GitLab supports OIDC authentication using the Omniauth::oidc module.

If you are using Omnibus, you may paste the following config directly in your gitlab.rb:

# Authentication
# OmniAuth OpenID Connect settings that let GitLab sign users in through Hiboo.
# The templated values below are filled in from this service's Hiboo configuration.

# Providers allowed to create a GitLab account on a user's first sign-in.
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
# false: accounts created through the provider are active immediately.
# Set to true if an administrator should approve each new account first.
gitlab_rails['omniauth_block_auto_created_users'] = false
# Send visitors of the GitLab sign-in page straight to this provider.
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_providers'] = [
    { 'name' => 'openid_connect',
      'label' => 'Hiboo',
      'args' => {
        'name' => 'openid_connect',
        'scope' => ['openid','profile','email'],
        # Same URL as authorization_endpoint below.
        # NOTE(review): confirm this matches the issuer value Hiboo puts in its ID tokens.
        'issuer' => '{{ url_for("sso.oidc_authorize", service_uuid=service.uuid, _external=True) }}',
        'response_type' => 'code',
        # Discovery is off, so the three endpoints are listed explicitly in client_options.
        'discovery' => false,
        # NOTE(review): check how this value transmits the client secret with your
        # GitLab version, and that the secret does not end up in URLs or access logs.
        'client_auth_method' => 'query',
        'client_options' => {
        'identifier' => '{{ service.config["client_id"] }}',
        # The client secret is stored in plain text here: keep gitlab.rb readable
        # by root only and out of version control.
        'secret' => '{{ service.config["client_secret"] }}',
        # First redirect URI registered for this service in Hiboo.
        'redirect_uri' => '{{ service.config["redirect_uris"][0] }}',
        # Authorization codes, the client secret and tokens travel over these
        # endpoints: check that they render as https:// URLs.
        'authorization_endpoint' => '{{ url_for("sso.oidc_authorize", service_uuid=service.uuid, _external=True) }}',
        'token_endpoint' => '{{ url_for("sso.oidc_token", service_uuid=service.uuid, _external=True) }}',
        'userinfo_endpoint' => '{{ url_for("sso.oidc_userinfo", service_uuid=service.uuid, _external=True) }}'
        }
      }
    }
]

You will also need to provision your users' OmniAuth bindings by running the following SQL query against your GitLab database:

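-- Bind existing GitLab accounts to the 'openid_connect' provider, using each
-- account's username as the external UID.
-- This covers every row in users, administrator accounts included: whoever
-- holds the matching username on the Hiboo side can then sign in as that
-- GitLab user. Review the account list (or add a WHERE on users) before
-- running it, and take a database backup first.
-- The NOT EXISTS guard makes the statement safe to re-run: accounts that
-- already have an 'openid_connect' identity are skipped.
insert into identities (extern_uid, provider, user_id, created_at, updated_at)
select
    users.username as extern_uid,
    'openid_connect' as provider,
    users.id as user_id,
    now() as created_at,
    now() as updated_at
from users
where not exists (
    select 1
    from identities
    where identities.user_id = users.id
      and identities.provider = 'openid_connect'
);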

{% include "application_oidc.html" %}