To set up Azure AD authentication for the Alerta web UI, you first register a new application in Azure AD and obtain a client ID and client secret for it.
Sign in to the Azure portal with your Azure AD account, open "Azure Active Directory" and choose "App registrations" to create the application.
Give the application a name, select "Web" as the platform and enter a redirect URI: the URL Azure AD sends users back to after they authenticate. Azure AD only redirects to URIs registered here, so the value must match the URL the Alerta web UI actually uses.
Under "Supported account types", choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" only if users from any Azure AD tenant should be able to sign in. For a single organisation, choose the single-tenant option so that only accounts from your own directory are accepted; otherwise any Azure AD account holder can complete the login step and you are relying entirely on authorization inside Alerta to keep them out.
Azure Active Directory
Azure Active Directory is a powerful tool for authentication and authorization. You can use it as the OpenID Connect authentication provider for Alerta by following these steps.
First, log in to the Azure portal at https://portal.azure.com/. Then, navigate to the "Azure Active Directory" service page. From the "Manage" sidebar, choose "App registrations" and click the "New registration" button. Fill in the "Register an application" form for your environment and click the "Register" button.
The AZURE_TENANT setting depends on the "Supported account types" choice: it is "common", "organizations", "consumers", or a specific tenant ID. To confirm which one applies, click the "Endpoints" button on the "Overview" page and look at the "OpenID Connect metadata document" URL; the path segment directly after login.microsoftonline.com is the value to use.
For example, the OpenID Connect metadata URL for "organizations" is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration. The Application (client) ID is shown on the same Overview page, for example 3aab3fa8-cb9b-457f-8283-811d1ebd4975.
The Alerta server configuration file also needs the client secret. Go to "Certificates & secrets", click "New client secret", add a description such as "Alerta Web UI" and choose an expiry time. Copy the secret value straight away (the portal shows it only at creation), for example jj2cw7~nc1.55l3.UAy8C3O9Ng-.~GYWYp, and note the expiry date: once it lapses, logins fail until a new secret is issued and configured. Treat the value like a password and keep it out of version control.
In summary, the App registration details you'll need are:
- the AZURE_TENANT value ("common", "organizations", "consumers" or your tenant ID), taken from the OpenID Connect metadata URL
- the Application (client) ID from the Overview page
- the client secret from "Certificates & secrets"
These details are what the Alerta server uses to authenticate users against Azure AD and authorize them.
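The following is an added example, not code from Alerta or the page: it derives the AZURE_TENANT value from the "OpenID Connect metadata document" URL copied from the Azure portal, rejecting v1.0 or mistyped URLs, and assembles the Alerta server settings with the client secret read from an environment variable instead of being typed into the file. The setting names AUTH_PROVIDER, OAUTH2_CLIENT_ID and OAUTH2_CLIENT_SECRET and the environment variable name AZURE_CLIENT_SECRET are assumptions, as is the tenant GUID used in the test.

```python
import os
import re
from urllib.parse import urlparse

# Fixed tenant aliases Azure AD accepts in place of a tenant ID.
TENANT_ALIASES = {"common", "organizations", "consumers"}
# Tenant IDs and Application (client) IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
METADATA_HOST = "login.microsoftonline.com"
METADATA_TAIL = ["v2.0", ".well-known", "openid-configuration"]


def tenant_from_metadata_url(url):
    """Return the AZURE_TENANT value embedded in a v2.0 metadata document URL.

    Accepts only https URLs on login.microsoftonline.com of the form
    /<tenant>/v2.0/.well-known/openid-configuration, where <tenant> is one of
    the aliases or a tenant ID GUID. Anything else raises ValueError so a
    typo or a v1.0 URL is caught before it reaches the server config.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc.lower() != METADATA_HOST:
        raise ValueError("not an https Azure AD metadata URL: %s" % url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 4 or segments[1:] != METADATA_TAIL:
        raise ValueError("unexpected metadata path: %s" % parts.path)
    tenant = segments[0].lower()
    if tenant in TENANT_ALIASES or GUID_RE.match(tenant):
        return tenant
    raise ValueError("unrecognised tenant value: %s" % tenant)


def alerta_azure_settings(metadata_url, client_id, environ=None):
    """Build the Alerta server settings for the Azure provider as a dict.

    The client secret is read from the AZURE_CLIENT_SECRET environment
    variable (assumed name) so it never has to be written into alertad.conf;
    a missing secret is an error rather than an empty string.
    """
    environ = os.environ if environ is None else environ
    if not GUID_RE.match(client_id):
        raise ValueError("client_id must be the Application (client) ID GUID")
    secret = environ.get("AZURE_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("AZURE_CLIENT_SECRET is not set; refusing to configure without a client secret")
    return {
        "AUTH_PROVIDER": "azure",
        "AZURE_TENANT": tenant_from_metadata_url(metadata_url),
        "OAUTH2_CLIENT_ID": client_id,
        "OAUTH2_CLIENT_SECRET": secret,
    }


if __name__ == "__main__":
    # Prints the settings in alertad.conf syntax, with the secret masked.
    url = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration"
    os.environ.setdefault("AZURE_CLIENT_SECRET", "example-only-not-a-real-secret")
    for key, value in alerta_azure_settings(url, "3aab3fa8-cb9b-457f-8283-811d1ebd4975").items():
        shown = "<redacted>" if key == "OAUTH2_CLIENT_SECRET" else value
        print("%s = %r" % (key, shown))
```

Running the script prints the four settings in the form they take in alertad.conf; the actual secret value stays in the environment of the process that starts the server.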
GitLab OAuth2
To use GitLab as the OAuth2 provider for Alerta, you'll need to create a new application on GitLab. Go to Profile Settings -> Applications -> New Application.
The most important setting is the Callback URL: the URL at which the Alerta Web UI is hosted, for example http://alerta.example.com. GitLab only redirects the authorization code to a registered callback, so the value must match the Web UI's URL exactly (scheme, host and port included); serve the UI over https in production so the code and the token exchanged for it are not sent in the clear.
To restrict access to users who are members of particular GitLab groups, set ALLOWED_GITLAB_GROUPS to the list of permitted groups. Setting it to an asterisk (*) forces users to log in but does not restrict which GitLab users can do so.
Use the asterisk only if every user of that GitLab instance (on gitlab.com, anyone with an account) should be able to reach Alerta; otherwise list the groups explicitly.
After you click Submit to save the application, GitLab shows the Application ID and Secret; take note of both, as they go into the Alerta server configuration. Keep the Secret out of version control, as it allows anyone holding it to impersonate your Alerta instance to GitLab.
To revoke access of your instance of Alerta to your GitLab user info at any time, go to Profile Settings -> Applications -> Authorized applications, find Alerta in the list, and click the Revoke button.
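As an added example (not Alerta's own code), here is the membership check that an ALLOWED_GITLAB_GROUPS setting implies, applied to the group list GitLab reports for a logged-in user. It assumes the groups come from the GitLab API's GET /api/v4/groups response, that matching is on each group's full_path (namespace/subgroup form), and that "*" means any authenticated user; the API response embedded below is constructed for the example. Note that membership of a subgroup does not make a user a member of its parent group, so only exact path matches are accepted.

```python
import json

# Constructed sample of what GET /api/v4/groups returns for one user
# (only the fields the check needs).
SAMPLE_GROUPS_JSON = json.dumps([
    {"id": 10, "name": "ops", "full_path": "acme/ops"},
    {"id": 11, "name": "sre", "full_path": "acme/ops/sre"},
    {"id": 12, "name": "dev", "full_path": "acme/dev"},
])


def user_groups(api_response):
    """Return the set of full group paths in a GitLab /groups JSON response."""
    return {g["full_path"] for g in json.loads(api_response)}


def login_decision(groups, allowed_groups):
    """Decide whether a user may log in, returning (allowed, reason).

    allowed_groups may be a list (the usual alertad.conf form) or a
    comma-separated string (environment-variable form). An empty policy
    fails closed so that a misconfiguration denies rather than admits.
    """
    if isinstance(allowed_groups, str):
        allowed = {g.strip() for g in allowed_groups.split(",") if g.strip()}
    else:
        allowed = {g.strip() for g in allowed_groups if g.strip()}
    if not allowed:
        return False, "ALLOWED_GITLAB_GROUPS is empty: denying all logins"
    if "*" in allowed:
        return True, "wildcard policy: any authenticated GitLab user is accepted"
    matched = sorted(set(groups) & allowed)
    if matched:
        return True, "member of allowed group(s): " + ", ".join(matched)
    return False, "user is not a member of any allowed group"


if __name__ == "__main__":
    groups = user_groups(SAMPLE_GROUPS_JSON)
    for policy in (["acme/ops"], ["acme/security"], "*", "acme/dev, acme/ops/sre", []):
        ok, reason = login_decision(groups, policy)
        print("%-28r -> %s (%s)" % (policy, "allow" if ok else "deny", reason))
```

The reason string is what you would log on every login decision: when an unexpected user gets in, the log should tell you which group admitted them.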
OIDC Providers
OpenID Connect (OIDC) providers give you a standardized way to authenticate users; Alerta can use providers such as Google, GitLab and Keycloak in this role.
Whichever provider you use, the OAuth2 settings must be configured correctly, especially when Alerta is deployed on a publicly accessible web server: set AUTH_REQUIRED so that unauthenticated requests are rejected, give SECRET_KEY a long random value of its own (it signs the tokens Alerta issues, so a guessable value lets anyone forge a login), and set AUTH_PROVIDER to the provider you are using.
For example, with Keycloak you create an OAuth client, take its client ID and client secret, and add them to the alertad.conf file for the Alerta server. Only users who complete the provider's login can then read or modify your alerts.
Setting up an OIDC provider is more involved than Basic Auth, but it keeps credentials out of Alerta entirely and lets the provider enforce its own password and MFA policy.
The specific steps vary between providers; consult the documentation for the one you are using.
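Before pointing Alerta at a provider, it is worth checking the provider's discovery document, because a wrong issuer URL or a plain-http endpoint will fail at login time in ways that are hard to diagnose. The following is an added example, not Alerta's or any provider's code: it validates a constructed discovery document shaped like a Keycloak realm's .well-known/openid-configuration against the issuer URL you intend to configure. The setting name OIDC_ISSUER_URL and the hostname sso.example.com are assumptions; in a real deployment the document is fetched from <issuer>/.well-known/openid-configuration over https.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document; field names follow OIDC Discovery.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.com/realms/alerta",
    "authorization_endpoint": "https://sso.example.com/realms/alerta/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/alerta/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/alerta/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(configured_issuer, document):
    """Return a list of problems with the discovery document; empty means usable.

    configured_issuer is the value you intend to put in OIDC_ISSUER_URL.
    Entries prefixed "warning:" are advisory; the rest would break or
    weaken the login flow.
    """
    problems = []
    doc = json.loads(document)
    for key in REQUIRED_URLS:
        if key not in doc:
            problems.append("missing %s" % key)
    if problems:
        return problems
    # OIDC Discovery requires the issuer value to equal the URL the document
    # was fetched from; only a trailing-slash difference is tolerated here.
    if doc["issuer"].rstrip("/") != configured_issuer.rstrip("/"):
        problems.append("issuer mismatch: document says %s, configured %s" % (doc["issuer"], configured_issuer))
    # Every endpoint carries a code, a token or signing keys, so http is never acceptable.
    for key in REQUIRED_URLS:
        if urlparse(doc[key]).scheme != "https":
            problems.append("%s is not https: %s" % (key, doc[key]))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not offered (required by OIDC Discovery)")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("warning: provider does not advertise S256 PKCE support")
    return problems


if __name__ == "__main__":
    issuer = "https://sso.example.com/realms/alerta"
    print("problems:", check_discovery(issuer, SAMPLE_DISCOVERY) or "none")
    print("problems:", check_discovery("https://sso.example.com/realms/other", SAMPLE_DISCOVERY))
```

Run the check once with the issuer string you plan to configure; an issuer mismatch usually means a realm name or proxy path differs between what the provider believes its public URL is and what you typed.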
User-Owned App
To create a user-owned application on GitLab:
- Select your avatar on the left sidebar and choose Edit profile.
- Select Applications from the left sidebar, then Add new application.
- Enter a Name and the Redirect URI. The Redirect URI is where GitLab sends users after they authorize, so it must be the exact URL of the endpoint that will handle the callback; GitLab will not redirect anywhere else.
- Select the scopes the application needs. GitLab's OAuth 2 scopes are described under Authorized Applications; grant only what the application actually uses (a login-only integration needs no more than an identity scope such as read_user or openid).
- Save the application.
GitLab then shows the Application ID and Secret, which you use in the application's OAuth configuration.