26 February 2014


If you are using version before 6.6 read older post.


This post is about howto get working Gitlab and Crowd together. It’s based on versions - Crowd version 2.7.1 - Gitlab version 6.6

Installation and configuration

Atlassian Crowd

Installation and configuration of the Crowd is out of scope. Crowd is commercial product and you shoud have support for it.


For Debian or Ubuntu follow the installation guide on Github. Try to login as admin user to find out if the installation is working.


### Install the gem Follow the steps in section Using Custom Omniauth Providers, the gem you are looking for is omniauth_crowd. I’m using the last version of this gem 2.2.2.

Change configuration

I have following omniauth section in config/gitlab.yml

  enabled: yes
  allow_single_sign_on: true
  block_auto_created_users: false
    - { name: 'crowd',
        args: {
          crowd_server_url: 'https://YOUR CROWD SERVER:8095',
          application_name: 'YOUR APPLICAION ID',
          application_password: 'YOUR APPLICATION PASSWORD' } }

I control the access from the Crowd application so I changed the default values for allow_single_sign_on and block_auto_created_users.

Patch Gitlab

The Crowd Omniauth implementation is using symbols in configuration hash. The configuration file is YAML, so you need to convert the hash keys from string to symbols.

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a02bf9d..a54f92f 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -239,7 +239,7 @@ Devise.setup do |config|
       provider_arguments.concat provider['args']
     when Hash
       # A Hash from the configuration will be passed as is.
-      provider_arguments << provider['args']
+      provider_arguments << provider['args'].symbolize_keys
     config.omniauth provider['name'].to_sym, *provider_arguments

Some final notes

Remark for developers

I hope this would help some ruby developer to write a patch and submit it into upstream.

git over http(s)

I spent few hours debugging the https://github.com/gitlabhq/gitlabhq/issues/6677. The Omniauth, in this case crowd, is not working for HTTP(s) git commands.

Generally there is no way how to integrate omniauth providers to the Gitlab:Auth. The reason is, that omniauth provides only users identity to gitlab. The login credentials are hidden to application.

Good example is OAuth, where you are redirected to the 3rd party page like Google, Twitter, Facebook … Doing this when you are trying to clone repository using HTTP(s) protocol is impossible.

Grack is responsible for handling git command over HTTP(s). It uses Gitlab::Auth class for authentification. Right now there is implementaion only for direct users and LDAP users. Good news is, that crowd is more like LDAP, so if needs this functionality it could be done by extending Gitlab::Auth class.