Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Setting up OmniAuth

Written by
Updated at September 25, 2024

With OmniAuth, users can get authorized in GitLab using credentials from other services.

To integrate an authentication provider for GitLab via OmniAuth, add your authentication provider and specify its parameters.

Adding an authentication provider

  1. In the management console, go to the folder page and select Managed Service for GitLab.
  2. Click the instance name and select the OmniAuth tab.
  3. Click Configure.
  4. To add an authentication provider, click Add.
  5. Select a type and specify the authentication provider parameters.
  6. Click Create.

For more information about working with OmniAuth in GitLab, see the GitLab documentation.

Authentication provider parameters

Some parameters are common to all providers:

  • Allow single sign on: Allow using SSO. If set to true, when a user who has not singed up with GitLab authenticates through OmniAuth, an account in GitLab will be automatically created for them.
  • Auto link users by email: Map the username in OmniAuth to that in GitLab if they have the same email address linked.
  • Block auto-created users: Automatically switch the created accounts to Pending approval until they get approved by an administrator.
  • External provider: Set the external attribute for the provider. Users authorized through this provider will be treated as external and will have no access to internal projects.
  • Auto link LDAP user: Create an LDAP entity for automatically created accounts. This parameter only applies to instances with an LDAP provider connected.

Other parameters depend on the selected provider type.

Bitbucket Cloud

  • Label: Name of the authentication provider. You can set any name.
  • Application ID: App ID received when setting up the provider.
  • Application secret: Secret key received when setting up the provider.

You can learn how to obtain an app ID and secret key in this guide on setting up a provider.

Github Enterprise

  • Label: Name of the authentication provider. You can set any name.
  • Application ID: App ID received when setting up the provider.
  • Application secret: Secret key received when setting up the provider.
  • URL: Link to the GitHub repository.

You can learn how to obtain an app ID and secret key in this guide on setting up a provider.

GitLab self-managed

  • Label: Name of the authentication provider. You can set any name.
  • Application ID: App ID received when setting up the provider.
  • Application secret: Secret key received when setting up the provider.
  • Site: Link to the GitLab repository.

You can learn how to obtain an app ID and secret key in this guide on setting up a provider.

Google OAuth 2.0

  • Label: Name of the authentication provider. You can set any name.
  • Application ID: App ID received when setting up the provider.
  • Application secret: Secret key received when setting up the provider.

You can learn how to obtain an app ID and secret key in this guide on setting up a provider.

Keycloak

Note

To work with GitLab, the Keycloak server should use HTTPS.

  • Label: Name of the authentication provider. Specify any name.
  • Issuer: Authorization source URL, such as https://keycloak.example.com/realms/myrealm.
  • Client ID: Client ID received when setting up Keycloak.
  • Client secret: Client secret key received when setting up Keycloak.
  • Site: Link to the GitLab repository.

LDAP

Warning

Before setting up LDAP integration, make sure the users on the LDAP server cannot:

  • Change the mail, email, and userPrincipalName attributes. Users with privileges like this can potentially access any account on the GitLab server.
  • Have a shared email address. LDAP users with a shared email address can use the same account in GitLab.
  • Name: Username displayed in LDAP. It may not include spaces or punctuation marks.
  • Label: LDAP server name. Specify any name.
  • Host: LDAP server IP or domain name.
  • DB_PORT: LDAP server connection port.
  • Username ID: User ID in LDAP.
  • Encryption: Traffic encryption method.
  • Base: Name of the LDAP folder that stores user accounts.
  • Bind DN: (Optional) Unique username (DN) in LDAP.
  • User Filter: (Optional) User filter in LDAP in RFC-4515 format.

Refer to the GitLab documentation to learn how to configure the LDAP server to work with GitLab.

Microsoft Entra ID

  • Label: Name of the authentication provider. Specify any name.
  • Client ID: Client ID received when registering an application.
  • Client Secret: Client secret key received when registering an application.
  • Tenant ID: Tenant ID received when registering an application.

Refer to the GitLab documentation to learn how to register an application on the Azure side.

Microsoft Azure OAuth 2

  • Label: Name of the authentication provider. Specify any name.
  • Client ID: Client ID received when registering an application.
  • Client Secret: Client secret key received when registering an application.
  • Tenant ID: Tenant ID received when registering an application.

Refer to the GitLab documentation to learn how to register an application on the Azure side.

SAML

  • Label: Name of the authentication provider. Specify any name.
  • Assertion consumer service URL: HTTPS endpoint of the GitLab instance. To create this URL, add /users/auth/saml/callback to your GitLab instance URL, such as https://example.gitlab.yandexcloud.net/users/auth/saml/callback.
  • IDP certificate fingerprint: SHA1 fingerprint of a public certificate key, e.g., 90:CC:16:F0:8D:.... Issued when configuring the IdP.
  • IDP SSO target URL: URL of the IdP. Issued when configuring the IdP.
  • Issuer: Unique ID of the application where user authentication will be performed, such as https://example.gitlab.yandexcloud.net.
  • Name identifier format: Format of the name identifier. Issued when configuring the IdP.

Refer to the GitLab documentation to learn how to configure SAML on the IdP side.

Yandex ID

  • Label: Name of the authentication provider. Specify any name.
  • Client ID: Client ID received when registering an application.
  • Client Secret: Client secret key received when registering an application.
  • Site: Link to the GitLab repository.

Refer to the Yandex.OAuth documentation to learn how to register an application on the IdP side. When registering an app, permit access to the user's email address. If selecting web services as the platform, use the Redirect URI field to specify a URL in the following format:

https://<GitLab_instance_address>/users/auth/Yandex/callback

URL example:

https://my-domain.gitlab.yandexcloud.net/users/auth/Yandex/callback

Warning

When integrating with the Yandex ID service, any user with a Yandex account can log in to your instance. To prevent access by unauthorized users, set the Allow single sign on and Block auto-created users parameters to true. This will allow you to automatically create new users in GitLab but also block them at first log in.

Yandex 360

Yandex 360 uses Yandex ID or LDAP as authentication providers. To allow Yandex 360 users to log into your GitLab instance, add and configure one of these providers in OmniAuth.

Warning

If you use Yandex ID, the authentication process does not include checking users for membership in a Yandex 360 organization. Any user with a Yandex account can log into your GitLab instance. To prevent access by unauthorized users, set the Allow single sign on and Block auto-created users parameters to true. This will allow you to automatically create new users in GitLab but also block them at first log in.

Previous
Setting up approval rules
Next
All tutorials