Skip to content

Allow GitLab.com to use the assertion "nickname" and "username" when integrating with SAML

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Problem to solve

At this point is not possible to have customers that use SAML and want to connect to GitLab.com to make use of the assertion nickname or username in their configuration. This is implemented for self-managed instances but not yet for our SaaS product

Intended users

Developers

User experience goal

Users will be capable of entering nickname or username into their assertion attributes and it will be identified and used properly by GitLab.com

Proposal

Further details

A case in which this could be useful is this one from a client that uses a non-supported SAML provider which doesn't work properly with the assertion username we tried with the assertion nickname but found out later that the same cannot be used on our SaaS product.

Permissions and Security

Access:Manage

Documentation

The Docs will need to be updated once this issue is finished. Please refer to !61198 (merged)

Availability & Testing

Add a feature test for SaaS where a user is able to login by providing assertion nickname.

Available Tier

What does success look like, and how can we measure that?

Customers are able to use the assertion nickname or username with GitLab.com when integrating SAML

What is the type of buyer?

Is this a cross-stage feature?

Links / references

The following use case shows the inability to use these assertions by a customer who doesn't have a supported SAML tool.

This is the conversation we had with the Access team about the possibility to implement these configuration changes

On second thought it appears it might be dependent on configuration within the app, too. And I think we may have to define an attribute statement within GitLab in order for SAML to allow that in the auth hash

Yeah, I'm pretty sure we would have to specify the expected attribute statements, which we do not currently specify nickname.

It could work for self-managed but not gitlab.com. The docs you linked are most relevant for self-managed. We don't mention username or nickname on https://docs.gitlab.com/ee/user/group/saml_sso/

The reason it works for self-managed, is due to attribute_statements configuration documented at https://docs.gitlab.com/ee/integration/saml.html#attribute_statements. If the admin configures the nickname or username statement, and it's present in the response, it works

Yes, we should create a feature proposal. It wouldn't be too much work to either look up the username/nickname differently or specify a default attribute statement for GitLab.com

Edited by 🤖 GitLab Bot 🤖