GitLab
Create A GitLab App
In GitLab, navigate to
User Settings > Applications
and create a new application with the following settings:- Application name: Loft Login via GitLab
- Redirect URI: https://loft.yourcompany.tld/auth/gitlab/callback =
https:// + $LOFT_HOSTNAME + /auth/gitlab/callback
- Scopes:
read_user
+openid
Remember the
$GITLAB_CLIENT_ID
and$GITLAB_CLIENT_SECRET
that GitLab generates for your OAuth application because you will need it in the next step.Create Loft Config For GitLab
To tell Loft to use gitlab for SSO, navigate to
Admin > Config
in Loft and adjust your config as shown below:auth:
# Tell loft to use gitlab authentication
gitlab:
#
#
# REQUIRED CONFIGURATION
#
#
# ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
clientId: $CLIENTID
# ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
clientSecret: $CLIENTSECRET
# Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
redirectURI: https://loft.my.domain/auth/gitlab/callback
#
#
# OPTIONAL CONFIGURATION
#
#
# (Optional) BaseURL of the gitlab instance,
# default = https://gitlab.com
baseURL: https://my-gitlab-instance.com
# (Optional) Optional groups whitelist, communicated through the "groups" scope.
# If groups is omitted, all of the user's GitLab groups are returned.
# If groups is provided, this acts as a whitelist - only the user's GitLab
# groups that are in the configured groups below will go into the groups claim.
# Conversely, if the user is not in any of the configured groups, the user will
# not be authenticated.
groups:
- my-groupAuthenticate via GitLab
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitLab.
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to
Admin > Config
add these two lines to your config:auth:
oidc: ... # This is your SSO configuration (make sure this is working!)
password:
disabled: true # Disable password-based authentication