authentik/website/integrations/services/gitlab/index.md

---
title: GitLab
---

<span class="badge badge--primary">Support level: authentik</span>

## What is GitLab

From https://about.gitlab.com/what-is-gitlab/

:::note
GitLab is a complete DevOps platform, delivered as a single application. This makes GitLab unique and makes Concurrent DevOps possible, unlocking your organization from the constraints of a pieced together toolchain. Join us for a live Q&A to learn how GitLab can give you unmatched visibility and higher levels of efficiency in a single application across the DevOps lifecycle.
:::

## Preparation

The following placeholders will be used:

-   `gitlab.company` is the FQDN of the GitLab Install
-   `authentik.company` is the FQDN of the authentik Install

Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:

-   ACS URL: `https://gitlab.company/users/auth/saml/callback`
-   Audience: `https://gitlab.company`
-   Issuer: `https://gitlab.company`
-   Binding: `Redirect`

Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.

## GitLab Configuration

Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
      # Shown when navigating to certificates in authentik
      idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
      idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/',
      issuer: 'https://gitlab.company',
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      attribute_statements: {
        email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
        first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
        nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
      }
    },
    label: 'authentik'
  }
]
```

Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
			`title: GitLab`
			`---`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
website/docs: support levels (#3103) * website/docs: add badges for integration level Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add badge for sources Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-15 19:31:34 +00:00			`<span class="badge badge--primary">Support level: authentik</span>`

docs: add harbor integration, cleanup 2019-12-13 14:36:09 +00:00			`## What is GitLab`

			`From https://about.gitlab.com/what-is-gitlab/`

Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`:::note`
			`GitLab is a complete DevOps platform, delivered as a single application. This makes GitLab unique and makes Concurrent DevOps possible, unlocking your organization from the constraints of a pieced together toolchain. Join us for a live Q&A to learn how GitLab can give you unmatched visibility and higher levels of efficiency in a single application across the DevOps lifecycle.`
			`:::`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
			`## Preparation`

			`The following placeholders will be used:`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			- `gitlab.company` is the FQDN of the GitLab Install
			- `authentik.company` is the FQDN of the authentik Install
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			- ACS URL: `https://gitlab.company/users/auth/saml/callback`
			- Audience: `https://gitlab.company`
			- Issuer: `https://gitlab.company`
			- Binding: `Redirect`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
			`## GitLab Configuration`

			Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00
			```ruby
			`gitlab_rails['omniauth_enabled'] = true`
			`gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']`
			`gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'`
			`gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']`
			`gitlab_rails['omniauth_sync_profile_attributes'] = ['email']`
			`gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'`
			`gitlab_rails['omniauth_block_auto_created_users'] = false`
			`gitlab_rails['omniauth_auto_link_saml_user'] = true`
			`gitlab_rails['omniauth_providers'] = [`
			`{`
			`name: 'saml',`
			`args: {`
			`assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',`
Managed objects (#519) * managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * : load .managed in apps managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * : use ObjectManager in tests to ensure objects exist ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * : make PropertyMapping SerializerModel web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting 2021-02-03 20:18:31 +00:00			`# Shown when navigating to certificates in authentik`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00			`idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',`
website/docs: fix gitab saml binding Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-07-03 17:02:47 +00:00			`idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/',`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00			`issuer: 'https://gitlab.company',`
			`name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',`
			`attribute_statements: {`
Managed objects (#519) * managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * : load .managed in apps managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * : use ObjectManager in tests to ensure objects exist ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * : make PropertyMapping SerializerModel web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting 2021-02-03 20:18:31 +00:00			`email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],`
			`first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],`
			`nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00			`}`
			`},`
wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`label: 'authentik'`
docs: add GitLab integration docs 2019-12-12 17:12:14 +00:00			`}`
			`]`
			```

			Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.