
Generally, Dependency-Track can be used with any identity provider that implements the OpenID Connect standard. connect2id maintains a list of public OpenID Connect Identity Providers. Although usage with public providers is technically possible, it’s strongly recommended to only use providers that you or your organization have full control over. Misconfiguration may allow third parties to gain access to your Dependency-Track instance!

Dependency-Track has been tested with multiple OpenID Connect identity providers. The following are some example configurations that are known to work. If you find that the provider of your choice does not work with Dependency-Track, please file an issue.

GitLab (gitlab.com)

alpine.oidc.enabled=true
alpine.oidc.issuer=https://gitlab.com
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=nickname
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups

Please refer to the official documentation on how to use GitLab as OpenID Connect Identity Provider.

Keycloak

alpine.oidc.enabled=true
alpine.oidc.issuer=http://localhost:8080/auth/realms/master
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=preferred_username
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups

Keycloak does not include group or role information in its UserInfo endpoint by default. If you want to use Dependency-Track’s team synchronization feature, you’ll have to create a mapper for the Dependency-Track client:

Mapper creation

Depending on your setup, you would use the mapper types Group Membership (as shown above) or User Realm Role. Make sure Add to userinfo is enabled.
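
A preflight check for the Keycloak setup above, as an added example that is not part of the Dependency-Track documentation or code base: it compares one UserInfo response against the configured claim names to show whether team synchronization would find the teams claim. The function names, the sample UserInfo payloads and the HTTPS issuer check are assumptions made for this illustration.

```python
import json
from urllib.parse import urlparse

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def preflight(props_text, userinfo_json):
    """Check one UserInfo response against the alpine.oidc.* settings."""
    props, claims = parse_properties(props_text), json.loads(userinfo_json)
    findings = []
    # Added check: a plain-HTTP issuer is tolerated only on the loopback host.
    issuer = urlparse(props.get("alpine.oidc.issuer", ""))
    if issuer.scheme != "https" and issuer.hostname not in ("localhost", "127.0.0.1"):
        findings.append("issuer is not HTTPS")
    username_claim = props.get("alpine.oidc.username.claim", "")
    if not claims.get(username_claim):
        findings.append(f"username claim '{username_claim}' missing from UserInfo")
    # Team synchronization reads the teams claim; without the mapper it is absent.
    if props.get("alpine.oidc.team.synchronization") == "true":
        teams_claim = props.get("alpine.oidc.teams.claim", "")
        if not claims.get(teams_claim):
            findings.append(f"teams claim '{teams_claim}' missing or empty in UserInfo")
    return findings

# Keycloak settings from this page.
KEYCLOAK_PROPS = """
alpine.oidc.enabled=true
alpine.oidc.issuer=http://localhost:8080/auth/realms/master
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=preferred_username
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
"""
# Constructed UserInfo responses: before and after adding the mapper.
USERINFO_DEFAULT = '{"sub": "example-sub", "preferred_username": "alice"}'
USERINFO_WITH_MAPPER = '{"sub": "example-sub", "preferred_username": "alice", "groups": ["/security"]}'

if __name__ == "__main__":
    for label, doc in (("default", USERINFO_DEFAULT), ("with mapper", USERINFO_WITH_MAPPER)):
        print(label, preflight(KEYCLOAK_PROPS, doc) or "ok")
```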