
AAI

OpenID Connect configuration

The HZDR GitLab integrates with the Helmholtz AAI using OpenID Connect. To do so, the variable gitlab_rails['omniauth_providers'] is configured in /etc/gitlab/gitlab.rb.

```ruby
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'Helmholtz AAI',
    'icon' => 'helmholtz.png',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid','profile', 'email', 'eduperson_principal_name'],
      'response_type' => 'code',
      'issuer' => 'https://login.helmholtz.de/oauth2',
      'discovery' => true,
      'client_auth_method' => 'basic',
      'uid_field' => 'eduperson_principal_name',
      'send_scope_to_token_endpoint' => 'true',
      'client_options' => {
        'identifier' => 'CHANGEME',
        'secret' => 'CHANGEME',
        'redirect_uri' => 'https://{ GITLAB_DOMAIN }/users/auth/openid_connect/callback'
      }
    }
  },
]
```
At the same time, Omniauth is enabled to allow single sign-on via the configured provider.
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
```
Depending on your requirements, you might want users who sign in via the Helmholtz AAI to become external users by default. This option is configured in /etc/gitlab/gitlab.rb as well.
```ruby
gitlab_rails['omniauth_external_providers'] = ['openid_connect']
```
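The settings above are easy to get subtly wrong: placeholder credentials left in place, a redirect_uri that is not the https callback, or a provider list that names a provider which does not exist. The following linter is an added example written for this page (it is neither HZDR's nor GitLab's own code); it evaluates a constructed gitlab.rb fragment and reports such problems. The sample configuration, the hostname gitlab.example.org and the deliberately wrong values in it are constructed for illustration.

```ruby
# Added example (not HZDR's or GitLab's own code): a small linter for the
# omniauth settings in /etc/gitlab/gitlab.rb. It evaluates a constructed copy
# of the configuration and reports values that would leave the OpenID Connect
# login misconfigured or insecure.
require 'uri'

# Callback path used by GitLab's OmniAuth OpenID Connect strategy.
CALLBACK_PATH = '/users/auth/openid_connect/callback'.freeze

# Constructed sample resembling the page's configuration, with the client
# credentials still unfilled, a plain-http redirect_uri and a typo in the
# single-sign-on provider list, so that the linter has findings to report.
SAMPLE_GITLAB_RB = <<~'RUBY'
  gitlab_rails['omniauth_providers'] = [
    {
      'name' => 'openid_connect',
      'label' => 'Helmholtz AAI',
      'args' => {
        'name' => 'openid_connect',
        'scope' => ['openid', 'profile', 'email', 'eduperson_principal_name'],
        'response_type' => 'code',
        'issuer' => 'https://login.helmholtz.de/oauth2',
        'discovery' => true,
        'client_auth_method' => 'basic',
        'uid_field' => 'eduperson_principal_name',
        'send_scope_to_token_endpoint' => 'true',
        'client_options' => {
          'identifier' => 'CHANGEME',
          'secret' => 'CHANGEME',
          'redirect_uri' => 'http://gitlab.example.org/users/auth/openid_connect/callback'
        }
      }
    },
  ]
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_allow_single_sign_on'] = ['openid-connect']
RUBY

# Evaluate gitlab.rb-style text into a Hash. gitlab.rb is trusted Ruby that
# omnibus itself evaluates, so eval is acceptable here; never use it on input
# from an untrusted source.
def load_gitlab_rb(text)
  gitlab_rails = {}
  eval(text, binding) # assignments in the text populate the local hash
  gitlab_rails
end

# Check one entry of omniauth_providers; returns an array of finding strings.
def lint_provider(provider)
  findings = []
  name = provider['name'] || '<unnamed>'
  args = provider['args'] || {}
  opts = args['client_options'] || {}

  # Client credentials must be filled in before the provider goes live.
  %w[identifier secret].each do |key|
    value = opts[key].to_s
    findings << "#{name}: client_options.#{key} is empty or still CHANGEME" if value.empty? || value == 'CHANGEME'
  end

  # Discovery fetches endpoints and signing keys from the issuer, so it must be https.
  issuer = URI.parse(args['issuer'].to_s) rescue nil
  findings << "#{name}: issuer must be an https URL" unless issuer && issuer.scheme == 'https'

  # Only the authorization code flow is appropriate for a server-side client.
  findings << "#{name}: response_type should be 'code'" unless args['response_type'] == 'code'

  # The redirect_uri must be the real https GitLab callback, not a template.
  redirect = opts['redirect_uri'].to_s
  if redirect.include?('{')
    findings << "#{name}: redirect_uri still contains a template placeholder"
  else
    uri = URI.parse(redirect) rescue nil
    if uri.nil? || uri.scheme != 'https'
      findings << "#{name}: redirect_uri must use https"
    elsif uri.path != CALLBACK_PATH
      findings << "#{name}: redirect_uri path should be #{CALLBACK_PATH}"
    end
  end

  # Heuristic: a non-standard uid claim is usually released only if its scope is requested.
  uid = args['uid_field']
  if uid && uid != 'sub' && !Array(args['scope']).include?(uid)
    findings << "#{name}: uid_field '#{uid}' is not requested via scope (heuristic)"
  end
  findings
end

# Check the whole gitlab_rails hash; returns all findings (empty means clean).
def lint_omniauth(gitlab_rails)
  findings = []
  providers = Array(gitlab_rails['omniauth_providers'])
  names = providers.map { |p| p['name'] }

  if !providers.empty? && gitlab_rails['omniauth_enabled'] != true
    findings << 'omniauth_enabled is not true; the configured providers are inert'
  end

  # Provider lists must name providers that are actually configured.
  %w[omniauth_allow_single_sign_on omniauth_external_providers].each do |key|
    value = gitlab_rails[key]
    next if value.nil? || value == true
    Array(value).each do |n|
      findings << "#{key} references '#{n}', which is not a configured provider" unless names.include?(n)
    end
  end

  providers.each { |p| findings.concat(lint_provider(p)) }
  findings
end

# Run directly to lint the constructed sample.
lint_omniauth(load_gitlab_rb(SAMPLE_GITLAB_RB)).each { |f| puts f } if $PROGRAM_NAME == __FILE__
```

Run against the sample, the linter reports the two CHANGEME credentials, the http redirect_uri and the misspelled provider name in omniauth_allow_single_sign_on; a configuration with the placeholders filled in, an https redirect_uri and matching provider names produces no findings. Because it evaluates the file as Ruby, point it only at your own /etc/gitlab/gitlab.rb, and keep the output out of logs if the secret is ever echoed.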
Further information is available in the GitLab documentation.