type | stage | group | info |
---|---|---|---|
index | Manage | Authentication and Authorization | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments |
GitLab integrates with a number of OmniAuth providers, and the following external authentication and authorization providers:
- LDAP: Includes Active Directory, Apple Open Directory, Open LDAP, and 389 Server.
- SAML for GitLab.com groups (PREMIUM SAAS)
- Smartcard (PREMIUM SELF)
NOTE: UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.
The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.
Capability | SaaS | Self-managed |
---|---|---|
User Provisioning | SCIM, SAML [1] | LDAP [1], SAML [1], OmniAuth Providers [1], SCIM |
User Detail Updating (not group management) | Not Available | LDAP Sync |
Authentication | SAML at top-level group (1 provider) | LDAP (multiple providers), Generic OAuth 2.0, SAML (only 1 permitted per unique provider), Kerberos, JWT, Smartcard, OmniAuth Providers (only 1 permitted per unique provider) |
Provider-to-GitLab Role Sync | SAML Group Sync | LDAP Group Sync, SAML Group Sync (GitLab 15.1 and later) |
User Removal | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance), SCIM |

[1] Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.
See Test OIDC/OAuth in GitLab to learn how to test OIDC/OAuth authentication in your GitLab instance using your client application.