SAML Group Sync - Setup UI in Groups

Problem to solve

As part of SAML group sync, we need to have a place within groups to set up group mapping. The setup experience will be similar to LDAP group mapping.

Intended users

User experience goal

Users are able to map groups from their IdP to GitLab groups.

Proposal

Create a new table saml_group_links where group_name corresponds to the SAML IdP provided group names and group_id corresponds to the GitLab group this link belongs to.

CREATE TABLE saml_group_links (
  id integer NOT NULL,
  group_name character varying NOT NULL,
  access_level integer NOT NULL,
  group_id integer NOT NULL,
  created_at timestamp without time zone,
  updated_at timestamp without time zone
);
  • Each GitLab group can have multiple group links at a specific access level. If a user matches multiple group links for the same GitLab group we use the max access level.
  • Create a new 'SAML Group Links' submenu under 'Settings'. This new menu item and page will be accessible on all subgroups when SAML SSO is enabled. UI will be similar to LDAP Group Links and will consist of a form with the following fields and a list of all existing group links:
    • Group Name: Corresponds to group names that will be sent from SAML IdP
    • Access Level: 'Developer', 'Maintainer', etc.

The end goal of the attached epic is that the group name from the SamlGroupLink will be matched with the group name passed by the IdP as in the example below. Users will then be assigned the access_level specified in the SamlGroupLink.

The supported way to pass groups via SAML will be the same as is currently supported for self-managed admin and external groups: https://docs.gitlab.com/ee/integration/saml.html#requirements

    <saml2:AttributeStatement>
      <saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DBlessing Test Group</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>

In this initial implementation, we only support attribute statements with the name 'Groups'. This can be made configurable in the future.
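To make the matching rule concrete (only the 'Groups' attribute is honoured, names are compared exactly against saml_group_links rows, and a user matching several links for the same GitLab group gets the highest access level), here is an added worked example. It is illustrative code written for this issue, not GitLab's implementation; the link rows, the access-level integers, the `resolve_access_level` helper and the `saml2`-prefixed wrapper assertion are assumptions, and the attribute values are the constructed ones from the statement above.

```ruby
require "rexml/document"

# Constructed rows standing in for the proposed saml_group_links table.
# Access levels use the usual GitLab integers (10 Guest, 20 Reporter, 30 Developer).
SAML_GROUP_LINKS = [
  { group_name: "Everyone",             access_level: 10, group_id: 1 },
  { group_name: "DBlessing Test Group", access_level: 30, group_id: 1 },
  { group_name: "Everyone",             access_level: 20, group_id: 2 },
].freeze

# Only this attribute name is honoured in the initial implementation.
GROUPS_ATTRIBUTE_NAME = "Groups"
SAML2_NS = { "saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Constructed assertion fragment wrapping the AttributeStatement from the issue,
# plus a second attribute ("Roles") that must be ignored.
SAMPLE_ASSERTION = <<~XML
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Everyone</saml2:AttributeValue>
        <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">DBlessing Test Group</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
XML

# Return the distinct string values of the 'Groups' attribute; every other
# attribute (e.g. "Roles") is ignored, matching the initial scope of the issue.
def saml_group_names(xml)
  doc = REXML::Document.new(xml)
  names = []
  REXML::XPath.each(doc, "//saml2:AttributeStatement/saml2:Attribute", SAML2_NS) do |attr|
    next unless attr.attributes["Name"] == GROUPS_ATTRIBUTE_NAME

    REXML::XPath.each(attr, "saml2:AttributeValue", SAML2_NS) do |value|
      text = value.text.to_s.strip
      names << text unless text.empty?
    end
  end
  names.uniq
end

# Resolve the access level a user should receive in one GitLab group:
# exact (case-sensitive) match of IdP group names against group_name,
# highest access_level wins, nil when no link matches (no membership granted).
def resolve_access_level(idp_groups, group_id, links = SAML_GROUP_LINKS)
  links
    .select { |link| link[:group_id] == group_id && idp_groups.include?(link[:group_name]) }
    .map { |link| link[:access_level] }
    .max
end

if $PROGRAM_NAME == __FILE__
  groups = saml_group_names(SAMPLE_ASSERTION)
  puts "IdP groups: #{groups.inspect}"
  [1, 2, 3].each do |gid|
    puts "group #{gid} -> access_level #{resolve_access_level(groups, gid).inspect}"
  end
end
```

Two points worth keeping in mind when this lands in the real sync: the match is on the exact group_name string, so a trailing space or differing case in the IdP value silently yields no link (and therefore no access), and a `nil` result must be treated as "grant nothing", never as a default level.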

Further details

This is an Ultimate level feature.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Melissa Ushakov