Configure SCIM for self-managed GitLab instances
- Tier: Premium, Ultimate
- Offering: Self-managed
You can use the open standard System for Cross-domain Identity Management (SCIM) to automatically:
- Create users.
- Block users.
- Re-add users (reactivate SCIM identity).
The internal GitLab SCIM API implements part of the RFC7644 protocol.
If you are a GitLab.com user, see configuring SCIM for GitLab.com groups.
Configure GitLab
Prerequisites:
- Configure SAML single sign-on.
To configure GitLab SCIM:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand the SCIM Token section and select Generate a SCIM token.
- For configuration of your identity provider, save the:
  - Token from the Your SCIM token field.
  - URL from the SCIM API endpoint URL field.
Configure an identity provider
You can configure the following as an identity provider:
- Okta.
Other identity providers can work with GitLab but they have not been tested and are not supported. You should contact the provider for support. GitLab support can assist by reviewing related log entries.
Configure Okta
The SAML application created during single sign-on setup for Okta must be set up for SCIM.
Prerequisites:
- You must use the Okta Lifecycle Management product. This product tier is required to use SCIM on Okta.
- GitLab is configured for SCIM.
- The SAML application for Okta is set up as described in the Okta setup notes.
- Your Okta SAML setup matches the configuration steps, especially the NameID configuration.
To configure Okta for SCIM:
- Sign in to Okta.
- In the upper-right corner, select Admin. The button is not visible from the Admin area.
- In the Application tab, select Browse App Catalog.
- Find and select the GitLab application.
- On the GitLab application overview page, select Add Integration.
- Under Application Visibility, select both checkboxes. The GitLab application does not support SAML authentication so the icon should not be shown to users.
- Select Done to finish adding the application.
- In the Provisioning tab, select Configure API integration.
- Select Enable API integration.
- For Base URL, paste the URL you copied from SCIM API endpoint URL on the GitLab SCIM configuration page.
- For API Token, paste the SCIM token you copied from Your SCIM token on the GitLab SCIM configuration page.
- To verify the configuration, select Test API Credentials.
- Select Save.
- After saving the API integration details, new settings tabs appear on the left. Select To App.
- Select Edit.
- Select the Enable checkbox for both Create Users and Deactivate Users.
- Select Save.
- Assign users in the Assignments tab. Assigned users are created and managed in your GitLab group.
Remove access
Removing or deactivating a user on the identity provider blocks the user on the GitLab instance, while the SCIM identity remains linked to the GitLab user.
To update the user SCIM identity, use the internal GitLab SCIM API.
Reactivate access
After a user is removed or deactivated through SCIM, you can reactivate that user by adding them to the SCIM identity provider.
After the identity provider performs a sync based on its configured schedule, the user’s SCIM identity is reactivated and their GitLab instance access is restored.
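As an aid for reading provisioning logs, this added example (not GitLab's or Okta's code) builds, without sending, the RFC 7644 PATCH request an identity provider issues to deactivate or reactivate a user. It assumes GitLab accepts the standard PatchOp body and `/Users/<id>` path from RFC 7644; the base URL, token and identifier are constructed placeholders for the values saved from the SCIM Token section.

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_active_patch(base_url, token, scim_id, active):
    """Build (but do not send) a PATCH that sets a SCIM user's `active` flag."""
    # The SCIM token is a bearer credential: never attach it to a non-TLS URL.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("SCIM base URL must use https")
    if not token or not scim_id:
        raise ValueError("token and scim_id are required")
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": bool(active)}],
    }
    # Percent-encode the identifier so it cannot add extra path segments.
    url = base_url.rstrip("/") + "/Users/" + quote(scim_id, safe="")
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"},
    )


def describe(req):
    """Summarise a request for logs with the token redacted."""
    return {"method": req.get_method(), "url": req.full_url,
            "body": json.loads(req.data), "authorization": "Bearer <redacted>"}


if __name__ == "__main__":
    # Constructed placeholders: use the URL and token from the SCIM Token section.
    base = "https://gitlab.example.com/scim-endpoint-placeholder"
    for state in (False, True):  # deactivate, then reactivate
        print(describe(build_active_patch(base, "placeholder-token", "jane.doe", state)))
```

Treat the SCIM token like any other long-lived bearer secret: keep it out of logs and shell history, as `describe` does by redacting it.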
Troubleshooting
See our troubleshooting SCIM guide.