
Configuring GitLab with Keycloak [SAML] Identity Provider

Summary

I have used the Docker image of GitLab Community Edition below, referring to the following document: https://docs.gitlab.com/omnibus/docker/

I tried providing it with an identity provider (Keycloak with SAML). The following document was referred to: https://docs.gitlab.com/ce/integration/saml.html

After reconfiguring, I created a user on Keycloak, but it says: "User has been blocked. Kindly contact gitlab administrator."

Below are my settings in the gitlab.rb file:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = ''
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "GitLab SAML Keycloak",
    "groups_attribute" => "roles",
    "external_groups" => ["13.233.13.67:external"],
    "args" => {
      "assertion_consumer_service_url" => 'https://xx.xx.xx.xx/users/auth/saml/callback',
      "idp_cert" => "-----BEGIN CERTIFICATE-----\n<CERT>\n-----END CERTIFICATE-----\n",
      "idp_sso_target_url" => 'https://xx.xx.xx.xx:8443/auth/realms/<realm>/protocol/saml/clients/<ClientID>',
      "issuer" => '<ClientId>',
      "name_identifier_format" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      "attribute_statements" => {
        "first_name" => ['first_name'],
        "last_name" => ['last_name'],
        "name" => ['name'],
        "username" => ['name'],
        "email" => ['email']
      }
    }
  }
]

A link said: set the flag gitlab_rails['omniauth_block_auto_created_users'] to false. It already says the same.

Steps to reproduce

Follow the steps defined in the document: https://docs.gitlab.com/omnibus/docker/ This will configure GitLab.

Then follow the document below with the given gitlab.rb settings: https://docs.gitlab.com/ce/integration/saml.html

Example Project

Version: GitLab 10.8.7-ce.0

What is the current bug behavior?

It says the user is blocked. Contact GitLab administrator.

What is the expected correct behavior?

The user should be able to sign in using Keycloak SAML.
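An added example (not the reporter's or GitLab's code) that evaluates a trimmed copy of the gitlab.rb settings above against a stub `gitlab_rails` hash and reports the settings that would keep a Keycloak SAML user from signing in: a provider missing from omniauth_allow_single_sign_on, omniauth_block_auto_created_users left true, non-https URLs, and unfilled <placeholder> values. The embedded fragment is constructed, with the unclosed <ClientID placeholder kept on purpose to exercise that check.

```ruby
# Added example, not GitLab's code: lint the gitlab.rb SAML settings above by
# evaluating the fragment with `gitlab_rails` bound to a plain Hash and reporting
# settings that keep a Keycloak user from signing in. The fragment is a trimmed,
# constructed copy of the report's settings; <ClientID is left unclosed on purpose.
GITLAB_RB = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
  gitlab_rails['omniauth_providers'] = [{
    "name" => "saml",
    "args" => {
      "assertion_consumer_service_url" => 'https://xx.xx.xx.xx/users/auth/saml/callback',
      "idp_cert" => "-----BEGIN CERTIFICATE-----\n<CERT>\n-----END CERTIFICATE-----\n",
      "idp_sso_target_url" => 'https://xx.xx.xx.xx:8443/auth/realms/<realm>/protocol/saml/clients/<ClientID',
      "issuer" => '<ClientId>'
    }
  }]
RB
def load_gitlab_rb(src)
  gitlab_rails = {}
  eval(src, binding) # the fragment assigns into the local Hash above
  gitlab_rails
end

def lint_saml(cfg)
  findings = []
  findings << 'omniauth_enabled must be true' unless cfg['omniauth_enabled'] == true
  sso = Array(cfg['omniauth_allow_single_sign_on'])
  Array(cfg['omniauth_providers']).each do |prov|
    name = prov['name'].to_s
    args = prov['args'] || {}
    # A provider missing from allow_single_sign_on cannot create new accounts.
    findings << "#{name}: not in omniauth_allow_single_sign_on" unless sso.include?(name)
    # With this flag true, auto-created accounts start blocked until an admin unblocks them.
    findings << "#{name}: omniauth_block_auto_created_users is true" if cfg['omniauth_block_auto_created_users'] == true
    %w[assertion_consumer_service_url idp_cert idp_sso_target_url issuer].each do |k|
      findings << "#{name}: #{k} is missing" if args[k].to_s.strip.empty?
    end
    args.each do |key, val|
      next unless val.is_a?(String)
      findings << "#{name}: #{key} is not https" if key.end_with?('url') && !val.start_with?('https://')
      # Unfilled <placeholder> tokens, closed or not, are never valid values.
      val.scan(/<\w+>?/).each do |ph|
        findings << "#{name}: #{key} still has placeholder #{ph}#{' (unclosed)' unless ph.end_with?('>')}"
      end
    end
  end
  findings
end
```

Run `lint_saml(load_gitlab_rb(File.read('/etc/gitlab/gitlab.rb')))` against a real file once the placeholders are filled; an empty result means none of these checks fired.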

Edited by Hannah Sutor