How to Setup GitLab SSO with Azure AD (Single Sign-On)

GitLab is a DevOps platform that enables enterprises to increase the overall return on software development by delivering software more quickly and efficiently while also improving security and compliance. With GitLab, every team in your organization can collaborate on planning, building, securing, and deploying software to accelerate business outcomes.

Users can sign in on GitLab.com using a SAML identity provider. The sign-in process automatically adds the user to the appropriate group if they are not already a member.

SCIM (System for Cross-domain Identity Management) facilitates user synchronization of SAML SSO groups. SCIM can automatically add and remove users from the GitLab group. If you delete a user from the SCIM app, SCIM also deletes the user from the GitLab group. SAML SSO is only configurable at the top-level group.

GitLab SSO can be set up using Microsoft Azure Active Directory (Azure AD). Azure AD is a cloud based identity and access management solution from Microsoft that allows your staff to sign in and gain access to internal as well as external resources.

This article will mainly demonstrate how to set up GitLab SSO with Azure AD. 

Benefits of SSO

Single Sign On (SSO) is a service used for session and user authentication, allowing a user to access numerous applications with just one set of login credentials.

 Advantages of SSO:

  • Less password fatigue through simple username and password management.
  • Improved identity protection.
  • Enhances user experience as repeated logins are no longer required.
  • Prevents Shadow IT, unauthorized downloads in the workplace.
  • SSO increases the chance that customers will adopt your IT technology through Web SSO, Mobile SSO and Federated SSO (through identity protocols like SAML, OpenID Connect, OAuth).
  • Mitigation of security risks: use SSO login credentials on any device, in any web browser, without risking security.
  • Fewer security risks for your customers, vendors, and partner entities.

Setup GitLab SSO with Azure AD

Follow these steps in Azure AD to configure GitLab as an SSO service for team creation, account creation, and user sign-in.

Configure Single Sign On to applications using Azure

To enable SSO for an enterprise application that you added to your Azure AD tenant, you use the Azure Active Directory Admin Center.

To set up SSO, you’ll need:

  • A user account in Azure Active Directory. You can create a free account if you don’t already have one.
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Enable SSO

To enable SSO for an application, follow these steps:

  • Sign in to the Azure Active Directory Admin Center with one of the roles from the prerequisites list.
  • Select Enterprise applications from the left menu. The All applications panel appears, displaying a list of your Azure AD tenant’s applications. Find and select the application you want to use, for instance the Azure Active Directory SAML Toolkit 1.
  • Select Single sign on from the Manage section of the left menu to edit the Single sign on panel.
  • To access the SSO setup page, select SAML. Once it has been configured, users can sign in to the application using their Azure AD tenant credentials.
  • Depending on the application, configuring it to use Azure AD for SAML based SSO takes a different approach. Use the link to get information about the procedures required to configure any of the corporate applications in the gallery.
  • Record the values for the Login URL, Azure AD Identifier and Logout URL properties in the Set up Azure AD SAML Toolkit 1 section to be used later.

To start configuring SSO in Azure AD, you add sign-in and reply URL values and download a certificate.

To set up SSO in Azure AD, follow these steps:

  • Select Edit in the Basic SAML Configuration section of the Set up single sign on panel in the Azure portal.
  • Enter https://samltoolkit.azurewebsites.net/SAML/Consume as the Reply URL (Assertion Consumer Service URL).
  • Enter https://samltoolkit.azurewebsites.net/ as the Sign on URL.
  • Select the Save option.
  • Select Download for Certificate (Raw) in the SAML Signing Certificate section to download the SAML signing certificate and save it for later use.

The next step is to configure single sign-on in the application itself. To do this, register the user account with the application and add the SAML configuration values that you previously recorded.

To create a user account with the app, follow these steps:

  • Open a new browser window and go to the application’s sign in URL. The address for the Azure AD SAML Toolkit app is https://samltoolkit.azurewebsites.net 
  • In the upper right corner of the page, click Register.
  • Enter the email address of the person who will be using the application in the Email field. 
  • Enter and confirm a password.
  • Choose the register option.

To configure the application’s SAML settings, follow these steps:

 

  • Select SAML Configuration in the upper-left corner of the screen after signing in with the credentials of the user account you created.
  • In the middle of the page, click Create.
  • Enter the data you recorded before for Login URL, Azure AD Identifier, and Logout URL.
  • To upload the certificate you already downloaded, select Choose file.
  • Select Create.

To be used later, copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL.

To update the single sign-on values in your tenant, use the values you recorded for SP Initiated Login URL and Assertion Consumer Service (ACS) URL.

To change the single sign-on values, do the following:

  • Select Edit in the Basic SAML Configuration section of the Set up single sign on panel in the Azure portal.
  • Enter the Assertion Consumer Service (ACS) URL value that you previously recorded under Reply URL (Assertion Consumer Service URL).
  • Enter the SP Initiated Login URL value that you previously recorded for Sign on URL.
  • Select the Save option.

You can test the single sign-on configuration from the Set up single sign on panel:

  • Select Test in the Test single sign on with Azure AD SAML Toolkit 1 section of the Set up single sign on panel.
  • Use the Azure AD credentials of the user account you assigned to the application to log in.

Configure your Identity Provider

  • Select Menu > Groups from the top bar and look for your group.
  • Select Settings > SAML SSO from the left sidebar.
  • Use the Assertion consumer service URL, Identifier and GitLab single sign on URL to configure your SAML identity provider. 
  • Set up the SAML response to contain a NameID that identifies each user individually.
  • Configure the user attributes that are required, making sure to include the user’s email address.
  • Most SAML providers enable service provider initiated calls by default, but make sure the app is set to use them, because they are needed to link existing GitLab accounts.
  • After you’ve configured the identity provider, you may continue on to configuring GitLab.
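
The requirements in the steps above can be checked against a decoded SAML response captured during a test sign-in. The following Python code is an added example, not code from this article's sources, GitLab or Microsoft; the sample response, the gitlab.example.com URLs and the `email` attribute name are constructed assumptions, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; every URL and value below is a placeholder.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://gitlab.example.com/groups/mygroup/-/saml/callback">
  <saml:Assertion>
    <saml:Subject><saml:NameID>a1b2c3d4-user-object-id</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://gitlab.example.com/groups/mygroup</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_response(xml_text, acs_url, identifier, email_attr="email"):
    """List configuration problems in a decoded SAML response (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    # The IdP must post the response to the Assertion consumer service URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    # A NameID must be present so each user is identified individually.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.strip():
        problems.append("NameID is missing or empty")
    # The audience must be the Identifier shown on the SAML SSO settings page.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if identifier not in audiences:
        problems.append("Audience does not match the Identifier")
    # The user's email address must be sent as an attribute (name is assumed).
    emails = [v.text or "" for v in root.iterfind(
        f".//saml:Attribute[@Name='{email_attr}']/saml:AttributeValue", NS)]
    if not any("@" in e for e in emails):
        problems.append(f"no '{email_attr}' attribute with an email address")
    return problems
```

An empty list means the response carries everything the steps above ask the identity provider to send; each string in a non-empty list names one setting to revisit in the Azure AD application.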

Configure GitLab

You must configure GitLab to utilize your identity provider for authentication after you’ve set up your identity provider to interact with GitLab:

 

  • Select Menu > Groups from the top bar and look for your group.
  • Select Settings > SAML SSO from the left sidebar.
  • Find your identity provider’s SSO URL and paste it into the Identity provider single sign-on URL field.
  • Locate the fingerprint of the SAML token signing certificate and enter it in the Certificate field.
  • In the Default membership role section, choose the access level that will be applied to newly added users. ‘Guest’ is the default access level.
  • Enable the SAML authentication for this group checkbox.

 

To save your changes, click the Save changes button.

The SAML standard means that you can use a wide range of identity providers with GitLab, one of them being Azure.

How to Setup GitLab SSO with Azure AD (Single Sign On) Conclusion

Congratulations! You have successfully configured GitLab SSO with Azure AD. In this article we discussed in great depth GitLab SSO and its benefits, followed by a demo for its setup using Microsoft Azure AD.

Emad Bin Abid

I'm a software engineer who has a bright vision and a strong interest in designing and engineering software solutions. I readily understand that in today's agile world the development process has to be rapid, reusable, and scalable; hence it is extremely important to develop solutions that are well-designed and embody a well-thought-of architecture as the baseline. Apart from designing and developing business solutions, I'm a content writer who loves to document technical learnings and experiences so that peers in the same industry can also benefit from them.
