using rails 5.2.6
Installing omniauth-saml-cespi 1.3.1
Bundle complete! 40 Gemfile dependencies, 71 gems now installed.
Gems in the groups 'development' and 'test' were not installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

[root@localhost redmine]# RAILS_ENV=production bundle exec rake redmine:plugins
[root@localhost redmine]# systemctl restart httpd

[root@localhost redmine]# cp plugins/redmine_omniauth_saml/sample-saml-initializers.rb config/initializers/saml.rb

[root@localhost redmine]# vim /var/www/redmine/config/initializers/saml.rb

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://pms.abc.com/auth/saml/callback", # OmniAuth callback URL
    :issuer                         => "https://pms.abc.com",      # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
    :single_logout_service_url      => "https://pms.abc.com/auth/saml/sls",      # The SLS (logout) callback URL
    :idp_sso_target_url             => "https://accounts.google.com/o/saml2/idp?idpid=xxxxxx", # SSO login endpoint
    :idp_cert_fingerprint           => "B5:53:01:3D:59:04:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :idp_slo_target_url             => "https://pms.abc.com/auth/saml/sls",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
    # How will we map attributes from SSO to redmine attributes.
    # The names after 'extra.raw_info.' must match the attribute names mapped in the Google SAML app.
      :login      => 'extra.raw_info.email',
      :mail       => 'extra.raw_info.email',
      :firstname  => 'extra.raw_info.firstname',
      :lastname   => 'extra.raw_info.lastname'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end
 

[root@localhost redmine]# systemctl restart httpd
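
The `:idp_cert_fingerprint` value in the configuration above can be computed and checked locally rather than with an online tool. The following is an added example, not code from the plugin or from the original post; `cert_fingerprint`, `normalize_fp`, `check_saml_settings` and `sample_idp_pem` are hypothetical helper names, and the self-signed certificate is constructed to stand in for the IdP certificate downloaded from the Google SAML app.

```ruby
require 'openssl'
require 'digest'
require 'uri'

# SHA-1 fingerprint of a PEM certificate as colon-separated upper-case hex,
# the format used for :idp_cert_fingerprint.
def cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  Digest::SHA1.hexdigest(der).upcase.scan(/../).join(':')
end

# Fingerprints are compared without regard to case, colons or spaces.
def normalize_fp(fingerprint)
  fingerprint.to_s.delete(': ').upcase
end

# Returns a list of problems found in a config.saml-style hash (empty = OK).
def check_saml_settings(saml, idp_pem, now: Time.now)
  problems = []
  cert = OpenSSL::X509::Certificate.new(idp_pem)
  if normalize_fp(saml[:idp_cert_fingerprint]) != normalize_fp(cert_fingerprint(idp_pem))
    problems << 'idp_cert_fingerprint does not match the IdP certificate'
  end
  problems << 'IdP certificate is expired' if cert.not_after < now
  %i[assertion_consumer_service_url idp_sso_target_url].each do |key|
    uri = URI.parse(saml[key].to_s) rescue nil
    problems << "#{key} is not an https URL" unless uri.is_a?(URI::HTTPS)
  end
  problems
end

# Constructed self-signed certificate standing in for the IdP certificate
# downloaded from the Google SAML app (assumption: you have it as PEM).
def sample_idp_pem
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=constructed-idp.example')
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

In real use, pass the contents of the PEM file downloaded from Google instead of `sample_idp_pem`, together with the same hash that is assigned to `config.saml`.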

This completes the plugin setup.
Next is the Google Workspace side.

Sign in to Google Workspace, then go to
Apps --> Web and mobile apps --> Add app --> Add custom SAML app

This completes the Google Workspace setup.

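Sign in to Redmine and go to Administration --> Plugins --> Redmine Omniauth SAML plugin to configure it.

Now when you open Redmine you can see that a link has been added, as shown below,

and clicking that link takes you to the My page of your account, as shown below.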

 

 

References
1. Redmine OmniAuth SAML plugin

https://github.com/chrodriguez/redmine_omniauth_saml

2. SSO setup for integrating Google Workspace with Redmine

https://coder-question-ko.com/cq-ko-blog/109334
https://www.geekfeed.co.jp/geekblog/google-workspace-redmine-saml-sso

3. Setting up your own custom SAML application

https://support.google.com/a/answer/6087519?hl=ko

4. fingerprint

https://www.samltool.com/fingerprint.php
