I’ve integrated my gitlab instance with Azure AD for SSO reasons, and it seems to be working fine.
However, it was my understanding that Azure would then be the only source of truth… so if a user has to register on gitlab first and then link his gitlab to Azure, wouldn’t that kill the entire point of implementing it?
Can you suggest the best practices surrounding this implementation? Here's what my omniauth configuration looks like in /etc/gitlab/gitlab.rb.
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# These two need the omniauth_ prefix; without it GitLab does not read them.
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email', 'location']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => {
      "client_id" => "my id",
      "client_secret" => "my secret",
      # "args" => { "access_type" => "offline", "approval_prompt" => "" }
      "tenant_id" => "my tenant id",
    },
    # "base_azure_url" => "https://login.microsoftonline.com"
  }
]
Thanks!
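The behaviour asked about above (users registering locally and then linking) is governed by a handful of `omniauth_*` switches, and the posted config leaves the important ones at their defaults. The script below is an added example, not GitLab's tooling and not code from the post: it evaluates a `gitlab.rb` in a sandbox and reports which "identity provider is the source of truth" settings are missing or misspelled. It assumes the Omnibus DSL shape (every top-level object such as `gitlab_rails` is used like a Hash), and the two embedded configs are constructed samples: the first reproduces the post's settings with its placeholders, the second is the hardened equivalent.

```ruby
# Added example (not GitLab's tooling, not from the post): audit the OmniAuth
# section of a gitlab.rb for the settings that let the IdP own accounts.
# Assumption: top-level gitlab.rb objects (gitlab_rails, nginx, ...) behave
# like Hashes, which is how the Omnibus configuration DSL is written.
class GitlabRbSandbox
  attr_reader :tables

  def initialize
    @tables = Hash.new { |h, k| h[k] = {} }
  end

  # `gitlab_rails['k'] = v` calls gitlab_rails with no args and gets a Hash;
  # `external_url 'https://...'` calls with one arg and stores a scalar.
  def method_missing(name, *args)
    return @tables[name] if args.empty?
    @tables[name] = args.first
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  def self.load(source)
    sandbox = new
    sandbox.instance_eval(source, 'gitlab.rb')
    sandbox.tables
  end
end

# The documented names carry the omniauth_ prefix; bare names are not read.
OMNIAUTH_KEYS = %w[
  allow_single_sign_on block_auto_created_users auto_link_user
  auto_sign_in_with_provider sync_profile_from_provider sync_profile_attributes
].freeze

def covers?(setting, provider)
  setting == true || Array(setting).include?(provider)
end

# Returns findings as strings; empty means PROVIDER can create, link and
# update accounts without a manual GitLab registration step.
def audit_omniauth(rails, provider)
  findings = []
  findings << 'omniauth_enabled is not true' unless rails['omniauth_enabled'] == true
  OMNIAUTH_KEYS.each do |key|
    findings << "#{key} is set without the omniauth_ prefix and is ignored" if rails.key?(key)
  end
  allowed = Array(rails['omniauth_allow_single_sign_on']).include?(provider)
  findings << "#{provider} not in omniauth_allow_single_sign_on: first-time SSO users get no account" unless allowed
  # Default true: auto-created accounts stay blocked until an admin unblocks them.
  # Only set it false once the Azure enterprise app requires user assignment,
  # so that Azure, not a GitLab admin, decides who gets in.
  blocked = rails.fetch('omniauth_block_auto_created_users', true)
  findings << 'omniauth_block_auto_created_users is true: Azure-provisioned users wait for admin approval' if allowed && blocked
  # Links an existing local account to the IdP identity by e-mail at login.
  unless covers?(rails['omniauth_auto_link_user'], provider)
    findings << "omniauth_auto_link_user does not cover #{provider}: existing users must link accounts by hand"
  end
  unless covers?(rails['omniauth_sync_profile_from_provider'], provider)
    findings << "omniauth_sync_profile_from_provider does not cover #{provider}: IdP profile changes never propagate"
  end
  if rails['omniauth_auto_sign_in_with_provider'] != provider
    findings << "omniauth_auto_sign_in_with_provider is not #{provider}: the local login form is still the front door"
  end
  findings
end

def audit_gitlab_rb(source, provider = 'azure_oauth2')
  audit_omniauth(GitlabRbSandbox.load(source)[:gitlab_rails], provider)
end

# Constructed sample: the settings from the post, placeholders included.
POSTED_CONFIG = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
  gitlab_rails['omniauth_auto_link_ldap_user'] = true
  gitlab_rails['sync_profile_from_provider'] = ['azure_oauth2']
  gitlab_rails['sync_profile_attributes'] = ['name', 'email', 'location']
  gitlab_rails['omniauth_providers'] = [{ "name" => "azure_oauth2", "args" => { "client_id" => "my id", "client_secret" => "my secret", "tenant_id" => "my tenant id" } }]
RB

# Constructed sample: same provider, with Azure AD as the source of truth.
HARDENED_CONFIG = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_auto_link_user'] = ['azure_oauth2']
  gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'
  gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
  gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
  gitlab_rails['omniauth_providers'] = [{ "name" => "azure_oauth2", "args" => { "client_id" => "my id", "client_secret" => "my secret", "tenant_id" => "my tenant id" } }]
RB

if __FILE__ == $PROGRAM_NAME
  findings = audit_gitlab_rb(ARGV[0] ? File.read(ARGV[0]) : POSTED_CONFIG)
  puts(findings.empty? ? 'no findings' : findings.map { |f| "- #{f}" })
end
```

Run it against the real file (`ruby audit_omniauth.rb /etc/gitlab/gitlab.rb`, script name hypothetical) before `gitlab-ctl reconfigure`. Two caveats on the hardened settings: `omniauth_auto_link_user` matches accounts by e-mail, so it trusts the e-mail claim the IdP asserts and is only appropriate when that IdP is authoritative for your users, as a single Azure AD tenant is; and `omniauth_block_auto_created_users = false` means every identity Azure lets sign in becomes an active account, so restrict the Azure enterprise application to assigned users first. Once SSO is confirmed working, password sign-in for the web interface can be switched off under Admin Area > Settings > General > Sign-in restrictions so the local registration path disappears altogether.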