website/integrations: gitlab: add oidc guide (#9740)

* docs: add gitlab oidc guide

* docs: Formated gitlab integration guide

* docs: simplify gitlab.rb reference 

https://github.com/goauthentik/authentik/pull/9740#discussion_r1601871402

Signed-off-by: Tim <bleimehl@gmail.com>

* Update website/integrations/services/gitlab/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Tim <bleimehl@gmail.com>

* Update website/integrations/services/gitlab/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Tim <bleimehl@gmail.com>

* order chapter toc

---------

Signed-off-by: Tim <bleimehl@gmail.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

website/integrations/services/gitlab/index.md

@@ -10,7 +10,21 @@ title: GitLab
 >
 > -- https://about.gitlab.com/what-is-gitlab/
 
-## Preparation
+:::info
+In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
+:::
+
+## Authentication
+
+There are 2 ways to configure single sign on (SSO) for GitLab:
+
+-   [via SAML](#saml-auth)
+-   [via OIDC Connect (OAuth)](#openid-connect-auth)
+
+
+### SAML auth
+
+#### Preparation
 
 The following placeholders will be used:
 
@@ -26,11 +40,13 @@ Create an application in authentik and note the slug, as this will be used later
 
 Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
 
-## GitLab Configuration
+#### GitLab Configuration
 
-Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
+
+Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
 To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint.
 
+
 ```ruby
 gitlab_rails['omniauth_enabled'] = true
 gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
@@ -62,3 +78,61 @@ gitlab_rails['omniauth_providers'] = [
 ```
 
 Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.
+
+### OpenID Connect auth
+
+#### Preparation
+
+The following placeholders will be used:
+
+-   `gitlab.company` is the FQDN of the GitLab Install
+-   `authentik.company` is the FQDN of the authentik Install
+
+Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters:
+
+-   Client type: `Confidential`
+-   Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
+-   Scopes: `email`, `openid`, `profile`
+-   Subject mode: `Based on the Users's Email`
+-   Include claims in id_token: `True`
+
+Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
+
+#### GitLab Configuration
+
+Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
+
+```ruby
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: 'openid_connect',
+    label: 'My Company OIDC Login',
+    args: {
+      name: 'openid_connect',
+      scope: ['openid','profile','email'],
+      response_type: 'code',
+      issuer: 'https://authentik.company/application/o/gitlab-slug/',
+      discovery: true,
+      client_auth_method: 'query',
+      uid_field: 'preferred_username',
+      send_scope_to_token_endpoint: 'true',
+      pkce: true,
+      client_options: {
+        identifier: '${OIDC_CLIENT_ID}',
+        secret: '${OIDC_CLIENT_SECRET}',
+        redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
+      }
+    }
+  }
+]
+```
+
+For further GitLab provider args have a look at the specific GitLab docs at https://docs.gitlab.com/ee/integration/openid_connect_provider.html