Setting up GitHub single sign-on via OmniAuth on GitLab (Omnibus package)


#1

I found the official installation instructions (initial, GitHub-specific) slightly over-complicated, outdated, and missing a few details, so here is a condensed cheat sheet:

On GitHub:

  1. Go to https://github.com/settings/applications/new
  2. For Application Name and Application Description, enter a name and description of your choosing
  3. For Homepage URL and Authorization Callback URL, enter the URL of your GitLab instance (e.g., for us, it’s https://source.ind.ie – for you, it might be, e.g., https://gitlab.yourdomain.org)
  4. Press the Register Application button.

That’s it. Keep the resulting page open as you will need the Client ID and Client Secret from it when configuring Gitlab, next.

On your GitLab instance (commandline):

  1. sudo nano /etc/gitlab/gitlab.rb to edit the configuration file.

  2. Enter the following:

# Onmniauth configuration
gitlab_rails['omniauth_enabled'] = true

# Github integration (omniauth)
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "github",
    "app_id" => "<Client ID from GitHub>",
    "app_secret" => "<Client Secret from GitHub>",
    "url" => "https://github.com/",
    "args" => { "scope" => "user:email" }
  }
]

# CAUTION!
# This allows users to login without having a user account first. Define the allowed providers
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
# User accounts will be created automatically when authentication was successful.
gitlab_rails['omniauth_allow_single_sign_on'] = ['github']
gitlab_rails['omniauth_block_auto_created_users'] = false

You can set omniauth_block_auto_created_users to true if you want to manually approve new account creations.

  1. Reconfigure GitLab: sudo gitlab-ctl reconfigure
  2. Restart GitLab: sudo gitlab-ctl restart

To check that it’s all working, look for a ‘Sign in with ’ button when signed out or look in your /admin page to make sure the green light is on next to OmniAuth.

That’s it.