SAML Group Sync - Self-Managed SAML Implementation

Release notes

Problem to solve

In %13.7 we introduced SAML group sync for GitLab.com. This issue tracks implementing it for self-managed instances.

Proposal

Keep the same group-level mapping (the SAML group links configured at the group level) and have the self-managed SAML implementation use it to manage group membership.

NOTE: If at all possible, this implementation should be compatible with multiple SAML providers, as is being proposed by a community contributor in the linked MR.

Estimate of work needed

See #267020 (closed) for merge requests that implemented Group SAML Group Sync

  • Update GroupPolicy to enable :admin_saml_group_links feature when self-managed SAML is enabled.
    • Ensure navbar shows SAML Group Links item.
    • Ensure the Groups::SamlGroupLinksController allows viewing, adding and removing group links with the above complete.
  • Create a new SamlGroupSyncWorker, similar to GroupSamlGroupSyncWorker, that will call Groups::SyncService with appropriate details.
    • Ensure Groups::SyncService works for this use-case. It was built with this use-case in mind, so it should require only minor tweaking, if any.
  • Trigger the worker on sign-in. This needs to happen for the following two cases:
    • New users - triggered from Gitlab::Auth::Saml::User, just like Gitlab::Auth::GroupSaml::User does via the MembershipUpdater.
    • Existing users that get linked on sign-in - triggered from Gitlab::Auth::Saml::IdentityLinker, just like Gitlab::Auth::GroupSaml::IdentityLinker does via the MembershipUpdater.
      • GroupSaml::IdentityLinker inherits from Saml::IdentityLinker so there might be an opportunity for unifying details here. Note: There is no MembershipUpdater for global SAML.
  • Documentation
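
To make the sync step concrete, here is an added example (hypothetical, not GitLab's code and not the linked MRs): plain Ruby, no Rails, computing the membership changes a worker would hand to the sync service from the SAML assertion's group names and the configured group links. The `SamlGroupLink` struct, the `groups` attribute name, the access-level numbers and the sample data are all assumptions of this example.

```ruby
# Hypothetical SAML group sync core (not GitLab's implementation).
# Assumed access-level numbering; only the ordering matters here.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A group link: one SAML group name mapped to a GitLab group and an access level.
SamlGroupLink = Struct.new(:saml_group_name, :group_id, :access_level, keyword_init: true)

# Desired access per GitLab group, derived from the assertion's group names.
# When several matching links grant the same group, the highest level wins.
def desired_access(saml_groups, links)
  desired = {}
  links.each do |link|
    next unless saml_groups.include?(link.saml_group_name)
    desired[link.group_id] = [desired[link.group_id] || 0, link.access_level].max
  end
  desired
end

# Diff current memberships (group_id => access_level) against the desired state.
# Assumption: only groups that have at least one SAML group link are managed;
# memberships in unlinked groups are left untouched.
def plan_sync(saml_groups, links, current_memberships)
  managed = links.map(&:group_id).uniq
  desired = desired_access(saml_groups, links)
  plan = { add: {}, update: {}, remove: [] }
  managed.each do |gid|
    have = current_memberships[gid]
    want = desired[gid]
    if want && have.nil?
      plan[:add][gid] = want
    elsif want && have != want
      plan[:update][gid] = want
    elsif want.nil? && have
      plan[:remove] << gid
    end
  end
  plan
end

# Constructed sample: what a sign-in-triggered worker would compute for one user.
SAMPLE_LINKS = [
  SamlGroupLink.new(saml_group_name: "Developers", group_id: 1, access_level: ACCESS_LEVELS[:developer]),
  SamlGroupLink.new(saml_group_name: "Admins", group_id: 1, access_level: ACCESS_LEVELS[:owner]),
  SamlGroupLink.new(saml_group_name: "Admins", group_id: 2, access_level: ACCESS_LEVELS[:maintainer])
].freeze

if __FILE__ == $PROGRAM_NAME
  # Assertion lists only "Developers"; user currently sits in groups 1, 2 and unlinked 3.
  p plan_sync(["Developers"], SAMPLE_LINKS, { 1 => 10, 2 => 40, 3 => 30 })
end
```

Running the file prints the plan for the constructed sample: group 1 is raised to developer, the now-unjustified maintainer membership in group 2 is removed, and group 3, which has no link, is left alone.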

Availability & Testing

Add E2E test: gitlab-org/quality/testcases#2444 (moved)
