GitLab SSO with non-Keycloak
Feature Request
Why
I'm trying to configure BB GitLab to use an Okta SSO instance, but I'm finding the configuration of it is somewhat hardcoded to support Keycloak only. I was able to manually edit the deployed sso-secret, but I believe with a few simple changes, the SSO config could be made much more robust.
Proposed Solution
Here's an example of the final secret-sso JSON that we needed to get Okta + OIDC working.

```json
{
  "name": "openid_connect",
  "label": "My SSO",
  "args": {
    "name": "openid_connect",
    "scope": [
      "openid", "profile", "email"
    ],
    "response_type": "code",
    "issuer": "https://<my-okta>.okta.com",
    "client_auth_method": "query",
    "discovery": true,
    "uid_field": "preferred_username",
    "client_options": {
      "identifier": "<snip>",
      "secret": "<snip>",
      "redirect_uri": "https://<myhost>/users/auth/openid_connect/callback",
      "end_session_endpoint": "https://<myhost>/oauth2/v1/logout"
    }
  }
}
```
I believe changes could be made in the secret-sso.yaml to allow for direct configuration first, then default to existing config. Something like:
```yaml
gitlab-sso.json: |-
  {
    "name": "openid_connect",
    "label": "{{ .Values.addons.gitlab.sso.label }}",
    "args": {
      "name": "openid_connect",
      "scope": [
      {{- /* addon-level scopes win; otherwise keep the existing "Gitlab" Keycloak scope */}}
      {{- $scopes := .Values.addons.gitlab.sso.scopes | default (list "Gitlab") | uniq }}
      {{- range $index, $scope := $scopes }}
        {{ $scope | quote }}{{ if ne $scope (last $scopes) }},{{ end }}
      {{- end }}
      ],
      "response_type": "code",
      {{- /* nested template actions inside a string literal are not valid syntax, so the Keycloak defaults are built with printf */}}
      "issuer": {{ .Values.addons.gitlab.sso.issuer_uri | default (printf "https://%s/auth/realms/%s" .Values.sso.oidc.host .Values.sso.oidc.realm) | quote }},
      "client_auth_method": "query",
      "discovery": true,
      "uid_field": {{ .Values.addons.gitlab.sso.uid_field | default "preferred_username" | quote }},
      "client_options": {
        "identifier": {{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id | quote }},
        "secret": {{ .Values.addons.gitlab.sso.client_secret | default .Values.sso.client_secret | quote }},
        {{- /* $domainName is assumed to be defined earlier in secret-sso.yaml, as in the existing template */}}
        "redirect_uri": "https://{{ .Values.addons.gitlab.hostnames.gitlab }}.{{ $domainName }}/users/auth/openid_connect/callback",
        "end_session_endpoint": {{ .Values.addons.gitlab.sso.end_session_uri | default (printf "https://%s/auth/realms/%s/protocol/openid-connect/logout" .Values.sso.oidc.host .Values.sso.oidc.realm) | quote }}
      }
    }
  }
```
This way, the default configuration remains what you had before, but allows overwriting.
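Once the secret can be overridden per provider, the rendered JSON is worth checking before it is applied. The following is an added example (not from this issue or the Big Bang chart): a small Python check that compares a rendered gitlab-sso.json with the provider's OIDC discovery document; the sample secret, hostnames and discovery document are constructed stand-ins.

```python
import json
from urllib.parse import urlparse
# Constructed sample of a rendered gitlab-sso.json (same shape as the secret in the issue; hosts and credentials are placeholders).
RENDERED_SSO_JSON = """{
  "name": "openid_connect", "label": "My SSO",
  "args": {
    "name": "openid_connect", "scope": ["openid", "profile", "email"],
    "response_type": "code", "issuer": "https://example.okta.com",
    "client_auth_method": "query", "discovery": true, "uid_field": "preferred_username",
    "client_options": {
      "identifier": "client-id-placeholder", "secret": "client-secret-placeholder",
      "redirect_uri": "https://gitlab.example.com/users/auth/openid_connect/callback",
      "end_session_endpoint": "https://example.okta.com/oauth2/v1/logout"
    }
  }
}"""

# Constructed stand-in for what GET {issuer}/.well-known/openid-configuration returns.
DISCOVERY_DOC = {
    "issuer": "https://example.okta.com",
    "end_session_endpoint": "https://example.okta.com/oauth2/v1/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
CALLBACK_PATH = "/users/auth/openid_connect/callback"  # GitLab's OmniAuth callback path for this provider

def check_sso_config(rendered: str, discovery: dict) -> list:
    """Check a rendered secret against the provider's discovery document; returns a list of findings."""
    try:
        cfg = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    args, findings = cfg.get("args", {}), []
    opts, scopes = args.get("client_options", {}), args.get("scope", [])
    issuer, redirect = args.get("issuer", ""), urlparse(opts.get("redirect_uri", ""))
    if cfg.get("name") != "openid_connect" or args.get("name") != "openid_connect":
        findings.append("provider name must be openid_connect at both levels")
    if "openid" not in scopes:
        findings.append("scope must include 'openid'")
    if urlparse(issuer).scheme != "https":
        findings.append("issuer must use https")
    if args.get("discovery") is True and discovery.get("issuer") != issuer:  # catches issuer mix-ups
        findings.append("issuer does not match the discovery document's issuer")
    if args.get("response_type") not in discovery.get("response_types_supported", []):
        findings.append("response_type is not supported by the provider")
    if redirect.scheme != "https" or redirect.path != CALLBACK_PATH:
        findings.append(f"redirect_uri must be https and end in {CALLBACK_PATH}")
    if discovery.get("end_session_endpoint") and opts.get("end_session_endpoint") != discovery["end_session_endpoint"]:
        findings.append("end_session_endpoint differs from the provider's advertised endpoint")
    return findings
```

An empty list means every check passed; in practice the discovery document would be fetched from the issuer over HTTPS rather than embedded.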