Generally, Dependency-Track can be used with any identity provider that implements the OpenID Connect standard. connect2id maintains a list of public OpenID Connect Identity Providers. Although usage with public providers is technically possible, it’s strongly recommended to only use providers that you or your organization have full control over. Misconfiguration may allow third parties to gain access to your Dependency-Track instance!
Dependency-Track has been tested with multiple OpenID Connect identity providers. The following are some example configurations that are known to work. If you find that the provider of your choice does not work with Dependency-Track, please file an issue.
alpine.oidc.enabled=true
alpine.oidc.issuer=https://gitlab.com
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=nickname
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
Please refer to the official documentation on how to use GitLab as OpenID Connect Identity Provider.
alpine.oidc.enabled=true
alpine.oidc.issuer=http://localhost:8080/auth/realms/master
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=preferred_username
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
Keycloak does not include group or role information in its UserInfo endpoint by default. If you want to use Dependency-Track’s team synchronization feature, you’ll have to create a mapper for the Dependency-Track client:
Depending on your setup you would use the mapper types Group Membership (as shown above) or User Realm Role. Whichever mapper type you use, make sure that Add to userinfo is enabled.
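One way to confirm the mapper took effect before relying on team synchronization is to compare a UserInfo response against the configured claim names. The following is an added example, not part of Dependency-Track: the helper names and both UserInfo documents are constructed, and it assumes the teams claim arrives as a JSON array of strings.

```python
import json

# The Keycloak properties from this page.
PROPERTIES = """\
alpine.oidc.enabled=true
alpine.oidc.issuer=http://localhost:8080/auth/realms/master
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=preferred_username
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
"""

# Constructed UserInfo responses: before and after adding the client mapper.
USERINFO_NO_MAPPER = json.loads(
    '{"sub": "constructed-id", "preferred_username": "alice"}')
USERINFO_WITH_MAPPER = json.loads(
    '{"sub": "constructed-id", "preferred_username": "alice",'
    ' "groups": ["/dtrack-admins"]}')


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_userinfo(props, userinfo):
    """Return a list of problems; an empty list means the claims line up."""
    problems = []
    name_claim = props.get("alpine.oidc.username.claim", "")
    name = userinfo.get(name_claim)
    if not isinstance(name, str) or not name:
        problems.append(f"username claim '{name_claim}' is missing from UserInfo")
    if props.get("alpine.oidc.team.synchronization") == "true":
        teams_claim = props.get("alpine.oidc.teams.claim", "")
        teams = userinfo.get(teams_claim)
        if teams is None:
            problems.append(f"teams claim '{teams_claim}' is missing from UserInfo")
        # Assumption: teams are delivered as a JSON array of strings.
        elif not (isinstance(teams, list) and all(isinstance(t, str) for t in teams)):
            problems.append(f"teams claim '{teams_claim}' is not a list of strings")
    return problems


if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    for label, doc in (("no mapper", USERINFO_NO_MAPPER), ("with mapper", USERINFO_WITH_MAPPER)):
        print(label, "->", check_userinfo(props, doc) or "OK")
```

To check a real realm, replace the constructed documents with the JSON returned by the provider's UserInfo endpoint for a test account.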