GitLab Authentication

STEP 1

Create A GitLab App

In GitLab, navigate to User Settings > Applications and create a new application with the following settings:

Remember the $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET that GitLab generates for your OAuth application because you will need it in the next step.

STEP 2

Create Loft Config For GitLab

To tell Loft to use gitlab for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
# Tell loft to use gitlab authentication
gitlab:
#
#
# REQUIRED CONFIGURATION
#
#
# ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
clientId: $CLIENTID
# ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
clientSecret: $CLIENTSECRET
# Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
redirectURI: https://loft.my.domain/auth/gitlab/callback
#
#
# OPTIONAL CONFIGURATION
#
#
# (Optional) BaseURL of the gitlab instance,
# default = https://gitlab.com
baseURL: https://my-gitlab-instance.com
# (Optional) Optional groups whitelist, communicated through the "groups" scope.
# If groups is omitted, all of the user's GitLab groups are returned.
# If groups is provided, this acts as a whitelist - only the user's GitLab
# groups that are in the configured groups below will go into the groups claim.
# Conversely, if the user is not in any of the configured groups, the user will
# not be authenticated.
groups:
- my-group
# (Optional) Cluster Account Templates that will be automatically added for new users
# logging in through this authentication
clusterAccountTemplates:
# The name of the cluster account template
- name: my-cluster-account-template
# (Optional) A mapping between groups and cluster account templates.
# If the user has a certain group, the cluster account template
# will be added during creation
groupClusterAccountTemplates:
# Name of the group from the token
- group: my-group
# Names of the cluster account templates to apply
clusterAccountTemplates:
- name: my-cluster-account-template
STEP 3

Authenticate via GitLab

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitLab.

STEP 4

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:
oidc: ... # This is your SSO configuration (make sure this is working!)
password:
disabled: true # Disable password-based authentication