Integration with GitLab

Interlock Configuration

  1. Log into Interlock.
  2. Go to SSO Applications.
  3. Create an application with the following details:
    • Name: Proxmox VE
    • Enabled: True
    • Redirect URI: https://gitlab.example.com/users/auth/openid_connect/callback
    • Response Types: code
    • Scopes: Default (openid, profile, email, groups)
  4. Once the SSO Application has been created, open it’s View dialog to copy the Client ID and Client Secret.

GitLab CE/EE Configuration

Within your /etc/gitlab/gitlab.rb config file, set the following parameters:

## INTERLOCK SSO
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']

### Set this if you wish to auto-sign-in
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'

gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
gitlab_rails['omniauth_providers'] = [
  {
    name: 'openid_connect',
    label: 'Interlock SSO',
    args: {
      name: 'openid_connect',
      scope: ['openid','profile','email'],
      response_type: 'code',
      issuer: 'https://interlock.example.com/openid',
      discovery: true,
      client_auth_method: 'query',
      uid_field: 'preferred_username',
      send_scope_to_token_endpoint: 'true',
      pkce: true,
      client_options: {
        identifier: 'your-client-id',
        secret: 'your-client-secret',
        redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'
      }
    }
  }
]