GitLab Integration with Keycloak

Dheeraj kumar
Nov 16, 2020

In this post, we will walk through integrating a GitLab server with Keycloak using a SAML 2.0 client.

Requirements:

Keycloak server: keycloak.server.com

GitLab server: gitlab.server.com

NOTE: For the GitLab and Keycloak setup itself, follow the links below.

Step 1: Create a SAML client in Keycloak.

Our realm name is Devops; yours may differ, so replace Devops with your own realm name wherever it appears.

Go to the Clients page and click the Create button in the upper right corner. Use gitlab.server.com as the Client ID and saml as the Client Protocol.

Note: Replace gitlab.server.com with your GitLab server name.

Step 2: Configure your new SAML client in Keycloak for GitLab.

Go to Clients -> gitlab.server.com -> Settings tab.

Roles Tab

Go to Clients -> gitlab.server.com -> Roles.

Mappers Tab

Mappers map user information to attributes in the SAML 2.0 assertion that Keycloak sends to GitLab. For example, the name mapper places the username into the assertion. We will create a few mappers for GitLab in Keycloak.

Go to Clients -> gitlab.server.com -> Mappers.

Create the name mapper first, then repeat the same process for email, first_name, last_name, and roles, as listed below.

Name: name

Mapper Type: User Property

Property: Username

Friendly Name: Username

SAML Attribute Name: name

SAML Attribute NameFormat: Basic

*************************

Name: email

Mapper Type: User Property

Property: Email

Friendly Name: Email

SAML Attribute Name: email

SAML Attribute NameFormat: Basic

***************************

Name: first_name

Mapper Type: User Property

Property: FirstName

Friendly Name: First Name

SAML Attribute Name: first_name

SAML Attribute NameFormat: Basic

****************************

Name: last_name

Mapper Type: User Property

Property: LastName

Friendly Name: Last Name

SAML Attribute Name: last_name

SAML Attribute NameFormat: Basic

****************************

Name: roles

Mapper Type: Role list

Role attribute name: roles

Friendly Name: Roles

SAML Attribute NameFormat: Basic

Single Role Attribute: On
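The five mappers above decide which attributes arrive in the SAML assertion, and GitLab's SAML provider looks for name, email, first_name and last_name under exactly those attribute names. The following Ruby script is an added example, not part of the original post: it parses a constructed sample assertion (values made up; the attribute names and the "Basic" NameFormat follow the mapper definitions above) and reports which of the attributes GitLab needs are missing, which is a quick way to validate an assertion captured from a browser SAML tracer before blaming the GitLab side. With Single Role Attribute set to On, the roles appear as one Attribute with several AttributeValue children, which is what the sample shows.

```ruby
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names GitLab's SAML provider reads by default; they must match the
# "SAML Attribute Name" of the mappers configured in Keycloak
GITLAB_REQUIRED = %w[name email first_name last_name].freeze

# Constructed sample: the assertion the five mappers produce for one user
# (all values are made up; NameFormat "Basic" is emitted as the URN shown)
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{SAML_NS}">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-7c1e</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="name" FriendlyName="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>dkumar</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" FriendlyName="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>dkumar@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="first_name" FriendlyName="First Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Dheeraj</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="last_name" FriendlyName="Last Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Kumar</saml:AttributeValue>
      </saml:Attribute>
      <!-- Single Role Attribute: On -> one "roles" attribute carrying every role -->
      <saml:Attribute Name="roles" FriendlyName="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>developer</saml:AttributeValue>
        <saml:AttributeValue>offline_access</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# Returns a hash of attribute name => list of values, e.g.
# { "name" => ["dkumar"], ..., "roles" => ["developer", "offline_access"] }
def parse_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  doc.root.each_recursive do |el|
    next unless el.name == "Attribute" && el.namespace == SAML_NS
    values = el.elements.to_a.select { |v| v.name == "AttributeValue" }.map { |v| v.text.to_s.strip }
    attrs[el.attributes["Name"]] = values
  end
  attrs
end

# The NameID GitLab stores as the SAML identity of the user (its extern_uid);
# with the persistent format it stays stable across logins
def parse_name_id(xml)
  doc = REXML::Document.new(xml)
  found = nil
  doc.root.each_recursive { |e| found ||= e if e.name == "NameID" && e.namespace == SAML_NS }
  return nil if found.nil?
  { value: found.text.to_s.strip, format: found.attributes["Format"] }
end

# Names from GITLAB_REQUIRED that are absent or empty in the assertion;
# an empty list means the mappers cover what GitLab needs
def missing_for_gitlab(attrs)
  GITLAB_REQUIRED.reject { |k| attrs.key?(k) && attrs[k].any? { |v| !v.empty? } }
end

if $PROGRAM_NAME == __FILE__
  attrs = parse_attributes(SAMPLE_ASSERTION)
  p attrs
  p parse_name_id(SAMPLE_ASSERTION)
  missing = missing_for_gitlab(attrs)
  puts(missing.empty? ? "assertion carries every attribute GitLab needs" : "missing: #{missing.join(', ')}")
end
```

If a mapper is misnamed in Keycloak (for example an attribute called "Email" instead of "email"), the script lists it as missing, which matches the symptom on the GitLab side of a sign-in that succeeds at Keycloak but fails to create or link the user.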


Scope Tab

Set Full Scope Allowed to ON.

Step 3: Copy the certificate from the realm.

Go to Realm Settings -> Keys -> RS256 -> click Certificate -> copy it.

Step 4: Set up GitLab.

SSH into the GitLab server and take a backup of the gitlab.rb file.

cd /etc/gitlab/

Now open gitlab.rb in vim or nano, add the following lines (at the start or end of the file), and save it.

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# false: accounts created on first SAML login are active immediately;
# set to true if an administrator should approve them first
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.server.com/users/auth/saml/callback',
      # paste the certificate copied from the realm between the BEGIN/END lines
      idp_cert: "-----BEGIN CERTIFICATE-----\n<paste your certificate here>\n-----END CERTIFICATE-----\n",
      # the realm name in this URL is case-sensitive: use it exactly as created in Keycloak
      idp_sso_target_url: 'https://keycloak.server.com/auth/realms/devops/protocol/saml/clients/gitlab.server.com',
      issuer: 'gitlab.server.com',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    },
    label: 'KEYCLOAK LOGIN'
  }
]
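The idp_cert value is the one part of this configuration that is easy to get subtly wrong: the certificate copied in Step 3 has to land inside the BEGIN/END lines as valid PEM, and GitLab will silently reject assertions if it does not parse or has expired. The Ruby script below is an added example, not code from the post or from GitLab; it assumes that the Keycloak Keys dialog shows the certificate as a bare base64 body without BEGIN/END lines (which is why the template above wraps it), wraps such a body into PEM, and then parses it with OpenSSL to report subject, expiry and SHA-256 fingerprint before the value is pasted into gitlab.rb. Because it must run offline, it generates a self-signed stand-in certificate; the CN=devops subject mirrors the assumption that Keycloak names the realm certificate after the realm.

```ruby
require "openssl"
require "base64"

# Wrap the base64 body copied from Keycloak (Realm Settings -> Keys -> Certificate)
# into the PEM form that gitlab.rb's idp_cert expects.
# Assumption: the Keys dialog shows only the base64 DER, without BEGIN/END lines.
def pem_from_keycloak_body(body)
  b64 = body.gsub(/\s+/, "") # drop line breaks and spaces picked up while copying
  unless b64.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
    raise ArgumentError, "certificate body is not base64"
  end
  "-----BEGIN CERTIFICATE-----\n#{b64.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
end

# Parse the PEM and report what to check before pasting it into gitlab.rb:
# that it parses at all, whose key it is, and whether it has already expired.
def inspect_idp_cert(pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem) # raises OpenSSL::X509::CertificateError on bad input
  {
    subject: cert.subject.to_s,
    not_after: cert.not_after,
    expired: cert.not_after < now,
    sha256_fingerprint: OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(":").upcase
  }
end

# Constructed stand-in for the realm's RS256 certificate so the check runs offline;
# a real run uses the certificate copied from Keycloak instead.
def constructed_realm_cert(days_valid: 365)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=devops") # assumed: Keycloak uses the realm name as CN
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days_valid * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# What the Keys dialog displays: base64 DER on a single line
def keycloak_style_body(cert)
  Base64.strict_encode64(cert.to_der)
end

if $PROGRAM_NAME == __FILE__
  pem = pem_from_keycloak_body(keycloak_style_body(constructed_realm_cert))
  puts pem
  p inspect_idp_cert(pem)
end
```

When the realm key is rotated in Keycloak, the fingerprint printed here changes; keeping the last known fingerprint next to the gitlab.rb backup makes it obvious whether a sudden SAML failure is a certificate change on the IdP side.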

Step 5: Reconfigure GitLab.

Run this command on the GitLab server:

gitlab-ctl reconfigure

Browse to your GitLab server; the sign-in page now offers a KEYCLOAK LOGIN button alongside the usual login form.

Enjoy GitLab with Keycloak authentication.
