Skip to main content

GitLab

This guide explains how to integrate GitLab Single Sign-On (SSO) with the platform, allowing users to authenticate using their GitLab credentials.

  1. Create A GitLab App

    Navigate to the GitLab User Settings > Applications page and create a new application with the following settings:

    info

    GitLab generates a $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET for your OAuth application. These credentials are required for the next step.

  2. Create Platform config For GitLab

    To set up GitLab SSO in the platform:

    • Access the platform's administrative interface.
    • Navigate to the Admin > Config section.
    • Modify your configuration as shown in the example below:
    GitLab SSO configuration
    auth:
      # Tell loft to use gitlab authentication
      gitlab:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
        clientId: $GITLAB_CLIENT_ID
        # ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
        clientSecret: $GITLAB_CLIENT_SECRET
        # Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
        redirectURI: https://vcluster-platform.my.domain/auth/gitlab/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) BaseURL of the gitlab instance,
        # default = https://gitlab.com
        baseURL: https://my-gitlab-instance.com
        # (Optional) Optional groups whitelist, communicated through the "groups" scope.
        # If groups is omitted, all of the user's GitLab groups are returned.
        # If groups is provided, this acts as a whitelist - only the user's GitLab
        # groups that are in the configured groups below will go into the groups claim.
        # Conversely, if the user is not in any of the configured groups, the user will
        # not be authenticated.
        groups:
          - my-group

  3. Authenticate via GitLab

    After saving the new configuration, the platform should restart automatically. Users can now log in using their GitLab credentials.

  4. Disable Username + Password Authentication (optional)

    To turn off password-based authentication, navigate to Admin > Config add these two lines to your config:

    Disable password-based authentication
    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication