GitLab authentication and authorization

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

GitLab integrates with a number of OmniAuth providers, and the following external authentication and authorization providers:

UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.

GitLab.com compared to GitLab Self-Managed

The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.

| Capability | GitLab.com | Self-managed |
|---|---|---|
| User Provisioning | SCIM; SAML ¹ | LDAP ¹; SAML ¹; OmniAuth Providers ¹; SCIM |
| User Detail Updating (not group management) | Not Available | LDAP Sync |
| Authentication | SAML at top-level group (1 provider) | LDAP (multiple providers); Generic OAuth 2.0; SAML (only 1 permitted per unique provider); Kerberos; JWT; Smart card; OmniAuth Providers (only 1 permitted per unique provider) |
| Provider-to-GitLab Role Sync | SAML Group Sync | LDAP Group Sync; SAML Group Sync (GitLab 15.1 and later) |
| User Removal | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance); SCIM |

Footnotes:

  1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.

Test OIDC/OAuth in GitLab

See Test OIDC/OAuth in GitLab to learn how to test OIDC/OAuth authentication in your GitLab instance using your client application.