2

I am setting up a GitLab EE instance and I'd like to enable the sign-up process only with a Google account. I followed the documentation here: https://docs.gitlab.com/ce/integration/google.html and here: https://docs.gitlab.com/ce/integration/omniauth.html.

Integration with Google works fine; when I tried tying an existing account to a Google one, it was flawless.

The problem is when I'm trying to Sign up using Google without an existing account, that's when an error is thrown:

Signing in using your Google account without a pre-existing GitLab account is not allowed.

My current `/etc/gitlab/gitlab.rb` config is as follows:

```ruby
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['google_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = 'google_oauth2'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['google_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name', 'location']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'google_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
   {
     "name" => "google_oauth2",
     "app_id" => "my-app-id",
     "app_secret" => "my-app-secret",
     "args" => { "access_type" => "offline", "approval_prompt" => "" }
   }
]
```

What am I doing wrong? Is GitLab even able to sign up using Google?

Jan Richter
  • You forgot some brackets ([ and ]) at `omniauth_sync_email_from_provider` and `omniauth_auto_sign_in_with_provider`. Those options are arrays and thus must be in brackets. Also I'm pretty sure they are no longer valid since the documentation you provided doesn't mention those options at all. `auto_link_ldap_user` must be enabled if you want to create accounts via OAuth. – Broco Mar 20 '18 at 11:12

2 Answers

3

After some tweaking with the configs, I managed to find a setup that works:

```ruby
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['google_oauth2']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'google_oauth2'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['google_oauth2']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'google_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
   {
     "name" => "google_oauth2",
     "app_id" => "<APP_ID>",
     "app_secret" => "<APP_SECRET>",
     "args" => { "access_type" => "offline", "approval_prompt" => "" }
   }
]
```

Jan Richter
  • Yes, I was searching some more after and this is the config that works. I now have issues with multiple Google domains. You should accept your answer. – titus Dec 07 '18 at 00:37
  • The above config fixed my issue as well (AzureAD instead of Google). However, for some reason, I was able to leave the line for `omniauth_auto_link_ldap_user` commented out. I'm not sure why that line would be required anyways, unless one was actually using LDAP. – Daniel Waltrip May 20 '19 at 18:48
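
Added example (not part of the answer and not GitLab code): a small Ruby check that reads the sign-up settings used in the answer above and reports what happens to a first-time sign-in per provider, following GitLab's documented meaning of `omniauth_allow_single_sign_on`, `omniauth_block_auto_created_users` and `omniauth_external_providers`. `GitlabRbStub`, `omniauth_signup_policy`, `ANSWER_CONFIG` and `HARDENED_CONFIG` are hypothetical names introduced here, and the hardened variant is constructed.

```ruby
# Added example, not GitLab code. gitlab.rb is plain Ruby, so it is evaluated
# against a stand-in object; only run this on configuration files you trust.
class GitlabRbStub
  attr_reader :gitlab_rails

  def initialize
    @gitlab_rails = {}
  end

  # Swallow other top-level entries such as external_url '...' or nginx[...].
  def method_missing(_name, *_args)
    {}
  end
end

# Returns, per configured provider, what happens to a first-time sign-in.
def omniauth_signup_policy(config_text)
  stub = GitlabRbStub.new
  stub.instance_eval(config_text)
  rails = stub.gitlab_rails
  sso = rails['omniauth_allow_single_sign_on']
  # block_auto_created_users is documented as defaulting to true when unset.
  blocked = rails.fetch('omniauth_block_auto_created_users', true)
  external = Array(rails['omniauth_external_providers'])

  Array(rails['omniauth_providers']).to_h do |provider|
    name = provider['name']
    auto_create = sso == true || Array(sso).include?(name)
    [name, {
      auto_create: auto_create,                     # account made on first sign-in
      needs_admin_approval: auto_create && blocked, # created, blocked until approved
      external: external.include?(name)             # no access to internal projects
    }]
  end
end

# Sign-up related lines of the working configuration from the answer above.
ANSWER_CONFIG = <<~'RUBY'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['google_oauth2']
  gitlab_rails['omniauth_block_auto_created_users'] = false
  # gitlab_rails['omniauth_external_providers'] = ['google_oauth2']
  gitlab_rails['omniauth_providers'] = [
    { "name" => "google_oauth2", "app_id" => "<APP_ID>", "app_secret" => "<APP_SECRET>" }
  ]
RUBY

# Constructed variant: same provider, but new accounts wait for an admin.
HARDENED_CONFIG = ANSWER_CONFIG.sub(
  "block_auto_created_users'] = false", "block_auto_created_users'] = true"
)
```

With the answer's settings, every account that Google lets through the OAuth app gets an active GitLab account on first sign-in; the constructed variant keeps auto-creation but holds each new account until an administrator approves it.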
0

I have a question about the config: will existing users be an issue? Does it sync nicely if the emails are the same in both local GitLab and Google Workspace?

Do I need to uncomment this line:

```ruby
gitlab_rails['omniauth_sync_email_from_provider'] = 'google_oauth2'
```

And I don't have this line; is that an issue:

```ruby
gitlab_rails['omniauth_sync_profile_from_provider'] = ['google_oauth2']
```

I'm asking because I don't want to mess up all the existing comments, users, etc.!

Best regards

M3lmoth
  • If you have a new question, please ask it by clicking the [Ask Question](https://serverfault.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/523765) – Dave M Jun 30 '22 at 11:52
  • @M3Imoth see here: https://docs.gitlab.com/ee/integration/omniauth.html#keep-omniauth-user-profiles-up-to-date I don't think `omniauth_sync_email_from_provider` is a real setting, but the profile sync will sync email, name, and location. If you don't want to sync all 3 of those, you can choose to sync less. – bobpaul Apr 02 '23 at 19:27