Starting from version 2.8.92, Semaphore supports authentication via OpenID. In this article, we will explore how to set up Ansible Semaphore to authenticate users via GitLab.
Configuring authentication via OpenID starts with setting up the provider itself, in our case, GitLab.
1. Create an application in GitLab
To enable authentication through GitLab, you need to create an application in your GitLab account settings.
- Go to the Applications section in the settings of your GitLab account: https://gitlab.com/-/profile/applications
- Fill in the required fields:
  - Redirect URL: http://localhost:3000/api/auth/oidc/gitlab/redirect
  - Scopes: openid, profile, email
- After you click Save application, GitLab shows the new application's Application ID and Secret.
- Copy and save the secret key somewhere (it will be needed for configuring Semaphore) and click Continue.
- The application is ready.
2. Add the OpenID settings to Semaphore's configuration file
Semaphore settings are stored in the configuration file (usually config.json) in JSON format.
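We need to add the following settings to it so that Semaphore knows how to use GitLab as an OpenID provider. Replace the client_id and client_secret values with the Application ID and Secret from step 1. The redirect_url must match the Redirect URL registered in GitLab exactly, including the port:

    "oidc_providers": {
        "gitlab": {
            "display_name": "GitLab",
            "provider_url": "https://gitlab.com",
            "client_id": "Application ID",
            "client_secret": "Secret",
            "redirect_url": "http://localhost:3000/api/auth/oidc/gitlab/redirect"
        }
    }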
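A pre-restart check for the oidc_providers block, as an added example that is not part of the original article or of Semaphore itself: it flags template placeholders left in place, a redirect_url that differs from the Redirect URL registered in GitLab, and plain http on non-loopback hosts. The names lint_oidc and registered are hypothetical, and the rule that the callback path embeds the provider key is an assumption drawn from the URL shown in step 1.

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("provider_url", "client_id", "client_secret", "redirect_url")
PLACEHOLDERS = {"Application ID", "Secret", ""}  # literal values from the article's template
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def lint_oidc(config, registered):
    """Return a list of problems found in config["oidc_providers"].

    registered (hypothetical input) maps provider key -> the Redirect URL
    the operator typed into the provider's application form.
    """
    problems = []
    for name, p in config.get("oidc_providers", {}).items():
        for key in REQUIRED:
            if p.get(key, "") in PLACEHOLDERS:
                problems.append(f"{name}: {key} is missing or still a placeholder")
        # Assumption: the callback path embeds the provider key, as in step 1.
        if urlsplit(p.get("redirect_url", "")).path != f"/api/auth/oidc/{name}/redirect":
            problems.append(f"{name}: redirect_url path does not match the provider key")
        # The provider compares redirect URIs as exact strings (scheme, host, port, path).
        if p.get("redirect_url") != registered.get(name):
            problems.append(f"{name}: redirect_url differs from the registered Redirect URL")
        # Plain http exposes the authorization code in transit; allow it only on loopback.
        for key in ("provider_url", "redirect_url"):
            u = urlsplit(p.get(key, ""))
            if u.scheme != "https" and u.hostname not in LOOPBACK:
                problems.append(f"{name}: {key} should use https")
    return problems

# Constructed sample: the template with placeholders and a port mismatch left in.
SAMPLE = json.loads("""{
  "oidc_providers": {
    "gitlab": {
      "display_name": "GitLab",
      "provider_url": "https://gitlab.com",
      "client_id": "Application ID",
      "client_secret": "Secret",
      "redirect_url": "http://localhost:4000/api/auth/oidc/gitlab/redirect"
    }
  }
}""")
REGISTERED = {"gitlab": "http://localhost:3000/api/auth/oidc/gitlab/redirect"}

if __name__ == "__main__":
    for line in lint_oidc(SAMPLE, REGISTERED):
        print(line)
```

Since config.json now holds the client secret, restrict read access on the file to the account that runs Semaphore.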
3. Start Semaphore with OpenID/GitLab authentication
After you have saved the changes in the configuration file, start or restart Semaphore with the new settings.
You will find a new "GitLab" button on the Semaphore login page.