SAML Group Sync - Self-Managed SAML Implementation
Release notes
Problem to solve
In %13.7 we introduce SAML group sync for GitLab.com. This issue tracks implementing the same for self-managed instances.
Proposal
Keep the same group-level mapping (SAML group links configured on the group) and have the self-managed SAML implementation use it to manage group membership.
NOTE: If at all possible, this implementation should be compatible with multiple SAML providers, as is being proposed by a community contributor in the linked MR.
Estimate of work needed
See #267020 (closed) for merge requests that implemented Group SAML Group Sync
- Update `GroupPolicy` to enable the `:admin_saml_group_links` feature when self-managed SAML is enabled.
  - Ensure the navbar shows the `SAML Group Links` item.
  - Ensure the `Groups::SamlGroupLinksController` allows viewing, adding and removing group links once the above is complete.
- Create a new `SamlGroupSyncWorker`, similar to `GroupSamlGroupSyncWorker`, that will call `Groups::SyncService` with the appropriate details.
  - Ensure `Groups::SyncService` works for this use case. It was built with this use case in mind, so it should only require minor tweaking, if any.
- Trigger the worker on sign-in. This needs to happen for the following two cases:
  - New users: triggered from `Gitlab::Auth::Saml::User`, just like `Gitlab::Auth::GroupSaml::User` does via the `MembershipUpdater`.
  - Existing users that get linked on sign-in: triggered from `Gitlab::Auth::Saml::IdentityLinker`, just like `Gitlab::Auth::GroupSaml::IdentityLinker` does via the `MembershipUpdater`.
    - `GroupSaml::IdentityLinker` inherits from `Saml::IdentityLinker`, so there might be an opportunity for unifying details here. Note: there is no `MembershipUpdater` for global SAML.
- Documentation
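To make the sync step concrete, here is an added illustrative example (not GitLab's own code, and not the `Groups::SyncService` or `MembershipUpdater` referenced above): an in-memory model of what the sign-in-triggered worker has to do once it has the user's SAML groups and the group's configured SAML group links. The class, method names, the `groups` attribute path in the auth hash, and the sample memberships and links are all assumptions made for this example. It covers the two cases that matter for correctness of group sync: the highest access level wins when several links map the user into the same GitLab group, and a user whose SAML groups no longer match any link on a managed group is removed from that group (including when the IdP sends no groups at all), while groups that have no links are never touched.

```ruby
# Added illustrative example (not GitLab's own code): an in-memory model of the
# sign-in-triggered SAML group sync. All classes, method names and sample data
# here are assumptions made for this example.
require 'set'

# Access levels as numeric ranks, so "highest wins" is a simple max.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# One configured "SAML Group Link": a SAML group name maps to a GitLab group
# and an access level (the group-level mapping the proposal reuses).
GroupLink = Struct.new(:saml_group_name, :group, :access_level)

class SamlGroupSync
  attr_reader :memberships

  # memberships: Hash of group name => { user => access_level } (current state)
  # group_links: Array of GroupLink (the configured mapping)
  def initialize(memberships:, group_links:)
    @memberships = memberships
    @group_links = group_links
  end

  # Extract the SAML 'groups' attribute from an auth hash (path is an assumption).
  # Names are compared exactly. An IdP that sends no groups yields an empty set,
  # which must still run the sync: a user whose IdP group was revoked is exactly
  # the case group sync exists to handle.
  def self.saml_groups(auth_hash)
    raw = auth_hash.dig('extra', 'raw_info', 'groups') || []
    Set.new(Array(raw).map(&:to_s))
  end

  # Sync one user. For every GitLab group that has at least one link, the user
  # ends up a member with the HIGHEST access level among the links whose SAML
  # group the user is in, or is removed if none of that group's links match.
  # Groups without any link are never touched. Returns the actions taken.
  def sync(user, saml_groups)
    actions = []
    @group_links.group_by(&:group).each do |group, links|
      matching = links.select { |l| saml_groups.include?(l.saml_group_name) }
      current = @memberships.dig(group, user)

      if matching.empty?
        if current
          @memberships[group].delete(user)
          actions << [:remove, group, current]
        end
        next
      end

      desired = matching.map { |l| ACCESS_LEVELS.fetch(l.access_level) }.max
      next if current == desired

      (@memberships[group] ||= {})[user] = desired
      actions << [current ? :update : :add, group, desired]
    end
    actions
  end
end

# Constructed sample: two managed groups, one unmanaged group, and an auth hash
# shaped like what a SAML OmniAuth strategy would hand to the sign-in code.
def sample_sync
  links = [
    GroupLink.new('gitlab-devs', 'engineering', :developer),
    GroupLink.new('gitlab-leads', 'engineering', :maintainer),
    GroupLink.new('gitlab-finance', 'finance', :reporter)
  ]
  memberships = {
    'engineering' => { 'alice' => 10 }, # alice is currently Guest
    'finance'     => { 'alice' => 20 }, # alice is currently Reporter
    'unmanaged'   => { 'alice' => 50 }  # no links configured: left alone
  }
  auth_hash = { 'extra' => { 'raw_info' => { 'groups' => %w[gitlab-devs gitlab-leads] } } }

  sync = SamlGroupSync.new(memberships: memberships, group_links: links)
  actions = sync.sync('alice', SamlGroupSync.saml_groups(auth_hash))
  [actions, sync.memberships]
end

actions, state = sample_sync
actions.each { |a| puts a.inspect } # [:update, "engineering", 40] then [:remove, "finance", 20]
puts state.inspect
```

The removal branch is the part worth getting right in the real worker: if the worker only ever adds or upgrades members, a group link stops being an access-control mechanism and becomes a one-way door, since nobody is ever de-provisioned when the IdP group changes.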
Availability & Testing
Add E2E test: gitlab-org/quality/testcases#2444 (moved)
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.