Keycloak
Prerequisites📜
The integration assumes that keycloak is deployed with a realm other than master (eg: baby-yoda) and a client within named gitlab. The secret is used in the gitlab keycloak configuration.
If the client gitlab doesn’t exist in keycloak, please create the client gitlab with the following settings: 1. Create a gitlab OIDC client scope. The scope name is case sensitive and must match the oidc settings that Gitlab was deployed with. Bigbang Gitlab settings are expecting scope name “Gitlab” with a capital G. Use the following mappings:
| Name | Mapper Type | Mapper Selection Sub | Token Claim Name | Claim JSON Type |
|-------------|------------------|----------------------|--------------------|-----------------|
| email | User Property | email | email | String |
| profile | User Attribute | profile | N/A | String |
| username | User Property | username | preferred_username | String |
- Create a gitlab client
- Change the following configuration items
- access type: confidential this will enable “Credentials”
- Direct Access Grants Enabled: Off
- Valid Redirect URIs: https://code.${DOMAIN}/users/auth/openid_connect/callback
- Base URL: https://code.${DOMAIN}
- Set Client Scopes
- Default Client Scopes: Gitlab (the client scope you created in the previous step. This is case sensitive.)
- optional client scopes: N/A
- Take note of the client secret in the credential tab
GitLab configuration for keycloak📜
Reference Gitlab documentation for SSO. This is a working example of the json configuration used for keycloak integration.
{
"name": "openid_connect",
"label": "Platform One SSO",
"args": {
"name": "openid_connect",
"scope": [
"Gitlab"
],
"response_type": "code",
"issuer": "https://login.dso.mil/auth/realms/baby-yoda",
"client_auth_method": "query",
"discovery": true,
"uid_field": "preferred_username",
"client_options": {
"identifier": "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-gitlab",
"secret": "your-secret-here",
"redirect_uri": "https://code.bigbang.dev/users/auth/openid_connect/callback",
"end_session_endpoint": "https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/logout"
}
}
}
cat gitlab-oidc.enc.json | base64 -w 0
-w 0
insures that the encoded value is a one line string.
Create a secret in Gitlab namespace for the oidc provider info📜
Create a secret for the json provider config from the previous step
apiVersion: v1
kind: Secret
metadata:
name: oidc-provider
namespace: gitlab
data:
gitlab-oidc.json: <enter your encoded json config here>
Gitlab omniauth global configuration📜
Override the helm chart values.yaml for your environment to include the oidc-provider secret in gitlab global.appConfig.omniauth
definition. The following example is the minimum config that you need. Refer to Gitlab documentation for more settings.
global:
...
appConfig:
...
omniauth:
enabled: true
# autoSignInWithProvider:
# syncProfileFromProvider: []
syncProfileAttributes: ['email']
allowSingleSignOn: ['openid_connect']
blockAutoCreatedUsers: false
# autoLinkLdapUser: false
# autoLinkSamlUser: false
# externalProviders: []
# allowBypassTwoFactor: []
providers:
- secret: oidc-provider
key: gitlab-oidc.json
If all your configuration is correct you will be able to deploy and use SSO auth for Gitlab!