How to Configure Gitlab with Keycloak.

This post shows how you can use Keycloak with SAML 2.0 as an OmniAuth provider for GitLab CE and EE. To set up GitLab with an existing nginx, please visit this link.
You can visit this link to check Keycloak.

Requirements

  • Running and working Keycloak instance(s).
  • Running GitLab instance and SSH root access.

Our Keycloak server is: keycloak.example.com

Our GitLab server is: gitlab.example.com

Step 1 – Create SAML Client in Keycloak.

Our realm name is Apps. Yours may differ, so replace apps with your own realm name wherever it appears below.

NOTE: Replace gitlab.example.com with your actual GitLab hostname, for example git.yourdomain.com.

Go to the Clients page and click the Create button in the upper right corner.

Step 2 – Configure newly created SAML Client in Keycloak for Gitlab.

Go to Clients -> gitlab.example.com -> Settings tab.

[Screenshots: Settings tab of the gitlab.example.com client in Keycloak]

Roles Tab.

GitLab CE has limited functionality available with Keycloak. Under the Roles tab we will create a role named external for GitLab.

[Screenshots: adding the external role on the client's Roles tab]

Mappers Tab

Mappers let you map user information to attributes in the SAML 2.0 response sent to GitLab. For example, a name mapper is used to put the username into the response for GitLab.

We will create a few mappers for GitLab in Keycloak.

Start with Name mapper.

[Screenshot: creating the name mapper in Keycloak]

Repeat the same process to create the other mappers for email, first_name, last_name and roles, with the settings listed below.

  • Name: name
    • Mapper Type: User Property
    • Property: Username
    • Friendly Name: Username
    • SAML Attribute Name: name
    • SAML Attribute NameFormat: Basic
  • Name: email
    • Mapper Type: User Property
    • Property: Email
    • Friendly Name: Email
    • SAML Attribute Name: email
    • SAML Attribute NameFormat: Basic
  • Name: first_name
    • Mapper Type: User Property
    • Property: FirstName
    • Friendly Name: First Name
    • SAML Attribute Name: first_name
    • SAML Attribute NameFormat: Basic
  • Name: last_name
    • Mapper Type: User Property
    • Property: LastName
    • Friendly Name: Last Name
    • SAML Attribute Name: last_name
    • SAML Attribute NameFormat: Basic
  • Name: roles
    • Mapper Type: Role list
    • Role attribute name: roles
    • Friendly Name: Roles
    • SAML Attribute NameFormat: Basic
    • Single Role Attribute: On

All of the mappers have “Consent Required” set to Off.

The end result should look like this.

[Screenshot: Mappers tab listing the five mappers]
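As an added check (not part of the original post), the Ruby script below parses the AttributeStatement of a SAML assertion and reports any attribute among those GitLab reads by default (name, email, first_name, last_name) and the roles attribute that is missing, duplicated or not in the Basic NameFormat. The assertion is constructed inside the script from the mapper settings above; saml_attributes can equally be pointed at a real assertion captured from a browser SAML trace to check your own mappers. Only the REXML standard library is assumed.

```ruby
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC   = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Attribute names GitLab reads by default, plus the roles attribute from the Role list mapper.
EXPECTED = %w[name email first_name last_name roles].freeze

# Build a minimal unsigned AttributeStatement from [name, value] pairs, one per mapper output.
# Constructed test data; a real assertion would come from a SAML trace of the login.
def assertion_xml(pairs)
  attrs = pairs.map do |name, value|
    %(<saml:Attribute Name="#{name}" NameFormat="#{BASIC}"><saml:AttributeValue>#{value}</saml:AttributeValue></saml:Attribute>)
  end.join
  %(<saml:Assertion xmlns:saml="#{SAML_NS}"><saml:AttributeStatement>#{attrs}</saml:AttributeStatement></saml:Assertion>)
end

# Parse the AttributeStatement into { name => { format:, count:, values: } }.
def saml_attributes(xml)
  ns  = { "saml" => SAML_NS }
  out = Hash.new { |h, k| h[k] = { format: nil, count: 0, values: [] } }
  REXML::XPath.each(REXML::Document.new(xml), "//saml:Attribute", ns) do |a|
    e = out[a.attributes["Name"]]
    e[:format] = a.attributes["NameFormat"]
    e[:count] += 1
    REXML::XPath.each(a, "saml:AttributeValue", ns) { |v| e[:values] << v.text.to_s }
  end
  out
end

# List of mapper problems; empty means GitLab receives exactly what it expects.
def check_mappers(xml)
  attrs = saml_attributes(xml)
  EXPECTED.flat_map do |name|
    next ["missing attribute #{name}"] unless attrs.key?(name)
    a, msgs = attrs[name], []
    msgs << "#{name} emitted #{a[:count]} times (duplicate SAML Attribute Name in a mapper?)" if a[:count] > 1
    msgs << "#{name} NameFormat is #{a[:format].inspect}, expected Basic" unless a[:format] == BASIC
    msgs
  end
end

# What the five mappers above should emit, and the same set with last_name's
# SAML Attribute Name accidentally left as "name" (a copy-paste slip).
CORRECT = [["name", "jdoe"], ["email", "jdoe@example.com"], ["first_name", "Jane"],
           ["last_name", "Doe"], ["roles", "external"]].freeze
TYPO = CORRECT.map { |n, v| n == "last_name" ? ["name", v] : [n, v] }.freeze

puts check_mappers(assertion_xml(CORRECT)).inspect if __FILE__ == $PROGRAM_NAME   # []
puts check_mappers(assertion_xml(TYPO)).inspect if __FILE__ == $PROGRAM_NAME
```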


Scope Tab.

Set Full Scope Allowed to ON.

Step 3: Copy Certificate from Realm.

Go to Realm Settings -> Keys and download the public certificate.

[Screenshot: Realm Settings -> Keys, certificate download]

Step 4: Setup Gitlab.

SSH into the GitLab server and take a backup of gitlab.rb.

cd /etc/gitlab/

cp -a gitlab.rb{,.bak-working-$(date +%F)}

Now open gitlab.rb in vim or nano and paste the following lines at the end of the file.

# Enable OmniAuth and allow a GitLab account to be created on first SAML sign-in
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# Uncomment to send users straight to Keycloak instead of showing the GitLab sign-in form
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# false: auto-created accounts are usable immediately; true: an admin must unblock them first
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# Link an existing GitLab account with a matching email address to the SAML identity
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
    {
      name: 'saml',
      args: {
               # Where Keycloak posts the SAML response back to GitLab
               assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
               # Realm certificate downloaded in Step 3; GitLab verifies assertion signatures against it
               idp_cert: "-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIJAKBBHoOXzz/VMA0GCSqGSIb3DQEBBQUAMB0xGzAZBgNV
BAMMEmdpdGxhYi5leGFtcGxlLmNvbTAeFw0xOTA5MDMwODE1MzFaFw0yOTA4MzEw
ODE1MzFaMB0xGzAZBgNVBAMMEmdpdGxhYi5leGFtcGxlLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAPTmtxAb1Umgi/TN3SIdJe7yvCvHCTwafGIt
jHCB6jDsRWrLy5zB3YKuRF2PAVwODXiFK0RCaefrf2OaNLW0sieOitlJzo1Rxd6t
Ovxg3wtzVOBJV7ewi1JFAcYTQYDuirajG5NpFWmo4uBW8gT7yVnnqsj1m/HfA5w5
Ho5kQP3afdSnXx3K8RMBm3hoXJjf17YGdzeYjdzaUvR87zE6HuWOqaSPkb+UGieN
Pee8skXVAePuy62cAP8P3Oqdsly3GTeFNtBxJzbqiORBPFuOkouEf6UrV1SaSZF/
hQfntBkDVhUzccGRqiZ5Gjb0xeeGFrUsop6btciQ37ATB2LDlasCAwEAAaNQME4w
HQYDVR0OBBYEFBxD0mMTIaQTiY6yRbNEoLH1n+G2MB8GA1UdIwQYMBaAFBxD0mMT
IaQTiY6yRbNEoLH1n+G2MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
AIZFewa0sEEUdshXf4XYs3DWy+jb1H45B9T/OPV9hDu4lNwNoO9NOhkab17nGCEe
z/V3riuAGuS34XQ+ZnXuuOJrHglfbVSQlkcZGrsegL/yhj4npwluGVMo+GUiIgg2
Ov5dW9ptnrYms7Jdby75I1aVYVRuNCUttA4BT2dRfXhHdFNaEBEFpXEYA8qsBSja
/xQ06zz4FOrskM5yV1Miyylne03umOwZOQReWED8JE1IUmA2oX1yYP/avGPziNVR
sSrLJUUclwRBmJ4qDSFkH4EJzjgwvOsSHZ9cBhZOqPiTQaKA/KIe4Hx19N3bJdSE
CSH6IwAilsTlJQZd75Mw/kM==
-----END CERTIFICATE-----",
               # Keycloak SAML endpoint for the realm; replace apps with your realm name
               idp_sso_target_url: 'https://keycloak.example.com/auth/realms/apps/protocol/saml/clients/gitlab.example.com',
               # Must match the Client ID created in Step 1
               issuer: 'gitlab.example.com',
               name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
             },
      # Text shown on the extra sign-in button
      label: 'Keycloak Login'
    }
]
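To confirm that the certificate pasted into idp_cert in Step 4 really is the realm's current signing certificate from Step 3, here is an added Ruby check (not from the original post). It normalizes the PEM as pasted (header lines, literal newlines or "\n" escapes), parses it, checks its validity dates, and compares it with the signing certificate advertised in the realm's SAML descriptor, which Keycloak serves at /auth/realms/<realm>/protocol/saml/descriptor. The realm certificate and descriptor used here are constructed throwaways: make_self_signed and descriptor_for are test helpers, not Keycloak code.

```ruby
require "openssl"
require "rexml/document"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Reduce a PEM (or bare base64) to its base64 body so that header lines, literal
# newlines and "\n" escapes pasted into gitlab.rb all compare equal.
def cert_body(text)
  text.gsub(/-----(BEGIN|END) CERTIFICATE-----/, "").gsub('\n', "").gsub(/\s+/, "")
end

# Signing certificates advertised by the realm's SAML descriptor (use="encryption" keys are skipped).
def descriptor_signing_certs(xml)
  ns = { "md" => MD_NS, "ds" => DS_NS }
  REXML::XPath.match(REXML::Document.new(xml), "//md:IDPSSODescriptor/md:KeyDescriptor", ns).flat_map do |kd|
    next [] unless [nil, "signing"].include?(kd.attributes["use"])
    REXML::XPath.match(kd, ".//ds:X509Certificate", ns).map { |e| cert_body(e.text.to_s) }
  end
end

# :ok, or a symbol naming what is wrong with the idp_cert value taken from gitlab.rb.
def check_idp_cert(idp_cert_value, descriptor_xml, now = Time.now)
  body = cert_body(idp_cert_value)
  pem  = "-----BEGIN CERTIFICATE-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
  cert = begin
    OpenSSL::X509::Certificate.new(pem)
  rescue OpenSSL::X509::CertificateError
    return :unparseable
  end
  return :expired unless (cert.not_before..cert.not_after).cover?(now)
  return :not_realm_signing_cert unless descriptor_signing_certs(descriptor_xml).include?(body)
  :ok
end

# Constructed test data (hypothetical helpers, not Keycloak code): a throwaway self-signed
# certificate standing in for the realm key, and a minimal descriptor advertising it.
def make_self_signed(cn, days)
  key, cert = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key, cert.serial = key.public_key, 1
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
def descriptor_for(cert)
  %(<md:EntityDescriptor xmlns:md="#{MD_NS}" xmlns:ds="#{DS_NS}"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>) +
    %(<ds:X509Data><ds:X509Certificate>#{[cert.to_der].pack("m0")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>)
end
```

Against a live setup, replace the constructed descriptor with the XML fetched from your realm's descriptor URL and pass the idp_cert string exactly as it appears in gitlab.rb.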


Step 5: Reconfigure GitLab.

gitlab-ctl reconfigure

After that, go to your GitLab sign-in page. Just below the Sign in tab you will see another option, Sign in with Keycloak Login (the label set in gitlab.rb).

That's all. We have properly configured GitLab with Keycloak. Thanks.

Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)
