Open nhh opened 2 years ago
I had some trouble setting this up, maybe its helpful? https://github.com/sameersbn/docker-gitlab/issues/2282#issuecomment-1100002239
Same issue with me. Seems to be a gitlab config issue. I will try SAML auth and see if that improves things :)
Can confirm that SAML SSO works! Here is the relevant gitlab config:
- OAUTH_ENABLED=true
# uncomment then gitlab sign-in is not shown
#- OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=saml
- OAUTH_AUTO_LINK_SAML_USER=true
- OAUTH_BLOCK_AUTO_CREATED_USERS=false
- OAUTH_ALLOW_SSO=saml
- OAUTH_AUTO_LINK_USER=true
- OAUTH_EXTERNAL_PROVIDERS=saml
# SAML
- OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=https://gitlab.example.com/users/auth/saml/callback
- OAUTH_SAML_IDP_CERT_FINGERPRINT=<key>
- OAUTH_SAML_IDP_SSO_TARGET_URL=https://keycloak.example.com/auth/realms/[realm]/protocol/saml
- OAUTH_SAML_ISSUER=gitlab.example.com
- OAUTH_SAML_LABEL=Login with keycloak
- OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- OAUTH_SAML_GROUPS_ATTRIBUTE=roles
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=email
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=name
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=name
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=first_name
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=last_name
@nhh Hello, has the problem been solved? I currently have the same problem as you. No matter which account I pass verification with on Keycloak, it is the same account when I arrive at GitLab.
@shaxiaozz I have solved it, but I don't remember how. I need to look it up.
@nhh Can you help me? Best Regards
@shaxiaozz I will let you know what I did! 👍
@nhh Thank you, looking forward to your reply!
@nhh I'm sorry, but I couldn't help bothering you. Have you been able to recall how you solved it? Thanks
This is our current configuration. I believe it has to do with the explicit setting of OAUTH2_GENERIC_USER_UID and OAUTH2_GENERIC_USER_EMAIL.
- OAUTH_ENABLED=true
- OAUTH_ALLOW_SSO=Keycloak
- OAUTH_BLOCK_AUTO_CREATED_USERS=false
- OAUTH_AUTO_LINK_LDAP_USER=false
- OAUTH_AUTO_LINK_SAML_USER=true
- OAUTH2_GENERIC_NAME=Keycloak
- OAUTH2_GENERIC_APP_ID=git
- OAUTH2_GENERIC_APP_SECRET=SECRET
- OAUTH2_GENERIC_CLIENT_SITE=https://DOMAIN
- OAUTH2_GENERIC_CLIENT_USER_INFO_URL=https://DOMAIN/realms/REALM/protocol/openid-connect/userinfo
- OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=https://DOMAIN/realms/REALM/protocol/openid-connect/auth
- OAUTH2_GENERIC_CLIENT_TOKEN_URL=https://DOMAIN/realms/REALM/protocol/openid-connect/token
- OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=https://DOMAIN/realms/REALM/protocol/openid-connect/logout
- OAUTH2_GENERIC_ID_PATH=sub
- OAUTH2_GENERIC_USER_UID=email
- OAUTH2_GENERIC_USER_NAME=name
- OAUTH2_GENERIC_USER_EMAIL=email
Hope it helps!
EDIT: Also set OAUTH2_GENERIC_APP_ID=git explicitly to "git".
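The symptom in this thread (every Keycloak user lands in the same GitLab account) is what you get when the claim that identifies a user is unset or empty for everyone, and auto-link then links all of them to one existing user. The script below is an added example, not code from docker-gitlab, GitLab or Keycloak: it parses `- KEY=VALUE` lines like the ones posted above, evaluates the claims named by the identity-related variables over sample userinfo payloads, and refuses to call the mapping safe unless every mapped claim is present and unique per user. It serves both the generic OAuth2 mapping here and the SAML attribute-statement mapping earlier in the thread. Which variables GitLab actually consults for uid and email, and in what order, is an assumption of this model; the userinfo payloads and the "before" environment are constructed.

```python
"""Sanity-check an identity mapping before enabling auto-link.

Added example, not docker-gitlab/GitLab/Keycloak code. Model: each configured
variable names a claim in the provider's user response; the value at that
claim is what the application uses to identify or link the user. If the
variable is unset, or the claim is missing, every user resolves to the same
empty value and auto-link merges them into one account.
"""
from typing import Any, Dict, Iterable, Optional

# Assumption: these variables name the identity-bearing claims for the
# generic OAuth2 provider (paths into the userinfo JSON).
OIDC_IDENTITY_KEYS = (
    "OAUTH2_GENERIC_ID_PATH",
    "OAUTH2_GENERIC_USER_UID",
    "OAUTH2_GENERIC_USER_EMAIL",
)
# The SAML counterpart from earlier in the thread (plain attribute names).
SAML_IDENTITY_KEYS = (
    "OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL",
    "OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME",
)


def parse_env(lines: Iterable[str]) -> Dict[str, str]:
    """Parse docker-compose style '- KEY=VALUE' lines; '#' starts a comment."""
    cfg: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("- "):
            line = line[2:].strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def claim_at(payload: Dict[str, Any], path: str) -> str:
    """Value at a dotted claim path ('a.b'), or '' when unset or missing."""
    if not path:
        return ""
    node: Any = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return "" if node is None else str(node)


def check_mapping(cfg: Dict[str, str], userinfos, keys: Iterable[str] = OIDC_IDENTITY_KEYS
                  ) -> Dict[str, Optional[str]]:
    """Per config key: None if the mapped claim is present and unique for every user, else why not."""
    report: Dict[str, Optional[str]] = {}
    for key in keys:
        path = cfg.get(key, "")
        if not path:
            report[key] = "unset: every user maps to the empty value"
            continue
        values = [claim_at(u, path) for u in userinfos]
        missing = sum(1 for v in values if v == "")
        if missing:
            report[key] = f"claim '{path}' missing for {missing} of {len(values)} users"
        elif len(set(values)) != len(values):
            report[key] = f"claim '{path}' is not unique across users"
        else:
            report[key] = None
    return report


def safe_to_autolink(cfg: Dict[str, str], userinfos, keys: Iterable[str] = OIDC_IDENTITY_KEYS) -> bool:
    """True only when no identity claim is unset, missing or shared between users."""
    return all(v is None for v in check_mapping(cfg, userinfos, keys).values())


# Constructed userinfo responses; field names follow Keycloak's openid-connect/userinfo shape.
USERINFO = [
    {"sub": "0f6a2c3e-0001-4b1c-9d7e-000000000001", "email": "john.doe@example.com",
     "name": "John Doe", "preferred_username": "jdoe"},
    {"sub": "0f6a2c3e-0002-4b1c-9d7e-000000000002", "email": "nhanft@example.com",
     "name": "Niklas Hanft", "preferred_username": "nhanft"},
]

# Constructed "before" environment: the posted mapping minus the two variables that mattered.
ENV_BEFORE = [
    "- OAUTH_ENABLED=true",
    "- OAUTH_AUTO_LINK_SAML_USER=true",
    "- OAUTH2_GENERIC_NAME=Keycloak",
    "- OAUTH2_GENERIC_ID_PATH=sub",
    "- OAUTH2_GENERIC_USER_NAME=name",
]
ENV_AFTER = ENV_BEFORE + [
    "- OAUTH2_GENERIC_USER_UID=email",
    "- OAUTH2_GENERIC_USER_EMAIL=email  # trailing comments are tolerated",
]

if __name__ == "__main__":
    for label, env in (("before", ENV_BEFORE), ("after", ENV_AFTER)):
        cfg = parse_env(env)
        print(label, "safe to auto-link:", safe_to_autolink(cfg, USERINFO))
        for key, problem in check_mapping(cfg, USERINFO).items():
            print("  ", key, "->", problem or "ok")
```

Run it against real userinfo responses (for example the JSON returned by the `openid-connect/userinfo` endpoint for two different test accounts) before setting OAUTH_AUTO_LINK_*_USER=true: a mapping that reports "unset" or "not unique" is the condition under which one login can land in another person's account.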
@nhh Awesome, I verified this configuration, very useful. Thank you so much!!!
Thank you very much, this problem has been bugging me for days!!!
Best Regards!!!
Glad I was able to help 😇
This is my configuration:
Every time a Keycloak user clicks the Keycloak button to log in, he gets logged in with my user account.
For example:
John Doe => logs in via keycloak => gets Niklas Hanft as Gitlab user.
User creation with SSO is enabled, but it is skipped when John Doe tries to log in (he has no account yet).
Every other application I am using with Keycloak does not behave this way, so I assume it's an issue with the GitLab config.