Configure SCIM for self-managed GitLab instances

Tier: Premium, Ultimate Offering: Self-managed
History

You can use the open standard System for Cross-domain Identity Management (SCIM) to automatically:

  • Create users.
  • Block users.
  • Re-add users (reactivate SCIM identity).

The internal GitLab SCIM API implements part of the RFC7644 protocol.

If you are a GitLab.com user, see configuring SCIM for GitLab.com groups.

Configure GitLab

Prerequisites:

To configure GitLab SCIM:

  1. On the left sidebar, at the bottom, select Admin Area.
  2. Select Settings > General.
  3. Expand the SCIM Token section and select Generate a SCIM token.
  4. For configuration of your identity provider, save the:
    • Token from the Your SCIM token field.
    • URL from the SCIM API endpoint URL field.

Configure an identity provider

You can configure the following as an identity provider:

note
Other identity providers can work with GitLab but they have not been tested and are not supported. You should contact the provider for support. GitLab support can assist by reviewing related log entries.

Configure Okta

The SAML application created during single sign-on set up for Okta must be set up for SCIM.

Prerequisites:

To configure Okta for SCIM:

  1. Sign in to Okta.
  2. In the upper-right corner, select Admin. The button is not visible from the Admin Area.
  3. In the Application tab, select Browse App Catalog.
  4. Find and select the GitLab application.
  5. On the GitLab application overview page, select Add Integration.
  6. Under Application Visibility, select both checkboxes. The GitLab application does not support SAML authentication so the icon should not be shown to users.
  7. Select Done to finish adding the application.
  8. In the Provisioning tab, select Configure API integration.
  9. Select Enable API integration.
    • For Base URL, paste the URL you copied from SCIM API endpoint URL on the GitLab SCIM configuration page.
    • For API Token, paste the SCIM token you copied from Your SCIM token on the GitLab SCIM configuration page.
  10. To verify the configuration, select Test API Credentials.
  11. Select Save.
  12. After saving the API integration details, new settings tabs appear on the left. Select To App.
  13. Select Edit.
  14. Select the Enable checkbox for both Create Users and Deactivate Users.
  15. Select Save.
  16. Assign users in the Assignments tab. Assigned users are created and managed in your GitLab group.

Remove access

Removing or deactivating a user on the identity provider blocks the user on the GitLab instance, while the SCIM identity remains linked to the GitLab user.

To update the user SCIM identity, use the internal GitLab SCIM API.

Reactivate access

History
  • Introduced in GitLab 16.0 with a flag named skip_saml_identity_destroy_during_scim_deprovision. Disabled by default.
  • Generally available in GitLab 16.4. Feature flag skip_saml_identity_destroy_during_scim_deprovision removed.

After a user is removed or deactivated through SCIM, you can reactivate that user by adding them to the SCIM identity provider.

After the identity provider performs a sync based on its configured schedule, the user’s SCIM identity is reactivated and their GitLab instance access is restored.

Troubleshooting

See our troubleshooting SCIM guide.