diff options
Diffstat (limited to 'doc/user/group/saml_sso')
| -rw-r--r-- | doc/user/group/saml_sso/img/member_enterprise_badge_v14_0.png | bin | 0 -> 31502 bytes | |||
| -rw-r--r-- | doc/user/group/saml_sso/img/saml_group_links_v13_9.png | bin | 0 -> 162931 bytes | |||
| -rw-r--r-- | doc/user/group/saml_sso/index.md | 21 | ||||
| -rw-r--r-- | doc/user/group/saml_sso/scim_setup.md | 4 |
4 files changed, 19 insertions, 6 deletions
diff --git a/doc/user/group/saml_sso/img/member_enterprise_badge_v14_0.png b/doc/user/group/saml_sso/img/member_enterprise_badge_v14_0.png Binary files differnew file mode 100644 index 00000000000..f9534b14a51 --- /dev/null +++ b/doc/user/group/saml_sso/img/member_enterprise_badge_v14_0.png diff --git a/doc/user/group/saml_sso/img/saml_group_links_v13_9.png b/doc/user/group/saml_sso/img/saml_group_links_v13_9.png Binary files differnew file mode 100644 index 00000000000..9bd2473f90c --- /dev/null +++ b/doc/user/group/saml_sso/img/saml_group_links_v13_9.png diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index 1864547c57f..8a5cdb79186 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md @@ -152,6 +152,10 @@ We recommend: - **Unique User Identifier (Name identifier)** set to `user.objectID`. - **nameid-format** set to persistent. +If using [Group Sync](#group-sync), customize the name of the group claim to match the required attribute. + +See the [troubleshooting page](../../../administration/troubleshooting/group_saml_scim.md#azure-active-directory) for an example configuration. + ### Okta setup notes Please follow the Okta documentation on [setting up a SAML application in Okta](https://developer.okta.com/docs/guides/build-sso-integration/saml2/overview/) with the notes below for consideration. @@ -324,18 +328,23 @@ Ensure your SAML identity provider sends an attribute statement named `Groups` o </saml:AttributeStatement> ``` +NOTE: +To inspect the SAML response, you can use one of these [SAML debugging tools](#saml-debugging-tools). +Also note that the value for `Groups` or `groups` in the SAML reponse can be either the group name or +the group ID depending what the IdP sends to GitLab. + When SAML SSO is enabled for the top-level group, `Maintainer` and `Owner` level users -see a new menu item in group **Settings > SAML Group Links**. Each group (parent or subgroup) can specify -one or more group links to map a SAML identity provider group name to a GitLab access level. +see a new menu item in group **Settings > SAML Group Links**. You can configure one or more **SAML Group Links** to map +a SAML identity provider group name to a GitLab Access Level. This can be done for the parent group or the subgroups. -To link the SAML `Freelancers` group in the attribute statement example above: +To link the SAML groups from the `saml:AttributeStatement` example above: -1. Enter `Freelancers` in the `SAML Group Name` field. +1. Enter the value of `saml:AttributeValue` in the `SAML Group Name` field. 1. Choose the desired `Access Level`. 1. **Save** the group link. 1. Repeat to add additional group links if desired. - + If a user is a member of multiple SAML groups mapped to the same GitLab group, the user gets the highest access level from the groups. For example, if one group @@ -450,7 +459,7 @@ SAML configuration for GitLab.com is mostly the same as for self-managed instanc However, self-managed GitLab instances use a configuration file that supports more options as described in the external [OmniAuth SAML documentation](https://github.com/omniauth/omniauth-saml/). Internally that uses the [`ruby-saml` library](https://github.com/onelogin/ruby-saml), so we sometimes check there to verify low level details of less commonly used options. -It can also help to compare the XML response from your provider with our [example XML used for internal testing](https://gitlab.com/gitlab-org/gitlab/blob/master/ee/spec/fixtures/saml/response.xml). +It can also help to compare the XML response from your provider with our [example XML used for internal testing](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/spec/fixtures/saml/response.xml). ### Searching Rails log diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md index 65b3e2d095d..fd75c49fa6c 100644 --- a/doc/user/group/saml_sso/scim_setup.md +++ b/doc/user/group/saml_sso/scim_setup.md @@ -175,6 +175,10 @@ We recommend users do this prior to turning on sync, because while synchronizati New users and existing users on subsequent visits can access the group through the identify provider's dashboard or by visiting links directly. +[In GitLab 14.0 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/325712), GitLab users created with a SCIM identity display with an **Enterprise** badge in the **Members** view. + + + For role information, please see the [Group SAML page](index.md#user-access-and-management) ### Blocking access |
