How to set up SSO authentication with GitLab as Identity Provider?

How to set up SSO (Single Sign-On) user authentication using GitLab as a custom Identity Provider.

In this article, we’ll describe the whole process of adding GitLab as an Identity Provider so that users can log in with a GitLab account.

Note: SSO user authentication is tied to the realms concept, so we recommend this article as a starting point, since you need to have at least one realm set up.


Configure GitLab application

To use GitLab as an OAuth provider, you need to set up an application that allows it to connect to flespi. Click on the user icon and go to Preferences > Applications, then click on ‘Add new application’.

Now specify a name of your choice (e.g. ‘Gitlab Auth for flespi’), the redirect URI 'https://flespi.io/auth/callback', and check the ‘Confidential’ and ‘read_user’ checkboxes.

After you fill out this information, GitLab will prompt you to copy the Application ID and Secret values (we will need them to configure the Identity Provider on the flespi side). Don’t forget to click on ‘Continue’ to save the application.

Set up Identity Provider on flespi

Proceed to the Access management section in the main menu. Click on Identity providers to create a new one. Select Custom OAuth 2.0 Identity Provider from the dropdown menu, choose a name (e.g. Gitlab), and paste the corresponding values from the previous step into the ‘Client ID’ and ‘Client secret’ fields. The following URLs are taken from GitLab (you can find them listed here):

- Auth URL: https://gitlab.com/oauth/authorize

- Token URL: https://gitlab.com/oauth/token

- Info URL: https://gitlab.com/api/v4/user

Add the ‘read_user’ scope as configured previously in the GitLab application. Also, make sure to provide at least a name in the 'Public information' section if you don’t want to use a logo or make up a description right now. Click ‘Save’.

To assign any Identity Provider, you need a realm with standard access to the root account. To link your realm with an Identity Provider, navigate to Access management > Realms > 'Your realm' > Providers tab, then click the ‘+’ button and select GitLab from the list.

If you want to allow user registration or login with the Identity Provider, make sure its 'power' button is lit green. Then you can enable or disable automatic registration by clicking on the ‘shield’ sign (green means registration is allowed, and red means it is prohibited).

To provide users with a login/registration link, click on Login in the top-right corner or use https://flespi.io/#/realm/{public_realm_id}. Now, if the user follows the link, the realm authentication page will show up - users can authenticate using the configured Identity Provider and save the realm for future use.

Clicking GitLab will lead the user to the GitLab authorization page requesting permission to access the account.

After authorization, the user will be redirected to your realm login page and offered the option to save the realm for future use.

Done!
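
For reference, this is how the Auth URL, Token URL, Info URL, redirect URI and ‘read_user’ scope configured above are used in a standard OAuth 2.0 authorization code flow. It is an added example, not flespi's or GitLab's own code; the function names are hypothetical and the client ID, secret and state values are whatever the caller supplies.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints, redirect URI and scope as given in the article.
AUTH_URL = "https://gitlab.com/oauth/authorize"
TOKEN_URL = "https://gitlab.com/oauth/token"
INFO_URL = "https://gitlab.com/api/v4/user"
REDIRECT_URI = "https://flespi.io/auth/callback"
SCOPE = "read_user"


def authorization_url(client_id, state):
    """Step 1: where the browser is sent (Auth URL).
    `state` should be a fresh random value per login, e.g. secrets.token_urlsafe()."""
    query = urlencode({"client_id": client_id, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "scope": SCOPE, "state": state})
    return f"{AUTH_URL}?{query}"


def code_from_callback(callback_url, expected_state):
    """Step 2: check the redirect back from GitLab and return the authorization code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback is not the registered redirect URI")
    params = parse_qs(parts.query)
    if "error" in params:  # e.g. the user declined the permission prompt
        raise ValueError("provider error: " + params["error"][0])
    state = params.get("state", [""])[0]
    # A state that differs from the one issued in step 1 means the response does
    # not belong to this login attempt (login CSRF); compare in constant time.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request(client_id, client_secret, code):
    """Step 3: server-side POST to the Token URL; the secret never reaches the browser."""
    return TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                       "client_id": client_id, "client_secret": client_secret,
                       "redirect_uri": REDIRECT_URI}


def userinfo_request(access_token):
    """Step 4: GET to the Info URL; read_user grants read-only profile access."""
    return INFO_URL, {"Authorization": f"Bearer {access_token}"}
```

The redirect URI sent in steps 1 and 3 has to match the one registered in the GitLab application exactly, which is why a typo in that field makes the login fail at the GitLab authorization page.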


See also
How to set up SSO (Single Sign-On) user authentication using Google as a custom Identity Provider.