Document TLS auth for external authorization

d8812e58 · Bob Van Landuyt · 15c4ebf9 · d8812e58 · d8812e58 · 15c4ebf9
Commit d8812e58 authored Mar 21, 2018 by Bob Van Landuyt
3 changed files
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -173,7 +173,9 @@ PUT /application/settings
 | `external_authorization_service_enabled` | boolean | no | Enable using an external authorization service for accessing projects |
 | `external_authorization_service_url` | string | no | URL to which authorization requests will be directed |
 | `external_authorization_service_default_label` | string | no | The default classification label to use when requesting authorization and no classification label has been specified on the project |
-| `external_authorization_service_timeout` | float | no | The timeout to enforce when performing requests to the external authorization service |
+| `external_auth_client_cert` | string | no | The certificate to use to authenticate with the external authorization service |
+| `external_auth_client_key` | string | no | Private key for the certificate when authentication is required for the external authorization service, this is encrypted when stored |
+| `external_auth_client_key_pass` | string | no | Passphrase to use for the private key when authenticating with the external service this is encrypted when stored |

 ```bash
 curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/application/settings?signup_enabled=false&default_project_visibility=internal

--- a/doc/user/admin_area/settings/external_authorization.md
+++ b/doc/user/admin_area/settings/external_authorization.md
@@ -43,9 +43,21 @@ The available required properties are:
 - **External authorization request timeout**: The timeout after which an
  authorization request is aborted. When a request times out, access is denied
  to the user.
+- **Client authentication certificate**: The certificate to use to authenticate
+  with the external authorization service.
+- **Client authentication key**: Private key for the certificate when
+  authentication is required for the external authorization service, this is
+  encrypted when stored.
+- **Client authentication key password**: Passphrase to use for the private key when authenticating with the external service this is encrypted when stored.
 - **Default classification label**: The classification label to use when
  requesting authorization if no specific label is defined on the project

+When using TLS Authentication with a self signed certificate, the CA certificate
+needs to be trused by the openssl installation. When using GitLab installed using
+Omnibus, learn to install a custom CA in the
+[omnibus documentation][omnibus-ssl-docs]. Alternatively learn where to install
+custom certificates using `openssl version -d`.
+
 ## How it works

 When GitLab requests access, it will send a JSON POST request to the external
@@ -90,3 +102,5 @@ label defined in the [global settings](#configuration) will be used.
 The label will be shown on all project pages in the upper right corner.

 ![classification label on project page](img/classification_label_on_project_page.png)
+
+[omnibus-ssl-docs]: https://docs.gitlab.com/omnibus/settings/ssl.html
--- a/doc/user/admin_area/settings/img/external_authorization_service_settings.png
+++ b/doc/user/admin_area/settings/img/external_authorization_service_settings.png