| author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-07 09:06:12 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-07 09:06:12 +0300 |
| commit | 2a87ae2e368ec6fbb1e75b89bc092ba2fd7eb913 (patch) | |
| tree | 4d6b995e3292562627ddeeacbc5b5eba0ce64032 /doc | |
| parent | eb0d9e20c5a81b0a556308ae3fc8015fcc3c9621 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/development/fe_guide/development_process.md | 2 |
| -rw-r--r-- | doc/user/group/saml_sso/index.md | 40 |
| -rw-r--r-- | doc/user/group/saml_sso/scim_setup.md | 12 |
| -rw-r--r-- | doc/user/project/issues/design_management.md | 4 |

4 files changed, 39 insertions, 19 deletions
diff --git a/doc/development/fe_guide/development_process.md b/doc/development/fe_guide/development_process.md index 3724bf60757..5b02098f020 100644 --- a/doc/development/fe_guide/development_process.md +++ b/doc/development/fe_guide/development_process.md @@ -73,7 +73,7 @@ With the purpose of being [respectful of others' time](https://about.gitlab.com/ - Before assigning to a maintainer, assign to a reviewer. - If you assigned a merge request, or pinged someone directly, keep in mind that we work in different timezones and asynchronously, so be patient. Unless the merge request is urgent (like fixing a broken master), please don't DM or reassign the merge request before waiting for a 24-hour window. - If you have a question regarding your merge request/issue, make it on the merge request/issue. When we DM each other, we no longer have a SSOT and [no one else is able to contribute](https://about.gitlab.com/handbook/values/#public-by-default). -- When you have a big WIP merge request with many changes, you're adivsed to get the review started before adding/removing significant code. Make sure it is assigned well before the release cut-off, as the reviewer(s)/maintainer(s) would always prioritize reviewing finished MRs before WIP ones. +- When you have a big WIP merge request with many changes, you're advised to get the review started before adding/removing significant code. Make sure it is assigned well before the release cut-off, as the reviewer(s)/maintainer(s) would always prioritize reviewing finished MRs before WIP ones. - Make sure to remove the WIP title before the last round of review. ### Share your work early diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index ee55d7e2a11..1bf03acc7ba 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md 
@@ -26,6 +26,23 @@ SAML SSO for GitLab.com groups does not sync users between providers without usi ![Issuer and callback for configuring SAML identity provider with GitLab.com](img/group_saml_configuration_information.png) +### NameID + +GitLab.com uses the SAML NameID to identify users. The NameID element: + +- Is a required field in the SAML response. +- Must be unique to each user. +- Must be a persistent value that will never change, such as a randomly generated unique user ID. +- Is case sensitive. The NameID must match exactly on subsequent login attempts, so should not rely on user input that could change between upper and lower case. +- Should not be an email address or username. We strongly recommend against these as it is hard to guarantee they will never change, for example when a person's name changes. Email addresses are also case-insensitive, which can result in users being unable to sign in. + +CAUTION: **Warning:** +Once users have signed into GitLab using the SSO SAML setup, changing the `NameID` will break the configuration and potentially lock users out of the GitLab group. + +#### NameID Format + +We recommend setting the NameID format to `Persistent` unless using a field (such as email) that requires a different format. + ### SSO enforcement SSO enforcement was: 
@@ -58,25 +75,16 @@ Since use of the group managed account requires the use of SSO, users of group m - The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO). - Contributions in the group (e.g. issues, merge requests) will remain intact. -### NameID - -GitLab.com uses the SAML NameID to identify users. The NameID element: - -- Is a required field in the SAML response. -- Must be unique to each user. -- Must be a persistent value that will never change, such as a randomly generated unique user ID. -- Is case sensitive. The NameID must match exactly on subsequent login attempts, so should not rely on user input that could change between upper and lower case. - -We strongly recommend against using Email as the NameID as it is hard to guarantee it will never change, for example when a person's name changes. Similarly usernames should be avoided if possible. +#### Assertions -### Assertions +When using Group Manged Accounts, the following user details need to be passed to GitLab as SAML Assertions in order for us to be able to create a user: -| Field | Supported keys | -|-------|----------------| +| Field | Supported keys | +|-----------------|----------------| | Email (required)| `email`, `mail` | -| Full Name | `name` | -| First Name | `first_name`, `firstname`, `firstName` | -| Last Name | `last_name`, `lastname`, `lastName` | +| Full Name | `name` | +| First Name | `first_name`, `firstname`, `firstName` | +| Last Name | `last_name`, `lastname`, `lastName` | ## Metadata configuration diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md index 7e2b9f7513b..392b27bb42f 100644 --- a/doc/user/group/saml_sso/scim_setup.md +++ b/doc/user/group/saml_sso/scim_setup.md 
@@ -66,8 +66,13 @@ You can then test the connection by clicking on **Test Connection**. If the conn 1. Click **Delete** next to the `mail` mapping. 1. Map `userPrincipalName` to `emails[type eq "work"].value` and change it's **Matching precedence** to `2`. 1. Map `mailNickname` to `userName`. -1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId`, **Target attribute** to `id`, **Match objects using this attribute** to `Yes`, and **Matching precedence** to `1`. -1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId`, and **Target attribute** to `externalId`. +1. Determine how GitLab will uniquely identify users. + + - Use `objectId` unless users already have SAML linked for your group. + - If you already have users with SAML linked then use the `Name ID` value from the [SAML configuration](#azure). Using a different value will likely cause duplicate users and prevent users from accessing the GitLab group. + +1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to the unique identifier determined above, **Target attribute** to `id`, **Match objects using this attribute** to `Yes`, and **Matching precedence** to `1`. +1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to the unique identifier determined above, and **Target attribute** to `externalId`. 1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`. Save your changes and you should have the following configuration: 
@@ -99,6 +104,9 @@ You can then test the connection by clicking on **Test Connection**. If the conn Once enabled, the synchronization details and any errors will appear on the bottom of the **Provisioning** screen, together with a link to the audit logs. +CAUTION: **Warning:** +Once synchronized, changing the field mapped to `id` and `externalId` will likely cause provisioning errors, duplicate users, and prevent existing users from accessing the GitLab group. + ## Troubleshooting ### Testing Azure connection: invalid credentials diff --git a/doc/user/project/issues/design_management.md b/doc/user/project/issues/design_management.md index 24044310451..c9f06c6339e 100644 --- a/doc/user/project/issues/design_management.md +++ b/doc/user/project/issues/design_management.md @@ -33,6 +33,10 @@ to be enabled: project level, navigate to your project's **Settings > General**, expand **Visibility, project features, permissions** and enable **Git Large File Storage**. +Design Management requires that projects are using +[hashed storage](../../../administration/repository_storage_types.html#hashed-storage) +(the default storage type since v10.0). + ## Limitations - Files uploaded must have a file extension of either `png`, `jpg`, `jpeg`, `gif`, `bmp`, `tiff` or `ico`. |
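Review bot: In the new NameID bullet list of doc/user/group/saml_sso/index.md (hunk `@@ -26,6 +26,23 @@`), the clause "so should not rely on user input that could change between upper and lower case" dangles after the preceding sentence; suggest "and so must not be derived from user input whose case can change". The same hunk sets `NameID` in code font in the CAUTION but not in the bullets or the two headings; pick one form. Since the opening sentence says GitLab.com identifies users by this value, the "Should not be an email address or username" bullet would be stronger if it stated the consequence directly: whatever the identity provider sends as NameID decides which GitLab account a login is bound to, so it must be a stable, opaque, IdP-issued identifier rather than a user-editable attribute.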
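Review bot: Typo in the added intro sentence of doc/user/group/saml_sso/index.md (hunk `@@ -58,25 +75,16 @@`): "Group Manged Accounts" should be "Group Managed Accounts", and the unchanged context line in the same hunk writes it lower-case ("group managed account"), so match that capitalisation. Demoting `### Assertions` to `#### Assertions` correctly nests the table under the group managed accounts section that the new sentence refers to; the remaining table edits are whitespace-only column alignment.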
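Review bot: The new "Determine how GitLab will uniquely identify users" step in doc/user/group/saml_sso/scim_setup.md (hunk `@@ -66,8 +66,13 @@`) tells admins with existing SAML-linked users to use the `Name ID` value, but not which Azure source attribute in the mapping list carries it, so the reader still has to work that out; suggest stating that it must be the same Azure attribute the SAML configuration sends as NameID. The two following mapping steps each say "the unique identifier determined above"; make explicit that the same attribute is used for both `id` and `externalId`, since a mismatch between them is exactly the duplicate-user case the step warns about. While here, the unchanged context line "change it's **Matching precedence**" should read "its".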
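Review bot: The CAUTION added in doc/user/group/saml_sso/scim_setup.md (hunk `@@ -99,6 +104,9 @@`) describes the same failure mode as the NameID CAUTION added to doc/user/group/saml_sso/index.md in this patch: changing the identifier after users exist produces duplicates and locks existing users out. Consider cross-linking the two warnings so an admin on the SCIM page learns that the `id`/`externalId` mapping and the SAML `NameID` are tied to the same identifier, and point back to the "Determine how GitLab will uniquely identify users" step, which already says "Using a different value will likely cause duplicate users".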
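Review bot: The added paragraph in doc/user/project/issues/design_management.md (hunk `@@ -33,6 +33,10 @@`) states that Design Management requires hashed storage but not what a user on a legacy-storage project will see (feature hidden, an upload error, or a silent failure) or where to go to migrate; add that so the reader has an action rather than only a constraint. Minor: "requires that projects are using" reads better as "requires that projects use".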