If this blog helped you in any way (professionally), please donate a dollar here

Friday, March 21, 2014

Setup gitlab with OpenAM (OpenID Connect)

OpenAM, formerly OpenSSO, is an amazing piece of offering for providing Identity Management capabilities in an organisation. So this is what I wanted to do, integrate OpenAM with Gitlab.

Like in my previous post on integrating with an OpenID provider (which is different from OpenID Connect) we follow similar steps. We are going to use OpenAM as an Openid Connect provider.

OpenID Connect protocol, finalized on 26th February, 2014 is a not a very new protocol and has existed for a long time.[1] It is OpenID protocol encapsulated in OAuth2 protocol.

Gitlab configuration:



1. Add this line to Gemfile
gem 'omniauth-openid-connect', :git => 'git://github.com/jjbohn/omniauth-openid-connect.git'
1. Add these lines to gitlab/config/initializers/devise.rb
  config.omniauth :openid_connect, {
    name: :openid_connect,
    scope: [:openid, :email, :profile],
    response_type: :code,
    client_options: {
      port: 8080,
      scheme: "http",
      host: "host.example.com",
      identifier: "client_id",
      secret: "client_secret",
      redirect_uri: "http://gitlab.example.com/users/auth/openid_connect/callback",
      authorization_endpoint: "/openam/oauth2/authorize",
      token_endpoint: "/openam/oauth2/access_token",
      userinfo_endpoint: "/openam/oauth2/userinfo"
    }, 
  }

if Gitlab.config.ldap.enabled
...

2. Add these lines to app/controllers/omniauth_callbacks_controller.rb
  def openid_connect
    handle_omniauth
  end


  private
  ...
3. In the config file (config/gitlab.yml) ensure this:
  omniauth:
     enabled: true

That's it! Now for the configuration of OpenAM as a OpenID Connect Provider.

OpenAM version 11.0 is the one you should be using. This is how it should look after you have logged in as "amadmin"


Firstly, click on "Configure OAuth2" and setup accordingly. [2]

Then goto:
  1. Access Control -> (Your realm) -> Agents -> OAuth 2.0 Client -> New
  2. Add the "client_id" and "client_secret" here.
  3. In the next page, add the redirect url (http://gitlab.example.com/users/auth/openid_connect/callback)
  4. Add scopes: openid, profile and email, and any others you added to gitlab as well.
  5. Click Save
All set, take them out for a test-drive now! You should be able to login to Gitlab when you click on the Openid Connect button.

Notes:

OpenID Connect implementation in OpenAM 11.0.0 is broken over SSL. Check out these pages:

References:
[1]  OpenID Connect website 
[2]  OpenAm Documentation
[3]  Omniauth Openid connect gem

Read also:
[1]  OpenID Connect specification: http://openid.net/specs/openid-connect-core-1_0-17.html
[2] OpenID Spec: http://www.lifewiki.net/openid/OpenIDSpecification
[3] OpenAM Administration guide: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/



No comments:

Post a Comment