diff --git a/website/integrations/services/gitlab/index.md b/website/integrations/services/gitlab/index.md index 5460194013e3..9ad16bee7684 100644 --- a/website/integrations/services/gitlab/index.md +++ b/website/integrations/services/gitlab/index.md @@ -10,7 +10,21 @@ title: GitLab > > -- https://about.gitlab.com/what-is-gitlab/ -## Preparation +:::info +In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication. +::: + +## Authentication + +There are 2 ways to configure single sign on (SSO) for GitLab: + +- [via SAML](#saml-auth) +- [via OIDC Connect (OAuth)](#openid-connect-auth) + + +### SAML auth + +#### Preparation The following placeholders will be used: @@ -26,11 +40,13 @@ Create an application in authentik and note the slug, as this will be used later Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. -## GitLab Configuration +#### GitLab Configuration + -Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`. +Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above. To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint. + ```ruby gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] @@ -62,3 +78,61 @@ gitlab_rails['omniauth_providers'] = [ ``` Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container. + +### OpenID Connect auth + +#### Preparation + +The following placeholders will be used: + +- `gitlab.company` is the FQDN of the GitLab Install +- `authentik.company` is the FQDN of the authentik Install + +Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters: + +- Client type: `Confidential` +- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback` +- Scopes: `email`, `openid`, `profile` +- Subject mode: `Based on the Users's Email` +- Include claims in id_token: `True` + +Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. + +#### GitLab Configuration + +Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above. + +```ruby +gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect'] +gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect' +gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect'] +gitlab_rails['omniauth_sync_profile_attributes'] = ['email'] +gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect' +gitlab_rails['omniauth_block_auto_created_users'] = false +gitlab_rails['omniauth_auto_link_saml_user'] = true +gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"] +gitlab_rails['omniauth_providers'] = [ + { + name: 'openid_connect', + label: 'My Company OIDC Login', + args: { + name: 'openid_connect', + scope: ['openid','profile','email'], + response_type: 'code', + issuer: 'https://authentik.company/application/o/gitlab-slug/', + discovery: true, + client_auth_method: 'query', + uid_field: 'preferred_username', + send_scope_to_token_endpoint: 'true', + pkce: true, + client_options: { + identifier: '${OIDC_CLIENT_ID}', + secret: '${OIDC_CLIENT_SECRET}', + redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback' + } + } + } +] +``` + +For further GitLab provider args have a look at the specific GitLab docs at https://docs.gitlab.com/ee/integration/openid_connect_provider.html