SAML Group Sync
Introduced for self-managed instances in GitLab 15.1.
groups
in the SAML response.
If changes must be made, ensure either the SAML response includes the groups
attribute
and the AttributeValue
value matches the SAML Group Name in GitLab,
or that all groups are removed from GitLab to disable Group Sync.For a demo of Group Sync using Azure, see Demo: SAML Group Sync.
Configure SAML Group Sync
To configure SAML Group Sync:
- Configure SAML authentication:
- For GitLab self-managed, see SAML OmniAuth Provider.
- For GitLab.com, see SAML SSO for GitLab.com groups.
- Ensure your SAML identity provider sends an attribute statement named
Groups
orgroups
.
Groups
or groups
in the SAML response can be either the group name or the group ID.<saml:AttributeStatement>
<saml:Attribute Name="Groups">
<saml:AttributeValue xsi:type="xs:string">Developers</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">Product Managers</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Other attribute names such as http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
are not accepted as a source of groups.
See the SAML troubleshooting page
for examples on configuring the required attribute name in the SAML identity provider’s settings.
Configure SAML Group Links
When SAML is enabled, users with the Maintainer or Owner role see a new menu item in group Settings > SAML Group Links. You can configure one or more SAML Group Links to map a SAML identity provider group name to a GitLab role. This can be done for a top-level group or any subgroup.
To link the SAML groups:
- In SAML Group Name, enter the value of the relevant
saml:AttributeValue
. - Choose the role in Access Level.
- Select Save.
- Repeat to add additional group links if required.
If a user is a member of multiple SAML groups mapped to the same GitLab group, the user gets the highest role from the groups. For example, if one group is linked as Guest and another Maintainer, a user in both groups gets the Maintainer role.
Users granted:
- A higher role with Group Sync are displayed as having direct membership of the group.
- A lower or the same role with Group Sync are displayed as having inherited membership of the group.
Automatic member removal
After a group sync, for GitLab subgroups, users who are not members of a mapped SAML group are removed from the group.
saml_group_sync_retain_default_membership
feature flag and can be configured by GitLab.com administrators only.For example, in the following diagram:
- Alex Garcia signs into GitLab and is removed from GitLab Group C because they don’t belong to SAML Group C.
- Sidney Jones belongs to SAML Group C, but is not added to GitLab Group C because they have not yet signed in.