habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: gitlab: add oidc guide (#9740)

Browse Source 
* docs: add gitlab oidc guide

* docs: Formated gitlab integration guide

* docs: simplify gitlab.rb reference 

https://github.com/goauthentik/authentik/pull/9740#discussion_r1601871402

Signed-off-by: Tim <bleimehl@gmail.com>

* Update website/integrations/services/gitlab/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Tim <bleimehl@gmail.com>

* Update website/integrations/services/gitlab/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Tim <bleimehl@gmail.com>

* order chapter toc

---------

Signed-off-by: Tim <bleimehl@gmail.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
Tim
2024-07-03 23:41:37 +02:00
committed by GitHub
parent 6f31c802c2
commit 2fc0c6e0ad
1 changed files with 77 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
website/integrations/services/gitlab/index.md
View File

@ -10,7 +10,21 @@ title: GitLab
> >
> -- https://about.gitlab.com/what-is-gitlab/ > -- https://about.gitlab.com/what-is-gitlab/
## Preparation :::info
In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
:::
## Authentication
There are 2 ways to configure single sign on (SSO) for GitLab:
- [via SAML](#saml-auth)
- [via OIDC Connect (OAuth)](#openid-connect-auth)
### SAML auth
#### Preparation
The following placeholders will be used: The following placeholders will be used:
@ -26,11 +40,13 @@ Create an application in authentik and note the slug, as this will be used later
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
## GitLab Configuration #### GitLab Configuration
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint. To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint.
```ruby ```ruby
gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
@ -62,3 +78,61 @@ gitlab_rails['omniauth_providers'] = [
``` ```
Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container. Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.
### OpenID Connect auth
#### Preparation
The following placeholders will be used:
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters:
- Client type: `Confidential`
- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
- Scopes: `email`, `openid`, `profile`
- Subject mode: `Based on the Users's Email`
- Include claims in id_token: `True`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
#### GitLab Configuration
Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
gitlab_rails['omniauth_providers'] = [
{
name: 'openid_connect',
label: 'My Company OIDC Login',
args: {
name: 'openid_connect',
scope: ['openid','profile','email'],
response_type: 'code',
issuer: 'https://authentik.company/application/o/gitlab-slug/',
discovery: true,
client_auth_method: 'query',
uid_field: 'preferred_username',
send_scope_to_token_endpoint: 'true',
pkce: true,
client_options: {
identifier: '${OIDC_CLIENT_ID}',
secret: '${OIDC_CLIENT_SECRET}',
redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
}
}
}
]
```
For further GitLab provider args have a look at the specific GitLab docs at https://docs.gitlab.com/ee/integration/openid_connect_provider.html