diff --git a/doc/integration/saml.md b/doc/integration/saml.md index 8a2af311a5bb6b831a0ded1c937499a039a30af7..33c9e07d4b081bf0c19b842b1cc30873fb37d93f 100644 --- a/doc/integration/saml.md +++ b/doc/integration/saml.md @@ -1,5 +1,7 @@ # SAML OmniAuth Provider +> This topic is for SAML on self-managed GitLab instances. For SAML on GitLab.com, see [SAML SSO for GitLab.com Groups](../user/group/saml_sso/index.md). + NOTE: **Note:** You need to [enable OmniAuth](omniauth.md) in order to use this. diff --git a/doc/topics/authentication/index.md b/doc/topics/authentication/index.md index 9a1814279491f56d10b6c4a9a45bbd3998ad08ba..a2c7f4d4cefd06376330ee5cf4dcefb8ddf4a37e 100644 --- a/doc/topics/authentication/index.md +++ b/doc/topics/authentication/index.md @@ -30,6 +30,7 @@ This page gathers all the resources for the topic **Authentication** within GitL - [Atlassian Crowd OmniAuth Provider](../../administration/auth/crowd.md) - [CAS OmniAuth Provider](../../integration/cas.md) - [SAML OmniAuth Provider](../../integration/saml.md) + - [SAML for GitLab.com Groups](../../user/group/saml_sso/index.md) - [Okta SSO provider](../../administration/auth/okta.md) - [Kerberos integration (GitLab EE)](https://docs.gitlab.com/ee/integration/kerberos.html) diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index d1917894ee8659898d43be67e814cdad48b2c552..fce0f645cbb35bb12ed45fec49183fa7fb2a33cf 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md 
@@ -1,10 +1,10 @@ -# SAML SSO for Groups **[PREMIUM]** +# SAML SSO for GitLab.com Groups **[PREMIUM]** > Introduced in [GitLab Premium](https://about.gitlab.com/pricing/) 11.0. -This allows SAML to be used for adding users to a group on GitLab.com and other instances where using [site-wide SAML](../../../integration/saml.md) is not possible. +This topic is for SAML on GitLab.com. For SAML on self-managed GitLab instances, see [SAML OmniAuth Provider](../../../integration/saml.md). -When using a group SAML SSO link, users should already have an account on the GitLab instance with the email address that matches the user account from the provider. +Currently SAML on GitLab.com can be used to automatically add users to a group, and does not yet sign users into GitLab.com. Users should already have an account on the GitLab instance, or can create one when logging in for the first time. NOTE: **Note:** SAML SSO for groups is used only as a convenient way to add users and does not sync users between providers. Group owners will still need to manage user accounts, such as removing users when necessary. 
@@ -12,15 +12,18 @@ NOTE: **Note:** SAML SSO for groups is used only as a convenient way to add user 1. Navigate to the group and click Settings -> SAML SSO. 1. Configure your SAML server using the **Assertion consumer service URL** and **Issuer**. See [your identity provider's documentation](#providers) for more details. +1. Configure the SAML response to include a NameID that uniquely identifies each user. 1. Configure required assertions using the table below. 1. Find the SSO URL from your Identity Provider and enter it on GitLab. 1. Find and enter the fingerprint for the SAML token signing certificate. ## NameID -GitLab.com uses the SAML NameID to identify users, so it must be present in the SAML response and unique to the user. +GitLab.com uses the SAML NameID to identify users. The NameID element: -The value should be something that will never change for that user, such as a unique ID or username. Email could also be used as the NameID, but only if it can be guaranteed to never change. +- Is a required field in the SAML response. +- Must be unique to each user. +- Must be a persistent value that will never change, such as a unique ID or username. Email could also be used as the NameID, but only if it can be guaranteed to never change. ## Assertions
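Review bot: In doc/integration/saml.md, the added cross-reference is written as a blockquote ("> This topic is for SAML on self-managed GitLab instances...") directly above an admonition that uses the "NOTE: **Note:**" form. The counterpart sentence added to doc/user/group/saml_sso/index.md is plain paragraph text. Pick one presentation for both pages, preferably the plain paragraph, so the two scope statements read as a matched pair.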
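Review bot: In doc/topics/authentication/index.md, the new link text "SAML for GitLab.com Groups" does not match the target page's new title "SAML SSO for GitLab.com Groups", which is also the text used for the same link in doc/integration/saml.md. Use the full title here as well so a reader searching for either string lands on the same entry.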
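Review bot: In the first hunk of doc/user/group/saml_sso/index.md, the rewritten introduction drops the requirement that the existing account's email address "matches the user account from the provider" without saying what now ties a SAML identity to a GitLab.com account. Since this is the step where an external identity is bound to an account, state explicitly how the link is made (for example by pointing to the NameID section). The same paragraph says SAML "does not yet sign users into GitLab.com" and then that users can create an account "when logging in for the first time"; reword one of the two so it is clear which login is meant. "On the GitLab instance" should also become "on GitLab.com" now that the page is scoped to GitLab.com.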
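Review bot: In the second hunk of doc/user/group/saml_sso/index.md, the new setup step "Configure the SAML response to include a NameID that uniquely identifies each user" mentions uniqueness but not persistence, while the NameID section below lists both as requirements. Add "and never changes" to the step, or link it to the section with [NameID](#nameid), so an administrator following only the numbered list does not choose a mutable value. In the NameID list, the third bullet combines the persistence rule with the email caveat. Consider moving the email sentence to its own line after the list and noting what an administrator should expect if a user's NameID does change, since the page states the value is what identifies the user.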