Migrating On Prem GitLab EE to Azure VM

Published on Author JFLeave a comment

Here’s what worked for me:

I replaced LDAP with OAuth 2.0

Upgrade GitLab

I upgraded to the latest from 13.6.0. It took a long time going through all the different steps because I was major versions behind. I attempted at 13.6.0 but it just wasn’t working. Here are my steps for reference:

yum install gitlab-ee-13.6.0-ee.0.el7 -y
yum install gitlab-ee-13.8.8-ee.0.el7 -y
yum install gitlab-ee-13.12.12-ee.0.el7 -y
yum install gitlab-ee-14.0.0-ee.0.el7 -y
yum install gitlab-ee-14.0.11-ee.0.el7 -y
yum install gitlab-ee-14.1.6-ee.0.el7 -y
yum install gitlab-ee-14.3.3-ee.0.el7 -y

Here are the instructions for creating the application in Azure. Reminder: the secret key is only shown ONCE. You need to copy it and the rest of the values. When done, put the secret somewhere safe, like in LastPass.

Gitlab.rb:

First, make a backup of your rb file.

Comment out whatever you were using before to authenticate.

This is copy and paste. You don’t need to uncomment anything. Use the values you got from creating the application.

These are the values you want to update and the confusing labels used in Azure. Replace the [ ] and everything between them:

I couldn’t remember if ‘issuer’ => was unique, so I obfuscated what is shown below. Make sure to capture that in the application creation.

‘identifier’ => ‘[Application (Client) ID]‘,
‘secret’ => ‘[Secret “value” ]‘,

Finally, change the host for the redirect URL to yours.

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
 gitlab_rails['omniauth_enabled'] = true
 gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
 gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
 gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
 gitlab_rails['omniauth_sync_profile_attributes'] = ['name','email']
 gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
 gitlab_rails['omniauth_block_auto_created_users'] = true
 gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
##10-15-21 Addingin OAUTH to Azure JF
# gitlab_rails['omniauth_providers'] = [
#   {
#     "name" => "azure_activedirectory_v2",
#     "app_id" => "YOUR APP ID",
#     "app_secret" => "YOUR APP SECRET",
#     "args" => { "access_type" => "offline", "approval_prompt" => "" }
#   }
# ]

gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'Azure OIDC',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile', 'email'],
      'response_type' => 'code',
      'issuer' =>  '[https://login.microsoftonline.com/f1234567-1a4e-444d-9ba0-nels020d56567/v2.0]',
      'client_auth_method' => 'query',
      'discovery' => true,
      'uid_field' => 'preferred_username',
      'client_options' => {
        'identifier' => '[Application (Client) ID]',
        'secret' => '[Secret "value" ]',
        'redirect_uri' => 'https://git.yoursite.com/users/auth/openid_connect/callback'
      }
    }
  }
]

That’s it. Good luck.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.