GitLab SSO Azure AD Integration Guide


To integrate GitLab SSO with Azure AD (now branded Microsoft Entra ID), you first create an application registration in the Azure portal. The registration gives you a client ID and a client secret, which you then put into the GitLab configuration.

Azure AD supports several OAuth 2.0 flows, including the authorization code flow and the client credentials flow. For user sign-in GitLab uses the authorization code flow: the user is redirected to Microsoft, signs in there, and GitLab exchanges the returned code for tokens. The client credentials flow has no user in it at all (it authenticates an application to an API), so it plays no part in SSO and needs no configuration here.

To begin, sign in to the Azure portal and open Azure Active Directory. Select App registrations, then New registration.

Migrate to OpenID Connect Configuration

GitLab 17.0 removed the azure_oauth2 provider, so instances that used it must migrate to the Generic OpenID Connect (omniauth_openid_connect) configuration in 17.0 and later. This means you'll need to change the provider entry in your configuration, not just rename it.

The uid_field is the crucial setting. It names the token claim GitLab stores as the user's external UID, and that UID is what ties an Azure identity to a GitLab account. The legacy providers used different claims: omniauth-azure-oauth2 used "sub", while omniauth-azure-activedirectory-v2 used "oid". Keep the same claim when you migrate; if the UID changes, existing users no longer match their accounts. The two claims also behave differently: "oid" is the user's object ID and is the same for every application in the tenant, while "sub" is a pairwise identifier that is specific to one application registration, so it changes if you move users to a different app registration.

Here's a table to help you keep track of the uid_field settings for the legacy providers:

  Provider (gem)                       Provider name in GitLab       uid_field to keep
  omniauth-azure-oauth2                azure_oauth2                  sub
  omniauth-azure-activedirectory-v2    azure_activedirectory_v2      oid

To migrate from omniauth-azure-oauth2 to omniauth_openid_connect, switch the entry to the OpenID Connect strategy while keeping uid_field "sub". To migrate from omniauth-azure-activedirectory-v2 to omniauth_openid_connect, do the same but keep uid_field "oid". In both cases keep the old provider name inside the new entry, so that the identities already stored for your users and the callback URL registered in Azure remain valid.
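As an added example (not GitLab's own code or documentation), the Ruby below builds the replacement openid_connect entry from a legacy azure_oauth2 or azure_activedirectory_v2 entry, keeps the provider name and the matching uid_field, and refuses a multi-tenant tenant_id. The key layout follows the Generic OpenID Connect provider as GitLab documents it; the helper names, the placeholder IDs and the pkce option (marked as an assumption) are this example's own. In gitlab.rb the returned hash is what goes into the gitlab_rails['omniauth_providers'] array.

```ruby
# Added example, not GitLab code: turn a legacy Azure provider entry into the
# openid_connect entry that replaces it, preserving the identity mapping.

# uid_field each legacy strategy used; the migrated provider must keep it so
# existing GitLab identities (provider name + external UID) still match.
LEGACY_UID_FIELD = {
  "azure_oauth2"             => "sub", # omniauth-azure-oauth2
  "azure_activedirectory_v2" => "oid", # omniauth-azure-activedirectory-v2
}.freeze

TENANT_GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

def migrate_to_openid_connect(legacy, gitlab_url:)
  name = legacy.fetch(:name)
  uid_field = LEGACY_UID_FIELD.fetch(name) do
    raise ArgumentError, "#{name} is not a legacy Azure provider"
  end
  args = legacy.fetch(:args)
  tenant = args.fetch(:tenant_id).to_s
  # Pin the issuer to one tenant. "common"/"organizations" are not a tenant
  # and would mean "any Microsoft tenant" if a strategy accepted them.
  unless tenant.match?(TENANT_GUID)
    raise ArgumentError, "tenant_id must be the tenant GUID, not #{tenant.inspect}"
  end

  {
    name: "openid_connect",             # fixed: selects the OIDC strategy
    label: legacy[:label] || "Azure OIDC",
    args: {
      name: name,                       # old provider name: identities and callback URL survive
      strategy_class: "OmniAuth::Strategies::OpenIDConnect",
      scope: %w[openid profile email],
      response_type: "code",            # authorization code flow
      issuer: "https://login.microsoftonline.com/#{tenant}/v2.0",
      client_auth_method: "query",
      discovery: true,                  # endpoints come from the tenant's discovery document
      pkce: true,                       # assumption: PKCE option as in GitLab's OIDC docs
      uid_field: uid_field,             # same claim the legacy strategy used
      client_options: {
        identifier: args.fetch(:client_id),
        secret: args.fetch(:client_secret),
        redirect_uri: "#{gitlab_url}/users/auth/#{name}/callback",
      },
    },
  }
end

# Constructed legacy entry with placeholder IDs (not a real tenant or app).
LEGACY_PROVIDER = {
  name: "azure_activedirectory_v2",
  label: "Microsoft",
  args: {
    client_id: "00000000-0000-0000-0000-000000000001",
    client_secret: "<client secret from the app registration>",
    tenant_id: "11111111-2222-3333-4444-555555555555",
  },
}.freeze

MIGRATED = migrate_to_openid_connect(LEGACY_PROVIDER, gitlab_url: "https://gitlab.example.com")
pp MIGRATED if $PROGRAM_NAME == __FILE__
```

The openid_connect strategy compares the iss claim of every ID token with the issuer you configure, so a tenant-specific issuer both works with discovery and rejects tokens minted for other tenants; a migration that "fixes" a broken login by loosening uid_field or the issuer is a migration that has created new accounts or opened the door to a neighbouring tenant.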

Register and Configure Azure App

To register and configure an Azure app, sign in to the Azure portal and switch to the tenant your GitLab users belong to, noting its tenant ID: the tenant ID goes into the GitLab configuration and pins sign-in to that tenant. Then register an application and provide the information the portal asks for.

Save the client ID and client secret; the client secret is only displayed once. You can create a new application secret if required, and eventually you will have to, because a secret expires on the date you chose when creating it. Treat the secret as the credential it is: whoever holds it can complete the token exchange as your GitLab application.

To enable single sign-on (SSO) for an enterprise application, you need a user account in Azure Active Directory, which you can create for free if you don't already have one, and a role that can manage applications: Global Administrator, Cloud Application Administrator, or Application Administrator. Prefer one of the two application-scoped roles; registering an app does not need tenant-wide rights, and the account doing it is a target for exactly as long as it holds them.


Register an Application

To register an application, sign in to the Azure portal. This gives you access to Azure Active Directory, where you can register a new application.

You may have multiple Azure Active Directory tenants, so make sure to switch to the desired tenant. Note the tenant ID, as you'll need it later.

To register an application, follow these steps:

  1. Register an application and provide the information the form asks for: a display name, the supported account types (choose the single-tenant option unless you deliberately want users from other tenants to sign in), and the redirect URI. The redirect URI must match the GitLab callback exactly; for a provider named azure_activedirectory_v2 on an instance at https://gitlab.example.com it is https://gitlab.example.com/users/auth/azure_activedirectory_v2/callback, and Azure rejects the sign-in if the registered value differs by as little as a trailing slash.
  2. Save the client ID and client secret. The client secret is only displayed once.

You can create a new application secret if required. Remember that client ID and client secret are OAuth 2.0 terms; the Azure portal labels them Application (client) ID and client secret, and older Microsoft documentation calls them Application ID and Application Secret.

Setup Single Sign-On

To set up single sign-on (SSO) with Azure AD you need the registered Azure application from the previous section and its client ID and client secret. You also need a user account in Azure Active Directory (a free account is enough) with a role such as Global Administrator, Cloud Application Administrator, or Application Administrator.

GitLab can trust Azure AD in two different ways, and they are configured in different places:

  • Group SAML SSO, configured in a group's settings on GitLab.com. In the Azure Active Directory admin center you add GitLab as an enterprise application and configure it as a SAML identity provider, using the Assertion consumer service URL, Identifier, and GitLab single sign-on URL that the group's SAML SSO page shows you.
  • OmniAuth on a self-managed instance, where the app registration's client ID, client secret, and tenant ID go into the instance configuration and a Microsoft button appears on the instance's sign-in page.

The SAML steps that follow apply to the first; enabling Microsoft OAuth further down applies to the second.

To configure the SAML identity provider, follow these steps:

  1. Select Groups from the top bar and find your group.
  2. Select Settings > SAML SSO from the left sidebar.
  3. Use the Assertion consumer service URL, Identifier, and GitLab single sign-on URL shown there to configure your SAML identity provider.
  4. Set up the SAML response to contain a NameID that identifies each user individually. The NameID must stay the same for the life of the account, so use a persistent identifier such as the user's object ID rather than an email address or username; those can change, and a NameID that gets reassigned hands the GitLab account to whoever receives it next.
  5. Configure the user attributes that are required, making sure to include the user's email address.
  6. Most SAML providers default to service-provider-initiated sign-in (sign-in that starts from GitLab). Keep it that way: linking to existing GitLab accounts only works when the sign-in starts from GitLab, not from the identity provider's portal.
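As an added example (not code from the page or from GitLab), the Ruby below inspects a captured SAML response for the two things steps 4 and 5 ask of the identity provider: a persistent NameID that is not an email address, and an email attribute. GitLab itself validates the signature, audience and conditions; this helper only looks at content, so run it on a response captured from your own browser session while testing the integration. The two sample responses are constructed here, and the list of attribute names accepted for the email assertion is an assumption to check against the SAML docs for your GitLab version.

```ruby
# Added example, not GitLab code: content checks for a SAML response against
# the identity-provider checklist (stable NameID, email attribute present).
require "rexml/document"

SAML_NS    = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Attribute names accepted for the e-mail assertion (assumption; verify for your version).
EMAIL_ATTRS = %w[email mail http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress].freeze

# Returns the problems found; an empty array means the assertion satisfies the checklist.
def check_saml_assertion(xml)
  doc = REXML::Document.new(xml)
  problems = []

  name_id = REXML::XPath.first(doc, "//saml:Subject/saml:NameID", SAML_NS)
  if name_id.nil? || name_id.text.to_s.strip.empty?
    problems << "Subject has no NameID"
  else
    fmt = name_id.attributes["Format"]
    problems << "NameID Format is #{fmt.inspect}, expected #{PERSISTENT}" unless fmt == PERSISTENT
    # An e-mail as NameID changes when the mailbox changes and can be reassigned.
    problems << "NameID value looks like an e-mail address; use a stable identifier" if name_id.text.include?("@")
  end

  email = EMAIL_ATTRS.map { |n|
    REXML::XPath.first(doc, "//saml:Attribute[@Name='#{n}']/saml:AttributeValue", SAML_NS)
  }.compact.first
  problems << "no e-mail attribute (one of #{EMAIL_ATTRS.join(', ')})" if email.nil? || email.text.to_s.strip.empty?

  problems
end

# Builds a minimal, unsigned response for offline testing (constructed sample data).
def sample_response(name_id:, format:, email: nil)
  attribute_statement = email && <<~XML
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>#{email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  XML
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Assertion>
        <saml:Subject>
          <saml:NameID Format="#{format}">#{name_id}</saml:NameID>
        </saml:Subject>
        #{attribute_statement}
      </saml:Assertion>
    </samlp:Response>
  XML
end

# Object ID as NameID plus an e-mail attribute: what the checklist wants.
GOOD_RESPONSE = sample_response(name_id: "3f2a9c1e-7b44-4d10-9a8e-0c5d6e7f8a9b",
                                format: PERSISTENT, email: "alice@example.com")
# E-mail used as NameID and no e-mail attribute: two separate mistakes.
BAD_RESPONSE = sample_response(name_id: "alice@example.com",
                               format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")

if $PROGRAM_NAME == __FILE__
  puts "good: #{check_saml_assertion(GOOD_RESPONSE).inspect}"
  puts "bad:  #{check_saml_assertion(BAD_RESPONSE).inspect}"
end
```

A response that fails the NameID check will often still log users in, which is why it gets missed: the damage shows up later, when a user's email changes and they land in a fresh account, or when the old address is handed to a new hire.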

On a self-managed instance you instead enable Microsoft OAuth in GitLab. Configure the common OmniAuth settings so that azure_activedirectory_v2 is allowed as a single sign-on provider (azure_oauth2 only on versions before 17.0; on 17.0 and later use the OpenID Connect configuration described above), then add the provider entry with the client ID, client secret, and tenant ID. Use your tenant's ID rather than a multi-tenant value such as common: together with the single-tenant account type on the registration, the tenant ID is what keeps accounts from other Microsoft tenants off your instance.

You can optionally add a scope parameter to the args section to change the OAuth 2.0 scopes requested; the default is openid profile email, which is all that sign-in needs. After saving the configuration file, reconfigure or restart GitLab, then refresh the sign-in page: the Microsoft icon appears below the sign-in form.
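As an added example (not from the page or from GitLab), the Ruby below writes the OmniAuth settings for Microsoft sign-in as plain data, once in a permissive form and once hardened, and audits them with a small helper of this example's own. In /etc/gitlab/gitlab.rb the same values are assigned to the corresponding gitlab_rails['omniauth_...'] and gitlab_rails['omniauth_providers'] keys; the IDs are placeholders and the audit rules are the ones argued for in the text above (single tenant, non-empty secret, provider-specific account creation and linking, admin review of new accounts).

```ruby
# Added example, not GitLab code: an audit of OmniAuth settings for a
# self-managed instance using the azure_activedirectory_v2 provider.

TENANT_GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/
PROVIDER    = "azure_activedirectory_v2"

# Works, but is wider open than the integration needs (constructed sample).
WEAK_SETTINGS = {
  allow_single_sign_on: true,       # every enabled provider may create accounts
  block_auto_created_users: false,  # SSO-created accounts are usable at once
  auto_link_user: true,             # e-mail linking for every provider
  providers: [
    { name: PROVIDER, label: "Microsoft",
      args: { client_id: "00000000-0000-0000-0000-000000000001",
              client_secret: "",    # lost during copy/paste
              tenant_id: "common" } } # multi-tenant: any Microsoft tenant
  ]
}.freeze

# The same sign-in, restricted to one tenant and one provider.
HARDENED_SETTINGS = {
  allow_single_sign_on: [PROVIDER], # only this provider may create accounts
  block_auto_created_users: true,   # an admin approves each new account
  auto_link_user: [PROVIDER],       # linking by e-mail only for the tenant we control
  providers: [
    { name: PROVIDER, label: "Microsoft",
      args: { client_id: "00000000-0000-0000-0000-000000000001",
              client_secret: "<client secret from the app registration>",
              tenant_id: "11111111-2222-3333-4444-555555555555",
              scope: "openid profile email" } }
  ]
}.freeze

# Returns a list of findings; an empty list means nothing to change.
def audit_omniauth(settings)
  findings = []
  if settings[:allow_single_sign_on] == true
    findings << "allow_single_sign_on is true: any configured provider may create accounts; list provider names instead"
  end
  unless settings[:block_auto_created_users]
    findings << "block_auto_created_users is false: SSO-created accounts are active without review"
  end
  if settings[:auto_link_user] == true
    findings << "auto_link_user is true for all providers: any provider's e-mail claim can claim an existing account"
  end
  settings.fetch(:providers, []).each do |p|
    args = p.fetch(:args, {})
    findings << "#{p[:name]}: client_secret is empty" if args[:client_secret].to_s.strip.empty?
    unless args[:tenant_id].to_s.match?(TENANT_GUID)
      findings << "#{p[:name]}: tenant_id #{args[:tenant_id].inspect} is not a tenant GUID; other tenants' users may sign in"
    end
    scope_words = Array(args[:scope]).join(" ").split
    if args[:scope] && !scope_words.include?("openid")
      findings << "#{p[:name]}: scope is set but does not include openid"
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  puts "weak:     #{audit_omniauth(WEAK_SETTINGS).size} finding(s)"
  puts "hardened: #{audit_omniauth(HARDENED_SETTINGS).size} finding(s)"
end
```

The two settings most often left at their permissive values are auto_link_user and allow_single_sign_on set to true: with both, every provider you ever enable can create accounts and claim existing ones by email, so a weaker provider added later inherits the trust you meant to give only to your Azure tenant.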


Rosemary Boyer

Writer
