- Set up the Beyond Identity integration for your instance
- GPG key verification
- Skip push check for service accounts
- Exclude groups or projects from the Beyond Identity check
Beyond Identity
- Introduced in GitLab 16.9.
Configure GitLab to verify GPG keys issued by Beyond Identity added to a user profile.
Set up the Beyond Identity integration for your instance
Prerequisites:
- You must have administrator access to the GitLab instance.
- The email address used in the GitLab profile must be the same as the email assigned to the key in the Beyond Identity Authenticator.
- You must have a Beyond Identity API token. You can request it from their Sales Engineer.
To enable the Beyond Identity integration for your instance:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Under Enable integration, select the Active checkbox.
- In API token, paste the API token you received from Beyond Identity.
- Select Save changes.
The Beyond Identity integration for your instance is now enabled.
GPG key verification
When a user adds a GPG key to their profile, the key is verified:
- If the key wasn’t issued by the Beyond Identity Authenticator, it’s accepted.
- If the key was issued by the Beyond Identity Authenticator, but the key is invalid, it’s rejected. For example: the email used in the user’s GitLab profile is different from the email assigned to the key in the Beyond Identity Authenticator.
When a user pushes a commit, GitLab checks that the commit was signed by a GPG signature uploaded to the user profile. If the signature cannot be verified, the push is rejected. Web commits are accepted without a signature.
Skip push check for service accounts
- Introduced in GitLab 16.11.
Prerequisites:
- You must have administrator access to the GitLab instance.
To skip the push check for service accounts:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Select the Exclude service accounts checkbox.
- Select Save changes.
Exclude groups or projects from the Beyond Identity check
-
Introduced in GitLab 17.0 with a flag named
beyond_identity_exclusions
. Enabled by default. - Ability to exclude groups introduced in GitLab 17.1.
-
Generally available in GitLab 17.7. Feature flag
beyond_identity_exclusions
removed.
Prerequisites:
- You must have administrator access to the GitLab instance.
To exclude groups or projects from the Beyond Identity check:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Select the Exclusions tab.
- Select Add exclusions.
- On the drawer, search and select groups or projects to exclude.
- Select Add exclusions.