Single Sign Ons for GitLab with Microsoft Entra ID and OpenID

Ambar Hassani
4 min read, May 17, 2024

The benefits of SSO with Azure AD, now rebranded as Microsoft Entra ID, are well known, so I won’t go into the nuances here. In this blog, we will run through a simple workflow for integrating GitLab with Microsoft Entra ID to provide SSO capabilities.

While GitLab instances can be hosted in a variety of ways, we will use a dockerized instance via docker-compose. Alternatively, one can also host it on a Kubernetes platform; please check out my other post, Data on Kubernetes with PowerFlex CSI., GitLab-as-a-service with Keycloak SSO | by Ambar Hassani | Medium, which deals with GitLab and Keycloak SSO.

Once you understand the Microsoft Entra ID workflow described here, the same configuration can be applied to a Kubernetes-based GitLab deployment.

For now, let’s stick to the docker-compose method.

Let’s begin!

Register a new application in Microsoft Entra ID (previously referred to as Azure AD)

Ensure that the platform is selected as “Web” and that the correct redirect URL for your GitLab instance is provided.

The format would be https://gitlab.example.com/users/auth/azure_activedirectory_v2/callback

In my case, the GitLab instance runs on port 10443, so the port is appended to the URL accordingly:

https://gitlab1.poc.thecloudgarage.com:10443/users/auth/azure_activedirectory_v2/callback

Note the Application (Client) ID and the Tenant ID. These will be required in the GitLab configuration.

Add a client secret

Upon creation, make sure to copy the value of the secret, as it will not be displayed again.

Provide API permissions for the Microsoft Graph API

Add the delegated permissions email, openid and profile.

Create the users in the tenant; nothing complex there, just follow the wizard. I already have a few created which I will reuse in this example.

While there is a lot more scope for fine-tuning access and scope restrictions along with other variables, for now we will work with this basic setup.

GitLab configuration

Create the directories for volume persistence on the dockerized host. Once they exist, ensure that the SSL certificate files (.crt and .key) are copied into the certs sub-directory.

mkdir -p $HOME/gitlab/{config,data,logs,certs}

Create the docker-compose.yaml file under the gitlab directory. Ensure that the client id value is replaced with the Application (client) ID, the client secret with the “value” of the application secret, and the tenant id with your Tenant ID.

version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'gitlab1.poc.thecloudgarage.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # nginx listens on the port given in external_url (10443 here)
        external_url 'https://gitlab1.poc.thecloudgarage.com:10443'
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
        letsencrypt['enable'] = false
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_activedirectory_v2']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_providers'] = [
          {
            "name" => "azure_activedirectory_v2",
            label: "Azure AD v2",
            args: {
              # Application (client) ID, client secret value and Tenant ID from Entra ID
              "client_id" => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
              "client_secret" => "xxxxxxxxxxxxxxxxxxxxxxxxxx",
              "tenant_id" => "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            }
          }
        ]
    ports:
      - '10443:10443'
      - '2224:22'
    volumes:
      - '$PWD/config:/etc/gitlab'
      - '$PWD/logs:/var/log/gitlab'
      - '$PWD/data:/var/opt/gitlab'
      - '$PWD/certs/gitlab1.poc.thecloudgarage.com.crt:/etc/gitlab/ssl/gitlab1.poc.thecloudgarage.com.crt'
      - '$PWD/certs/gitlab1.poc.thecloudgarage.com.key:/etc/gitlab/ssl/gitlab1.poc.thecloudgarage.com.key'
    shm_size: '256m'
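Before bringing the stack up, it is worth confirming that the redirect URI registered in Entra ID really matches the callback GitLab will send, since a forgotten port or a wrong provider name in the path is the usual cause of a failed login. The following Python preflight check is an added example, not part of the original post: it derives the callback from the external_url in GITLAB_OMNIBUS_CONFIG and compares it component by component with the registered URIs; the sample config block and the registered URIs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

PROVIDER = "azure_activedirectory_v2"  # OmniAuth provider name used in GITLAB_OMNIBUS_CONFIG
# Constructed sample: the relevant lines of the compose file's GITLAB_OMNIBUS_CONFIG block.
SAMPLE_OMNIBUS = """
external_url 'https://gitlab1.poc.thecloudgarage.com:10443'
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_activedirectory_v2']
"""

def external_url_from_omnibus(config: str) -> str:
    """Pull external_url out of a GITLAB_OMNIBUS_CONFIG block (single- or double-quoted)."""
    m = re.search(r"""^\s*external_url\s+['"]([^'"]+)['"]""", config, re.MULTILINE)
    if not m:
        raise ValueError("external_url not found in GITLAB_OMNIBUS_CONFIG")
    return m.group(1)

def callback_url(external_url: str, provider: str = PROVIDER) -> str:
    """Derive the redirect_uri GitLab sends: <external_url>/users/auth/<provider>/callback."""
    parts = urlsplit(external_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"external_url is not an absolute URL: {external_url!r}")
    # Keep a relative-URL root (https://host/gitlab) but never emit a double slash.
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}/users/auth/{provider}/callback"

def diff_redirect(expected: str, registered: list[str]) -> dict:
    """Compare the derived callback with each registered URI, component by component.
    Returns {registered_uri: [problems]}; an empty list means that entry matches exactly."""
    e = urlsplit(expected)
    report = {}
    for uri in registered:
        r = urlsplit(uri)
        problems = []
        if r.scheme != e.scheme:
            problems.append(f"scheme {r.scheme} != {e.scheme}")
        if (r.hostname or "").lower() != (e.hostname or "").lower():
            problems.append(f"host {r.hostname} != {e.hostname}")
        if r.port != e.port:  # forgetting :10443 is the classic mismatch with a non-standard port
            problems.append(f"port {r.port or 'default'} != {e.port or 'default'}")
        if r.path != e.path:  # a wrong provider name (e.g. azure_oauth2) shows up here
            problems.append(f"path {r.path} != {e.path}")
        if r.scheme == "http" and r.hostname not in ("localhost", "127.0.0.1"):
            problems.append("Entra ID accepts http redirect URIs only for localhost")
        report[uri] = problems
    return report

def redirect_ok(omnibus_config: str, registered: list[str]) -> bool:
    """True when at least one registered redirect URI matches the callback derived from external_url."""
    expected = callback_url(external_url_from_omnibus(omnibus_config))
    return any(not p for p in diff_redirect(expected, registered).values())
```

The compose file holds the client secret in plaintext, so keep it out of version control and readable only by the account that runs docker-compose.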

Run docker-compose up -d and log in to GitLab via the Azure AD icon.

Follow the OIDC workflow via Microsoft Entra ID. Log in with the user principal name created in the tenant.

If this is the first login, follow the usual course to reset the initial password, etc. If the configuration has been done correctly, you will be successfully authenticated and redirected to the GitLab portal.

That’s it for now!

cheers

Ambar@thecloudgarage

#iwork4dell
