GitLab supports OIDC authentication through the `openid_connect` OmniAuth provider.
If you are using Omnibus, you can paste the following configuration directly into your `gitlab.rb`. It contains your OIDC client secret in plaintext, so keep that file readable by root only:
# Authentication
#
# Hiboo is the OpenID Connect provider; GitLab is the relying party, using the
# `openid_connect` OmniAuth provider. The {{ ... }} expressions are rendered by
# Hiboo's template engine before this snippet is pasted into gitlab.rb.
hiboo_authorize_url = '{{ url_for("sso.oidc_authorize", service_uuid=service.uuid, _external=True) }}'
hiboo_token_url     = '{{ url_for("sso.oidc_token", service_uuid=service.uuid, _external=True) }}'
hiboo_userinfo_url  = '{{ url_for("sso.oidc_userinfo", service_uuid=service.uuid, _external=True) }}'

# A first-time Hiboo login is allowed to create a GitLab account ...
gitlab_rails['omniauth_allow_single_sign_on'] = %w[openid_connect]
# ... and that account is usable immediately rather than blocked pending admin
# approval. Every Hiboo account therefore becomes a GitLab account; set this to
# true if you do not control who can register with Hiboo.
gitlab_rails['omniauth_block_auto_created_users'] = false
# Skip GitLab's own sign-in form and redirect straight to Hiboo.
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'

hiboo_client_options = {
  'identifier'             => '{{ service.config["client_id"] }}',
  # Plaintext client secret: gitlab.rb must stay readable by root only.
  'secret'                 => '{{ service.config["client_secret"] }}',
  # Must exactly match a redirect URI registered for this client in Hiboo.
  'redirect_uri'           => '{{ service.config["redirect_uris"][0] }}',
  'authorization_endpoint' => hiboo_authorize_url,
  'token_endpoint'         => hiboo_token_url,
  'userinfo_endpoint'      => hiboo_userinfo_url
}

gitlab_rails['omniauth_providers'] = [
  {
    'name'  => 'openid_connect',
    'label' => 'Hiboo',
    'args'  => {
      'name'          => 'openid_connect',
      'scope'         => %w[openid profile email],
      # Compared verbatim against the `iss` claim of the ID tokens Hiboo issues;
      # any mismatch makes token validation fail.
      'issuer'        => hiboo_authorize_url,
      'response_type' => 'code',
      # No /.well-known/openid-configuration lookup: the endpoints are taken
      # from client_options below.
      'discovery'     => false,
      # Non-`basic` value: client_id/client_secret are sent as parameters of the
      # token request instead of an HTTP Basic header. Confirm this is what
      # Hiboo's token endpoint expects before relying on it.
      'client_auth_method' => 'query',
      'client_options'     => hiboo_client_options
    }
  }
]
You will also need to provision OmniAuth identities for your existing users; otherwise their first Hiboo login creates a new GitLab account instead of matching the existing one. The query below binds each user by username, so it is only correct if the `sub` claim Hiboo returns for a user is that user's GitLab username — and only safe if Hiboo users cannot freely pick a username that collides with an existing GitLab account, since the binding would then hand that account to them. Back up the database first, then run the query against your GitLab database:
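-- Bind every existing GitLab user to the 'openid_connect' provider, using the
-- GitLab username as the external UID. A login is matched to the row whose
-- extern_uid equals the `sub` claim Hiboo returns, so this is only correct when
-- that claim is the GitLab username.
-- The NOT EXISTS guard makes the statement safe to re-run: users that already
-- have an openid_connect identity are skipped instead of receiving a duplicate
-- row. Consider narrowing the SELECT further (e.g. to active, human accounts);
-- the column to filter on depends on your GitLab schema version.
insert into identities (extern_uid, provider, user_id, created_at, updated_at)
select users.username, 'openid_connect', users.id, now(), now()
from users
where not exists (
  select 1
  from identities
  where identities.user_id = users.id
    and identities.provider = 'openid_connect'
);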