0x00
Edit the gitlab.rb file

Find the OmniAuth Settings block and adjust the options below as needed:

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = true
gitlab_rails['omniauth_sync_profile_from_provider'] = true
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = true
# false: accounts created through SSO are active immediately, without admin approval
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = true
# gitlab_rails['omniauth_external_providers'] = []
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']

In the gitlab_rails['omniauth_providers'] setting, add the following:

gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => '<label>',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile'],
      'response_type' => 'code',
      # Realm URL
      'issuer' => 'https://<keycloak-url>/auth/realms/fuzzypaws',
      # GitLab fetches all the endpoints from
      # https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration
      'discovery' => true,
      'client_auth_method' => 'basic',
      # Client configuration
      'client_options' => {
        'identifier' => '<Client-ID>',
        'secret' => '<Client-Secret>',
        'redirect_uri' => 'https://<gitlab-url>/users/auth/openid_connect/callback'
      }
    }
  }
]

Note: if you change 'name' inside the gitlab_rails['omniauth_providers'] block, make the same change in gitlab_rails['omniauth_allow_single_sign_on']. Its value is a list, for example ['keycloak','github','twitter'].
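A pre-flight check for the settings above, as an added example (not part of the original page and not GitLab's own code): it compares the provider 'args' and the omniauth_allow_single_sign_on list with the IdP's discovery document. The function name, the example.com hosts and the sample discovery document are constructed for illustration.

```ruby
# Compare the provider 'args' from gitlab.rb with the IdP discovery document.
# Returns a list of problems; an empty list means the settings agree.
def check_oidc_provider(args, allow_sso, discovery)
  problems = []
  name, issuer = args['name'], args['issuer'].to_s
  # The provider name must also be listed in omniauth_allow_single_sign_on.
  problems << "#{name} missing from omniauth_allow_single_sign_on" unless allow_sso.include?(name)
  # The issuer must be HTTPS and equal the discovered "issuer" exactly.
  problems << 'issuer is not https' unless issuer.start_with?('https://')
  problems << "issuer mismatch: #{discovery['issuer']}" unless discovery['issuer'] == issuer
  # Endpoints GitLab learns through discovery should all be HTTPS.
  %w[authorization_endpoint token_endpoint jwks_uri].each do |key|
    problems << "#{key} missing or not https" unless discovery[key].to_s.start_with?('https://')
  end
  # 'response_type' and 'client_auth_method' => 'basic' must be offered by the IdP.
  unless Array(discovery['response_types_supported']).include?(args['response_type'])
    problems << "response_type #{args['response_type']} not supported"
  end
  auth_methods = Array(discovery['token_endpoint_auth_methods_supported'])
  if args['client_auth_method'] == 'basic' && !auth_methods.include?('client_secret_basic')
    problems << 'client_secret_basic not supported'
  end
  missing = Array(args['scope']) - Array(discovery['scopes_supported'])
  problems << "scopes not supported: #{missing.join(', ')}" unless missing.empty?
  # The callback must be HTTPS and end in /users/auth/<name>/callback.
  redirect = args.dig('client_options', 'redirect_uri').to_s
  unless redirect.start_with?('https://') && redirect.end_with?("/users/auth/#{name}/callback")
    problems << 'redirect_uri not https or does not match provider name'
  end
  problems
end

# Constructed sample values (hypothetical hosts, not from the page).
SAMPLE_ARGS = {
  'name' => 'openid_connect', 'scope' => %w[openid profile], 'response_type' => 'code',
  'issuer' => 'https://keycloak.example.com/auth/realms/fuzzypaws',
  'client_auth_method' => 'basic',
  'client_options' => { 'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback' }
}.freeze
ISSUER = SAMPLE_ARGS['issuer']
SAMPLE_DISCOVERY = {
  'issuer' => ISSUER,
  'authorization_endpoint' => "#{ISSUER}/protocol/openid-connect/auth",
  'token_endpoint' => "#{ISSUER}/protocol/openid-connect/token",
  'jwks_uri' => "#{ISSUER}/protocol/openid-connect/certs",
  'response_types_supported' => %w[code id_token], 'scopes_supported' => %w[openid profile email],
  'token_endpoint_auth_methods_supported' => %w[client_secret_basic]
}.freeze
puts check_oidc_provider(SAMPLE_ARGS, ['openid_connect'], SAMPLE_DISCOVERY).inspect
```

For a real check, pass the parsed JSON from the realm's .well-known/openid-configuration URL as the discovery argument.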

0x02

Save the file, then restart GitLab or reconfigure it with the command below:

gitlab-ctl reconfigure

The new sign-in option then appears on the GitLab login page.