GitLab Authentication

STEP 1

Create A GitLab App

In GitLab, navigate to User Settings > Applications and create a new application with the following settings:

Application name: Loft Login via GitLab
Redirect URI: https://loft.yourcompany.tld/auth/gitlab/callback = https:// + $LOFT_HOSTNAME + /auth/gitlab/callback
Scopes: read_user + openid

Remember the $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET that GitLab generates for your OAuth application because you will need it in the next step.

STEP 2

Create Loft Config For GitLab

To tell Loft to use gitlab for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
  # Tell loft to use gitlab authentication
  gitlab:
    # 
    # 
    # REQUIRED CONFIGURATION
    #
    #
    # ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
    redirectURI: https://loft.my.domain/auth/gitlab/callback
    # 
    # 
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) BaseURL of the gitlab instance, 
    # default = https://gitlab.com
    baseURL: https://my-gitlab-instance.com
    # (Optional) Optional groups whitelist, communicated through the "groups" scope.
    # If groups is omitted, all of the user's GitLab groups are returned.
    # If groups is provided, this acts as a whitelist - only the user's GitLab 
    # groups that are in the configured groups below will go into the groups claim. 
    # Conversely, if the user is not in any of the configured groups, the user will
    # not be authenticated.
    groups:
    - my-group
    # (Optional) Cluster Account Templates that will be automatically added for new users 
    # logging in through this authentication
    clusterAccountTemplates: 
      # The name of the cluster account template
    - name: my-cluster-account-template
      sync: true
    # (Optional) A mapping between groups and cluster account templates. 
    # If the user has a certain group, the cluster account template 
    # will be added during creation
    groupClusterAccountTemplates:
      # Name of the group from the token
      - group: my-group
        # Names of the cluster account templates to apply
        clusterAccountTemplates: 
        - name: my-cluster-account-template
          sync: true

STEP 3

Authenticate via GitLab

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitLab.

STEP 4

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:
  oidc: ...             # This is your SSO configuration (make sure this is working!)
  password:
    disabled: true      # Disable password-based authentication