
GitLab SAML vs OIDC Docs

Open motey opened this issue 1 year ago • 8 comments

Describe your question

According to https://goauthentik.io/integrations/services/gitlab/ one should configure GitLab with a SAML provider. This comes with some caveats for me. E.g.

  • The cert fingerprint expires with the cert itself and I need to update it regularly (this may be a problem with my ignorance towards SAML)
  • IMHO: It's less intuitive to configure compared to OIDC

I just tried to achieve SSO via OIDC by following https://docs.gitlab.com/ee/administration/auth/oidc.html It just worked fine and there were no big hurdles.

example config:

        # Providers that may create a GitLab account on a user's first login
        gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
        # Keep email/profile in sync with what authentik asserts on each login
        gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
        gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
        gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
        # Skip GitLab's own sign-in page and go straight to authentik
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
        # false: auto-created users are active immediately; true: they wait for admin approval
        gitlab_rails['omniauth_block_auto_created_users'] = false
        # SAML-only setting; has no effect on the OIDC provider
        gitlab_rails['omniauth_auto_link_saml_user'] = true
        # Link an OIDC identity to an existing GitLab user with the same email
        gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'openid_connect',
            label: 'My Company OIDC Login',
            args: {
              name: 'openid_connect',
              scope: ['openid','profile','email'],
              response_type: 'code',
              # authentik's per-application issuer: https://<host>/application/o/<slug>/
              # It must match the issuer the provider advertises exactly, trailing slash included
              issuer: 'https://authentik.mycompany/application/o/gitlab-slug/',
              # Fetch the endpoints from <issuer>.well-known/openid-configuration
              discovery: true,
              # How the client credentials are passed to the token endpoint
              client_auth_method: 'query',
              # Claim stored as the identity's extern_uid; 'sub' is the stable choice,
              # preferred_username changes if the user is renamed in authentik
              uid_field: 'preferred_username',
              send_scope_to_token_endpoint: 'true',
              # Authorization code flow with PKCE
              pkce: true,
              client_options: {
                # Client ID and secret from the authentik provider. Ruby does not
                # expand ${...} inside single quotes, so these are placeholders
                identifier: '${OIDC_CLIENT_ID}',
                secret: '${OIDC_CLIENT_SECRET}',
                # Must match a redirect URI registered on the authentik provider exactly
                redirect_uri: 'https://gitlab.mycompany/users/auth/openid_connect/callback'
              }
            }
          }
        ]

Is there any reason why the docs prefer/suggest SAML? If not, can I help in any way to provide an OIDC how-to for GitLab?

motey avatar Jan 15 '24 10:01 motey

I've been beating my head against the wall for 4 days because I'm stuck in a redirect loop using SAML. Trying the OIDC login now.

PygBear avatar Mar 23 '24 01:03 PygBear

Feel free to submit a PR to add the OIDC setup to the documentation

rissson avatar Mar 25 '24 13:03 rissson

Feel free to submit a PR to add the OIDC setup to the documentation

OK, I would love to, but I don't know how. The specific docs are on the "compact" side of the spectrum https://docs.goauthentik.io/developer-docs/#help-with-the-docs :smile: There is no "docs" repo at https://github.com/goauthentik/ There is no "docs" dir in https://github.com/goauthentik/authentik Sorry, I am a bit lost.

motey avatar Mar 25 '24 14:03 motey

No worries! Instructions for contributing integrations docs are provided here: https://docs.goauthentik.io/developer-docs/docs/writing-documentation#integration-guidelines

rissson avatar Mar 25 '24 14:03 rissson

Thank you @motey for the example config :)

fayak avatar May 14 '24 15:05 fayak

I tried using OIDC from GitLab direct to ADFS and this didn't work, kept getting an error saying "Could not authenticate you from OpenIDConnect because "Access token invalid or expired""

I then decided to switch to SAML to try this instead but I agree with the problem listed originally "The cert fingerprint does expire with the cert itself and i need to update it regulary (This may be a problem with my ignorance towards SAML)"

It's not ideal, so I would prefer OIDC, only issue is doing a gitlab-ctl tail, doesn't show anything else other than:

./gitlab-rails/application_json.log:{"severity":"ERROR","time":"2024-05-15T09:36:37.136Z","correlation_id":"01HXXSRR5YDJ7AJG1YDBSPZAMK","message":"(openid_connect) Authentication failure! Access Token Invalid or Expired: OpenIDConnect::Unauthorized, Access Token Invalid or Expired"}

So I have no idea what to troubleshoot! Any ideas would be greatly appreciated

shanewhite97 avatar May 15 '24 12:05 shanewhite97

@shanewhite97 This is a pretty common error I get when there is something wrong with my config. Usually a typo; check your slug name and issuer/redirect URLs, etc. on both sides.

BTW: I do not want to be rude and this is just my opinion and I am not connected to authentik besides being a user; but please keep the issue clean. Issue littering is a thing. As can be interpreted from the past posts in this issue, OIDC does work with GitLab. People (including me) do run it this way. This is most likely a you-problem. You did not provide further details to conclude anything else. Maybe try to find help in the Discord channels https://goauthentik.io/discord . GitHub is the place to contribute to the project (code, docs, constructive feedback, bug reporting, feature requests). Managing these contributions alone is already extremely overwhelming for many open source projects. Mix in thousands of non-constructive "Help" calls in these contributions and the task is almost impossible. Thanks for your understanding.

motey avatar May 15 '24 12:05 motey
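The advice above boils down to comparing the two sides for typos. The following Python script is an added example, not code from this thread, from GitLab or from authentik: it performs those comparisons offline against a constructed discovery document and a hypothetical list of redirect URIs registered on the authentik provider. The hostnames and the slug are the placeholders from the gitlab.rb snippet earlier in the thread, and the "issuer must match exactly" and "/application/o/<slug>/" rules are the checks this script applies, so a dropped trailing slash, a misplaced slug or a redirect URI with an extra character shows up before the first login attempt.

```python
"""Offline consistency checks for a GitLab <-> authentik OIDC configuration."""
import json
from urllib.parse import urlsplit

# Constructed stand-in for the document authentik serves at
# <issuer>.well-known/openid-configuration; not a real capture.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://authentik.mycompany/application/o/gitlab-slug/",
    "authorization_endpoint": "https://authentik.mycompany/application/o/authorize/",
    "token_endpoint": "https://authentik.mycompany/application/o/token/",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

# Hypothetical redirect URIs registered on the authentik provider for GitLab.
REGISTERED_REDIRECTS = ["https://gitlab.mycompany/users/auth/openid_connect/callback"]

# Values mirroring the gitlab.rb snippet earlier in the thread (placeholders).
GITLAB_ISSUER = "https://authentik.mycompany/application/o/gitlab-slug/"
GITLAB_REDIRECT = "https://gitlab.mycompany/users/auth/openid_connect/callback"
GITLAB_SCOPES = ["openid", "profile", "email"]


def discovery_url(issuer: str) -> str:
    """URL GitLab fetches when discovery: true (issuer + /.well-known/openid-configuration)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_config(issuer, redirect_uri, scopes, discovery_json, registered_redirects):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    doc = json.loads(discovery_json)

    # 1. OIDC Discovery: the advertised issuer must equal the configured one
    #    byte for byte, so a dropped trailing slash is already a mismatch.
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: GitLab has {issuer!r}, provider advertises {doc.get('issuer')!r}")

    # 2. authentik issues per application under /application/o/<slug>/;
    #    anything else means the slug was pasted into the wrong place.
    parts = urlsplit(issuer).path.rstrip("/").split("/")
    if len(parts) != 4 or parts[1:3] != ["application", "o"]:
        problems.append(f"issuer path {urlsplit(issuer).path!r} is not /application/o/<slug>/")

    # 3. redirect_uri must be registered exactly; a trailing slash or http://
    #    instead of https:// is enough for the provider to refuse the callback.
    if redirect_uri not in registered_redirects:
        problems.append(f"redirect_uri {redirect_uri!r} is not registered on the provider")

    # 4. Every scope GitLab requests has to be one the provider advertises.
    missing = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not advertised by provider: {missing}")

    # 5. pkce: true on the GitLab side needs S256 on the provider side.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("provider does not advertise PKCE code_challenge_method S256")

    return problems


if __name__ == "__main__":
    # Same config once correct and once with the trailing slash dropped from the issuer.
    for issuer in (GITLAB_ISSUER, GITLAB_ISSUER.rstrip("/")):
        found = check_oidc_config(issuer, GITLAB_REDIRECT, GITLAB_SCOPES,
                                  DISCOVERY_DOC, REGISTERED_REDIRECTS)
        print(issuer, "->", found or "consistent")
```

To use it against a live setup, replace DISCOVERY_DOC with the JSON fetched from discovery_url(GITLAB_ISSUER) and REGISTERED_REDIRECTS with the redirect URIs shown on the authentik provider; the checks themselves stay the same.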

No worries, thanks for the reply, SAML is working so I'll stick with that for now. Have a good day :)

shanewhite97 avatar May 15 '24 13:05 shanewhite97