GitLab integrates with the following external authentication and authorization providers:
- AWS Cognito
- Bitbucket Cloud
- Google OAuth
- LDAP: Includes Active Directory, Apple Open Directory, OpenLDAP, and 389 Server.
- SAML for GitLab.com groups
The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.
Just-In-Time (JIT) Provisioning
|User Detail Updating (not group management)||Not Available||LDAP Sync|
|Authentication||SAML at top-level group (1 provider)||LDAP (multiple providers), SAML (only 1 permitted per unique provider), OmniAuth Providers (only 1 permitted per unique provider)|
|Provider-to-GitLab Role Sync||SAML Group Sync||LDAP Group Sync|
|User Removal||SCIM (remove user from top-level group)||LDAP (Blocking User from Instance)|
When GitLab doesn’t support having multiple providers (such as OAuth), GitLab configuration and user identification must be updated at the same time if the provider or app is changed.
These instructions apply to all methods of authentication where GitLab stores an extern_uid and it is the only data used for user authentication.
When changing apps within a provider, if the user extern_uid does not change, only the GitLab configuration must be
To swap configurations:
- Change provider configuration in your
extern_uid for all users that have an identity in GitLab for the previous provider.
To find the extern_uid, look at an existing user's current extern_uid for an ID that matches the appropriate field in your current provider for the same user.
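Because the extern_uid is the only data used to authenticate these users, a wrong mapping locks a user out or binds an account to someone else's external identity. The following is an added example, not GitLab's own code: an offline pre-check that finds which provider field the stored extern_uid values match and plans the swap. The export shapes, the use of email as the join key, and the function names are assumptions.

```python
from collections import Counter

GITLAB_IDENTITIES = [  # constructed sample: identities stored in GitLab
    {"username": "alice", "email": "alice@example.com", "extern_uid": "1001"},
    {"username": "bob", "email": "bob@example.com", "extern_uid": "1002"},
    {"username": "carol", "email": "carol@example.com", "extern_uid": "1003"},
]
OLD_PROVIDER = [  # constructed: the same users as the previous provider reports them
    {"email": "alice@example.com", "id": "1001", "login": "alice.a"},
    {"email": "bob@example.com", "id": "1002", "login": "bob.b"},
    {"email": "carol@example.com", "id": "1003", "login": "carol.c"},
]
NEW_PROVIDER = [  # constructed: carol has no account in the new provider yet
    {"email": "alice@example.com", "id": "a-77", "login": "alice.a"},
    {"email": "bob@example.com", "id": "b-78", "login": "bob.b"},
]

def detect_uid_field(identities, provider_users, key="email"):
    """Find the one provider field whose value equals extern_uid for every
    identity matched on `key` (assumed join key); None if zero or several fit."""
    by_key = {u[key].lower(): u for u in provider_users}
    pairs = [(i, by_key[i[key].lower()]) for i in identities
             if i[key].lower() in by_key]
    if not pairs:
        return None
    fields = set.intersection(*(set(p) for _, p in pairs)) - {key}
    hits = [f for f in sorted(fields)
            if all(str(p[f]) == i["extern_uid"] for i, p in pairs)]
    return hits[0] if len(hits) == 1 else None

def plan_swap(identities, new_users, uid_field, key="email"):
    """Map username -> (old extern_uid, new extern_uid). Users without a new
    value, or sharing one with another user, are reported, never guessed."""
    by_key = {u[key].lower(): u for u in new_users}
    plan, unmatched = {}, []
    for ident in identities:
        new = by_key.get(ident[key].lower())
        if new is None or not new.get(uid_field):
            unmatched.append(ident["username"])
        else:
            plan[ident["username"]] = (ident["extern_uid"], str(new[uid_field]))
    seen = Counter(new_uid for _, new_uid in plan.values())
    collisions = sorted(u for u, (_, n) in plan.items() if seen[n] > 1)
    plan = {u: v for u, v in plan.items() if u not in collisions}
    return plan, unmatched, collisions

if __name__ == "__main__":
    field = detect_uid_field(GITLAB_IDENTITIES, OLD_PROVIDER)
    print(field, plan_swap(GITLAB_IDENTITIES, NEW_PROVIDER, field))
```

Resolve every entry in the unmatched and collision lists before changing the provider configuration, since those users cannot sign in, or would sign in as the wrong account, once the old identity is replaced.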
There are two methods to update the