View in #general on Slack
@Cory_Rankin: has anyone set up self-hosted gitlab with SSO and pomerium? trying to decide my easiest strategy
@Alex: @Cory_Rankin it’s on my radar to make an integration guide for that in the coming weeks. I’d be happy to share my WIP with you (once I have something to share), and/or get input from your setup (if you go for it first) to use in the guide.
@Cory_Rankin: oh awesome. I’ve only messed around a little bit and done some gitlab reading.
I would rather do that than oauth with my idp
@Alex: @Cory_Rankin, wait, are you trying to:
• use self-hosted GitLab as an IdP,
• secure self-hosted GitLab with Pomerium,
• both?
Because I can tell you that doing both is a non-starter - the IdP needs to be accessible before you authenticate to Pomerium in order to work.
@Cory_Rankin: secure self-hosted Gitlab with Pomerium. I was saying my alternative was oauth to gitlab using my existing idp. I have Pomerium in front of gitlab already but dual auth
@Alex: Gotcha
@Cory_Rankin: it seemed like using gitlab jwt auth with pomerium could work unless I was misunderstanding
@Alex: I think so too, are we both looking at the same doc?
@Cory_Rankin: Yes, I should’ve linked. That’s what I was reading over and trying to decide on
@Alex: That looks pretty standard, except I’m not yet clear on what it means by “register your application” and how the app secret applies.
I’ll know more when I dig into it, hopefully by EOW
@Cory_Rankin: that is where I was uncertain
the gitlab doc references this omniauth-jwt repo but that didn’t ring any bells for me
@Alex: Hey @Cory_Rankin - I’ve been working on this and have succeeded in protecting gitlab-ee behind Pomerium. Now I’m working on this JWT auth, and man… I’m still trying to figure out what the hell it means by “register your application” or how that secret key is generated…
@Cory_Rankin: I’m with you, perhaps it is for something like this and not user auth?
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
Authenticating and reading secrets with HashiCorp Vault | GitLab
oh! I think I found our answer here:
https://github.com/mbleigh/omniauth-jwt/issues/7
@Alex: Yea… unfortunately that issue was solved by a PR in a fork of the tool, not in the source tool. Additionally it looks like the system using the tool needs to also be adjusted, as seen in this PR implementing that change for Discourse (which was also reverted) https://github.com/discourse/discourse-jwt/pull/3
If you don’t mind, I’m gonna convert this into a forum thread over on Discuss. Making this conversation more publicly accessible should help get the involvement of a GitLab SME who may hold the answer in their brain.
@Cory_Rankin: Ha, yes I noticed that. Sounds good thanks