Differences

documentation:latest:applications:gitlab [2019/05/19 12:58]
maxbes [SAML]
documentation:latest:applications:gitlab [2019/08/29 17:12] (current)
Line 83: Line 83:
   * groups => groups   * groups => groups
  
 +===== OpenID Connect =====
  
 +**Alternatively** to SAML, you can choose to configure Gitlab to use OpenID Connect.
 +
 +==== Gitlab configuration ====
 +
 +In ''/​etc/​gitlab/​gitlab.rb''​
 +
 +<file ruby>
 +...
 +gitlab_rails['​omniauth_allow_single_sign_on'​] = ['​openid_connect'​]
 +gitlab_rails['​omniauth_block_auto_created_users'​] = false
 +
 +gitlab_rails['​omniauth_providers'​] = [
 +  { '​name'​ => '​openid_connect',​
 +    '​label'​ => '​LemonLDAP::​NG',​
 +    '​args'​ => {
 +      '​name'​ => '​openid_connect',​
 +      '​issuer'​ => '​https://​auth.example.com',​
 +      '​scope'​ => ['​openid',​ '​profile',​ '​email'​],​
 +      '​response_type'​ => '​code',​
 +      '​client_auth_method'​ => '​client_secret_post',​
 +      '​discovery'​ => true,
 +      '​uid_field'​ => '​sub',​
 +      '​client_options'​ => {
 +        '​redirect_uri'​ => '​http://​gitlab.example.com/​users/​auth/​openid_connect/​callback',​
 +        '​identifier'​ => '​LEMONLDAP_CLIENT_ID',​
 +        '​secret'​ => '​LEMONLDAP_CLIENT_SECRET',​
 +      }
 +    }
 +  }
 +];
 +
 +...
 +</​file>​
 +
 +==== LL::NG configuration ====
 +
 +Add an OpenID Connect RP to LemonLDAP::​NG
 +
 +  * Chose a client ID and a client secret, and write the same values in the ''​gitlab.rb''​ file above
 +  * You need to chose an asymetrical signature algorithm for the ID Token (RS256 or above)
 +  * You also need to set a key identifier on your LemonLDAP::​NG server in ''​OpenID Connect service''​ » ''​Security''​ » ''​Signing key ID''​ (use something like ''​default''​ as the value). ​
 +  * Make sure the attribute containing the user email in the LemonLDAP::​NG session is mapped to the ''​email''​ claim.
 +
 +<​note>​
 +You need to set a key identifier, or you will get a //​JSON::​JWK::​Set::​KidNotFound//​ error on Gitlab
 +</​note>​
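Review bot: the callback URL in the `client_options` block is plain HTTP (`'redirect_uri' => 'http://gitlab.example.com/users/auth/openid_connect/callback'`) while the issuer is `https://auth.example.com`; the authorization code is delivered on that redirect, so the example should use `https://gitlab.example.com/...` and the RP registered in LemonLDAP::NG should carry the same https value, otherwise the code and the session cookie GitLab sets afterwards travel in the clear. Two smaller points for the same hunk: `gitlab_rails['omniauth_block_auto_created_users'] = false` means every user LemonLDAP::NG authenticates gets a GitLab account created and activated automatically, which the text should say explicitly so administrators can decide whether to keep it `true` and approve accounts by hand; and the prose under "LL::NG configuration" has typos ("Chose" should read "Choose" in both bullets, "asymetrical" should read "asymmetric").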