Skip to main content
Version: 3.0 (beta)

GitLab

  1. Create A GitLab App

    In GitLab, navigate to User Settings > Applications and create a new application with the following settings:

    Remember the $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET that GitLab generates for your OAuth application because you will need it in the next step.

  2. Create Loft Config For GitLab

    To tell Loft to use gitlab for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

    auth:
    # Tell loft to use gitlab authentication
    gitlab:
    #
    #
    # REQUIRED CONFIGURATION
    #
    #
    # ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
    redirectURI: https://loft.my.domain/auth/gitlab/callback
    #
    #
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) BaseURL of the gitlab instance,
    # default = https://gitlab.com
    baseURL: https://my-gitlab-instance.com
    # (Optional) Optional groups whitelist, communicated through the "groups" scope.
    # If groups is omitted, all of the user's GitLab groups are returned.
    # If groups is provided, this acts as a whitelist - only the user's GitLab
    # groups that are in the configured groups below will go into the groups claim.
    # Conversely, if the user is not in any of the configured groups, the user will
    # not be authenticated.
    groups:
    - my-group
  3. Authenticate via GitLab

    After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitLab.

  4. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
    oidc: ... # This is your SSO configuration (make sure this is working!)
    password:
    disabled: true # Disable password-based authentication