diff --git a/docs/docs/identity-providers/gitlab.md b/docs/docs/identity-providers/gitlab.md index 283a84610..4216da1c1 100644 --- a/docs/docs/identity-providers/gitlab.md +++ b/docs/docs/identity-providers/gitlab.md @@ -19,21 +19,19 @@ This document describes the use of GitLab as an identity provider with Pomerium. ![create an application](./img/gitlab/gitlab-create-applications.png) -3. Add a new application by setting the following parameters: +1. Add a new application by setting the following parameters: Field | Description ------------- | -------------------------------------------- +------------ | --------------------------------------------------------------------------------- Name | The name of your web app Redirect URI | `https://${authenticate_service_url}/oauth2/callback` -Scopes | **Must** select the same as **[identity scopes]** option - -If no scopes are set, you **must** select **openid**, **api**, **profile** and **email**. +Scopes | `openid` required; `read_api`, `profile`, `email` as necessary for your policies. Your `Client ID` and `Client Secret` will be displayed like below: ![Gitlab OAuth Client ID and Secret](./img/gitlab/gitlab-credentials.png) -4. Set `Client ID` and `Client Secret` in Pomerium's settings. +1. Set `Client ID` and `Client Secret` in Pomerium's settings. ## Service Account @@ -41,7 +39,6 @@ To use `allowed_groups` in a policy an `idp_service_account` needs to be set in ![Gitlab Personal Access Token](./img/gitlab/gitlab-personal-access-token.png) - The format of the `idp_service_account` for Gitlab is a base64-encoded JSON document: ```json 
@@ -52,20 +49,35 @@ The format of the `idp_service_account` for Gitlab is a base64-encoded JSON docu ## Pomerium Configuration -Your configuration should look like the following example: - -```bash -authenticate_service_url: https://authenticate.localhost.pomerium.io -idp_provider: "gitlab" -idp_client_id: "REDACTED" // gitlab application ID -idp_client_secret: "REDACTED" // gitlab application secret -idp_service_account: "REDACTED" // gitlab service account -``` - When a user first uses pomerium to login, they will be presented with an authorization screen similar to the following depending on the scope parameters setup: ![gitlab access authorization screen](./img/gitlab/gitlab-verify-access.png) Please be aware that [Group ID](https://docs.gitlab.com/ee/api/groups.html#details-of-a-group) will be used to affirm group(s) a user belongs to. +### GitLab.com + +Your configuration should look like the following example: + +``` +authenticate_service_url: https://authenticate.localhost.pomerium.io +idp_provider: "gitlab" +idp_client_id: "REDACTED" // gitlab application ID +idp_client_secret: "REDACTED" // gitlab application secret +idp_service_account: "REDACTED" // gitlab service account, base64 json +``` + +### Self-Hosted GitLab + +Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider: + +``` +idp_provider: oidc +idp_client_id: "REACTED" +idp_client_secret: "REDACTED" +idp_scopes: openid,email // Intersects with scopes +idp_provider_url: https://gitlab.example.com // Base URL of GitLab instance +idp_service_account: "REDACTED" // gitlab service account, base64 json +``` + [identity scopes]: ../../reference/readme.md#identity-provider-scopes
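Review bot: in the first hunk the Scopes row drops the `**[identity scopes]**` cross-reference, but the reference definition `[identity scopes]: ../../reference/readme.md#identity-provider-scopes` at the bottom of the file is kept; either keep the link in the Scopes row (readers still need to know which claims each scope feeds) or remove the now-unused definition. Narrowing the recommended scope from `api` to `read_api` is the right least-privilege direction; the phrase "as necessary for your policies" is vague, so state which optional scope each policy feature needs so readers do not grant more than required.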
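Review bot: `idp_client_id: "REACTED"` in the Self-Hosted GitLab block is a typo for `"REDACTED"`. More importantly, both new config blocks use `//` trailing comments inside what is YAML configuration and the fence lost the language tag the removed block had; a reader who pastes `idp_scopes: openid,email // Intersects with scopes` or `idp_provider_url: https://gitlab.example.com // Base URL of GitLab instance` verbatim gets the comment parsed into the value, which silently breaks scopes and the provider URL. Suggest tagging both fences as yaml and using `#` comments, and spelling out what `Intersects with scopes` means (the requested scopes are intersected with those granted to the GitLab application) and whether `idp_provider_url` should carry a trailing slash or path.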