OpenAM, formerly OpenSSO, is an excellent offering for providing identity management capabilities in an organisation. This is what I wanted to do: integrate OpenAM with GitLab.
As in my previous post on integrating with an OpenID provider (which is different from OpenID Connect), we follow similar steps, this time using OpenAM as an OpenID Connect provider.
The OpenID Connect protocol, finalized on 26th February, 2014, is not a very new protocol and has existed for a long time.[1] It is the OpenID protocol encapsulated in the OAuth2 protocol.
GitLab configuration:

1. Add this line to Gemfile

    gem 'omniauth-openid-connect', :git => 'git://github.com/jjbohn/omniauth-openid-connect.git'

2. Add these lines to gitlab/config/initializers/devise.rb

    config.omniauth :openid_connect, {
      name: :openid_connect,
      scope: [:openid, :email, :profile],
      response_type: :code,            # authorization code flow
      client_options: {
        port: 8080,
        scheme: "http",
        host: "host.example.com",      # the OpenAM host
        identifier: "client_id",       # must match the OAuth 2.0 client registered in OpenAM
        secret: "client_secret",       # must match the client secret registered in OpenAM
        redirect_uri: "http://gitlab.example.com/users/auth/openid_connect/callback",
        authorization_endpoint: "/openam/oauth2/authorize",
        token_endpoint: "/openam/oauth2/access_token",
        userinfo_endpoint: "/openam/oauth2/userinfo"
      },
    }
    if Gitlab.config.ldap.enabled
    ...

3. Add these lines to app/controllers/omniauth_callbacks_controller.rb

    def openid_connect
      handle_omniauth
    end
    private
    ...

4. In the config file (config/gitlab.yml) ensure this:

    omniauth:
      enabled: true
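To make clear what the devise.rb settings above actually drive, here is an added, self-contained sketch of the authorization code flow the gem performs for you; it is not code from the post or from omniauth-openid-connect. It builds the authorization request from the same client settings, checks the state parameter on the callback, and validates the ID token returned by the token endpoint (issuer, audience, expiry, nonce and signature). The issuer URL, the HS256 signing with the client secret, and all token values are constructed assumptions for the example; OpenAM may instead sign ID tokens asymmetrically (RS256), in which case the signature is verified against the provider's published keys rather than the client secret.

```ruby
require 'uri'
require 'json'
require 'base64'
require 'openssl'
require 'securerandom'

# Client settings mirroring the devise.rb block above (constructed values).
CLIENT = {
  issuer: 'http://host.example.com:8080/openam/oauth2',        # assumed issuer string
  authorization_endpoint: 'http://host.example.com:8080/openam/oauth2/authorize',
  identifier: 'client_id',
  secret: 'client_secret',
  redirect_uri: 'http://gitlab.example.com/users/auth/openid_connect/callback',
  scope: %w[openid email profile]
}.freeze

# Step 1: build the authorization request. state binds the callback to this
# browser session (CSRF protection); nonce binds the ID token to this request.
def build_authorization_request(client, state: SecureRandom.hex(16), nonce: SecureRandom.hex(16))
  params = {
    'response_type' => 'code',
    'client_id' => client[:identifier],
    'redirect_uri' => client[:redirect_uri],
    'scope' => client[:scope].join(' '),
    'state' => state,
    'nonce' => nonce
  }
  uri = URI(client[:authorization_endpoint])
  uri.query = URI.encode_www_form(params)
  { url: uri.to_s, state: state, nonce: nonce }
end

# Constant-time string comparison so state/nonce/signature checks do not leak
# how many leading bytes matched.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: on the callback, reject any response whose state does not match the
# one stored in the session when the request was built.
def callback_state_ok?(expected_state, callback_params)
  secure_equal?(expected_state, callback_params['state'])
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constructed helper standing in for the provider: mints an HS256-signed ID token.
def make_hs256_id_token(claims, secret)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = b64url(JSON.generate(claims))
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(mac)}"
end

# Step 3: validate the ID token from the token endpoint. Returns [true, claims]
# or [false, reason]. The alg check rejects "none" and algorithm confusion.
def verify_id_token(jwt, client, expected_nonce, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = jwt.to_s.split('.')
  return [false, 'malformed token'] unless header_b64 && payload_b64 && sig_b64
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return [false, "unexpected alg #{header['alg']}"] unless header['alg'] == 'HS256'
  expected_sig = b64url(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), client[:secret],
                                             "#{header_b64}.#{payload_b64}"))
  return [false, 'bad signature'] unless secure_equal?(expected_sig, sig_b64)
  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  return [false, 'issuer mismatch'] unless claims['iss'] == client[:issuer]
  return [false, 'audience mismatch'] unless Array(claims['aud']).include?(client[:identifier])
  return [false, 'token expired'] unless claims['exp'].is_a?(Integer) && now < claims['exp']
  return [false, 'nonce mismatch'] unless secure_equal?(claims['nonce'].to_s, expected_nonce)
  [true, claims]
end

if __FILE__ == $PROGRAM_NAME
  req = build_authorization_request(CLIENT)
  puts "redirect the browser to: #{req[:url]}"
  token = make_hs256_id_token({ 'iss' => CLIENT[:issuer], 'aud' => CLIENT[:identifier],
                                'exp' => Time.now.to_i + 300, 'nonce' => req[:nonce],
                                'sub' => 'alice' }, CLIENT[:secret])
  p verify_id_token(token, CLIENT, req[:nonce])
end
```

The scope list and redirect_uri sent in step 1 are exactly what you register on the OpenAM client in the next section; a mismatch there is the usual cause of the provider refusing the request.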
That's it! Now for the configuration of OpenAM as an OpenID Connect provider.
OpenAM version 11.0 is the one you should be using. This is how it should look after you have logged in as "amadmin":
Firstly, click on "Configure OAuth2" and set it up accordingly. [2]
Then go to:
- Access Control -> (Your realm) -> Agents -> OAuth 2.0 Client -> New
- Add the "client_id" and "client_secret" here (they must match the identifier and secret in devise.rb).
- On the next page, add the redirect URL (http://gitlab.example.com/users/auth/openid_connect/callback).
- Add the scopes openid, profile and email, plus any others you added to the GitLab configuration.
- Click Save.
Notes:
The OpenID Connect implementation in OpenAM 11.0.0 is broken over SSL. See these issues:
- https://bugster.forgerock.org/jira/browse/OPENAM-3433
- https://bugster.forgerock.org/jira/browse/OPENAM-3948
- https://bugster.forgerock.org/jira/browse/OPENAM-3908
References:
[1] OpenID Connect website
[2] OpenAM documentation
[3] OmniAuth OpenID Connect gem
Read also:
[1] OpenID Connect specification: http://openid.net/specs/openid-connect-core-1_0-17.html
[2] OpenID Spec: http://www.lifewiki.net/openid/OpenIDSpecification
[3] OpenAM Administration guide: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/