Requiring SAML group membership on authentication
Description
As a SAML customer of a bigger organization, I'd like to filter who can log in to our SSO-enabled GitLab EE instance by group membership.
Proposal
Building on the already existing admin_groups implementation, the application could permit new users to log in only if they are in one of the specified groups. This should be a no-op if no groups are specified.
Links / references
N/A
Documentation blurb
Required groups
This setting works like the External Groups setting. As there, your IdP has to pass group information to GitLab in the SAML response, and you have to tell GitLab where in the response to look for the groups (groups_attribute) and which group memberships are required for logging in (required_groups). A user is allowed in when at least one of the groups asserted by the IdP matches an entry in required_groups. When required_groups is not set or is empty, anyone who authenticates successfully can use the service.
Example:

```ruby
{ name: 'saml',
  label: 'Our SAML Provider',
  groups_attribute: 'Groups',
  required_groups: ['Developers', 'Managers', 'Admins'],
  args: {
    assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
    idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
    idp_sso_target_url: 'https://login.example.com/idp',
    issuer: 'https://gitlab.example.com',
    name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
  } }
```
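The decision the blurb describes, written out as a small added illustration. This is not GitLab's code and not the proof-of-concept mentioned below; the `login_permitted?` and `saml_groups` helpers, and the plain Hash standing in for the parsed SAML attributes, are assumptions made for the example. It covers the edge cases a reviewer would ask about: `required_groups` missing or empty (no-op, login allowed), the group attribute absent from the response while groups are required (denied), a single-valued attribute instead of a list, and a provider entry that sets `required_groups` but no `groups_attribute` (denied, since there is nowhere to read the groups from).

```ruby
# Added example, not GitLab's implementation. Decides whether a SAML login
# may proceed, given the provider configuration (the same Hash shape as the
# documentation example above) and the attributes parsed from the SAML
# response, which are stubbed here as a plain Hash of attribute name => value.

# Hypothetical helper: read the group attribute as an Array of strings.
# The IdP may send a single value or a list; a missing attribute yields [].
def saml_groups(attributes, groups_attribute)
  raw = attributes[groups_attribute]
  return [] if raw.nil?

  Array(raw).map(&:to_s)
end

# Hypothetical helper: the actual check, evaluated on every sign-in.
def login_permitted?(provider_config, attributes)
  required = Array(provider_config[:required_groups])
  # No-op when required_groups is unset or empty: anyone who authenticates gets in.
  return true if required.empty?

  attr_name = provider_config[:groups_attribute]
  # Groups are required but the configuration never says where to find them:
  # fail closed rather than letting everyone in.
  return false if attr_name.nil?

  groups = saml_groups(attributes, attr_name)
  # At least one asserted group must match one of the required groups.
  (groups & required).any?
end

# Constructed sample configuration (mirrors the documentation example).
SAML_CONFIG = {
  name: 'saml',
  label: 'Our SAML Provider',
  groups_attribute: 'Groups',
  required_groups: ['Developers', 'Managers', 'Admins']
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Constructed sample SAML attribute sets, one per case.
  puts login_permitted?(SAML_CONFIG, { 'Groups' => ['Developers', 'Freelancers'] }) # true
  puts login_permitted?(SAML_CONFIG, { 'Groups' => 'Managers' })                    # true
  puts login_permitted?(SAML_CONFIG, { 'Groups' => ['Freelancers'] })               # false
  puts login_permitted?(SAML_CONFIG, {})                                             # false
  puts login_permitted?(SAML_CONFIG.merge(required_groups: []), {})                  # true
end
```

Group names are compared as exact strings, the same way the existing external_groups matching treats attribute values; if the IdP emits group identifiers in a different form (distinguished names, for instance), `required_groups` has to list them in that form.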
Overview
We run a GitLab EE instance in our organization for a certain group of people. However, our SSO provider is corporate-wide, with far more people registered there than our budget would ever allow us to buy licenses for.
We also require users to comply with our terms (and Work Instructions), which are managed by our internal E-Learning service. We can use SAML groups to identify who should be allowed to use the application.
There is a proof-of-concept implementation, which works the way we intended.
Use cases
- Control who can authenticate from a large SSO user base
- Control license usage
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
- [ ] Feature assurance
- [ ] Documentation
- [ ] Added to features.yml