User identity

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

GitLab integrates with a number of third party tools and protocols to better support authentication and authorization.

Connect GitLab to your organization’s existing identity infrastructure to centralize user management and enforce security policies. You can integrate with LDAP, SAML, OAuth, or SCIM identity providers and directory services for authentication and authorization.

On GitLab Self-Managed and GitLab Dedicated, administrators can integrate with identity providers like Active Directory, Google Workspace, or Azure AD to automatically provision users, sync group memberships, and enable single sign-on. GitLab.com groups can also integrate with SAML identity providers for centralized authentication and user provisioning.

Choose from multiple integration methods based on your organization’s needs:

  • LDAP for directory synchronization
  • SAML for single sign-on
  • OAuth for third-party authentication
  • SCIM for automated user provisioning and deprovisioning

Core concepts

LDAP
Integrate directory services for centralized authentication.
OmniAuth
Configure external authentication with third-party identity providers.
SAML
Configure enterprise authentication with SAML integration for single sign-on access.
SAML Group Sync
Automate group membership with role assignment and synchronized access controls.
SCIM
Manage the user lifecycle with automated account provisioning.

GitLab.com compared to GitLab Self-Managed

The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.

CapabilityGitLab.comGitLab Self-Managed
User ProvisioningSCIM
SAML 1		LDAP 1
SAML 1
OmniAuth Providers 1
SCIM
User Detail Updating (not group management)Not AvailableLDAP Sync
AuthenticationSAML at top-level group (1 provider)LDAP (multiple providers)
Generic OAuth 2.0
SAML (only 1 permitted per unique provider)
Kerberos
JWT
Smart card
OmniAuth Providers (only 1 permitted per unique provider)
Provider-to-GitLab Role SyncSAML Group SyncLDAP Group Sync
SAML Group Sync (GitLab 15.1 and later)
User RemovalSCIM (remove user from top-level group)LDAP (remove user from groups and block from the instance)
SCIM

Footnotes:

  1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.