GitLab Authentication

STEP 1

Create A GitLab App

In GitLab, navigate to User Settings > Applications and create a new application with the following settings:

• Application name: Loft Login via GitLab
• Redirect URI: https://loft.yourcompany.tld/auth/gitlab/callback = https:// + $LOFT_HOSTNAME + /auth/gitlab/callback
• Scopes: read_user + openid

Remember the $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET that GitLab generates for your OAuth application because you will need it in the next step.

STEP 2

Create Loft Config For GitLab

To tell Loft to use gitlab for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:

# Tell loft to use gitlab authentication

gitlab:

#

#

# REQUIRED CONFIGURATION

#

#

# ClientID for the gitlab authentication. Can be string literal or pulled from the environment.

clientId: $CLIENTID

# ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.

clientSecret: $CLIENTSECRET

# Callback URL in the form of https://your-loft-domain/auth/gitlab/callback

redirectURI: https://loft.my.domain/auth/gitlab/callback

#

#

# OPTIONAL CONFIGURATION

#

#

# (Optional) BaseURL of the gitlab instance,

# default = https://gitlab.com

baseURL: https://my-gitlab-instance.com

# (Optional) Optional groups whitelist, communicated through the "groups" scope.

# If groups is omitted, all of the user's GitLab groups are returned.

# If groups is provided, this acts as a whitelist - only the user's GitLab

# groups that are in the configured groups below will go into the groups claim.

# Conversely, if the user is not in any of the configured groups, the user will

# not be authenticated.

groups:

- my-group

# (Optional) Cluster Account Templates that will be automatically added for new users

# logging in through this authentication

clusterAccountTemplates:

# The name of the cluster account template

- name: my-cluster-account-template

# (Optional) A mapping between groups and cluster account templates.

# If the user has a certain group, the cluster account template

# will be added during creation

groupClusterAccountTemplates:

# Name of the group from the token

- group: my-group

# Names of the cluster account templates to apply

clusterAccountTemplates:

- name: my-cluster-account-template

STEP 3

Authenticate via GitLab

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitLab.

STEP 4

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:

oidc: ... # This is your SSO configuration (make sure this is working!)

password:

disabled: true # Disable password-based authentication