Group links for OIDC

Add support for groups links to OIDC similar to LDAP group links and SAML group links.

Original issue

Bind the creation of a gitlab group to the OIDC group based on the provider response, allowing dynamic group creation instead of cherry picking each user when a new user comes in.

added to epic &9406

added groupauthentication and authorization [DEPRECATED] typefeature labels

added devopsmanage sectiondev labels

mentioned in issue #385430 (closed)

@adil.farrukh I don't think we should have this feature. Like LDAP and SAML, I think we should use the Group Link approach to map one or more OIDC groups to one or more GitLab groups.

Edit: This comment was in response to the original issue description, which was an automatic creation of GitLab groups based on OIDC groups.

I have updated the issue to reflect the result of our discussion on the spike issue

changed title from Auto create GitLab groups based on OIDC group response to Group links for OIDC

changed the description

changed milestone to %16.4

marked this issue as related to #209898 (closed)

marked this issue as related to #389321 (closed)

This is exactly what I'm looking for. Two of my customers (both with premium license) would benefit from this feature. Currently we have an external job that syncs group membership, but it has a significant lag.

mentioned in issue #387537 (closed)

The following customer is interested in this capability

• Subscription: GitLab Premium
• Product: self-managed
• Number of Licenses: 85
• Link to request: https://gitlab.zendesk.com/agent/tickets/430049
• Priority: customer priority7
• Why interested: Automate adding members to multiple groups in GitLab when the member is added to Groups in AD.
• Problem they are trying to solve: Reduced workload of manually adding users to groups when using OIDC.
• Current solution for this problem: None (possibly move to LDAP SSO)
• Impact to the customer of not having this: When the person leaves the organization then we have disable the from AD as well as remove from Gitlab groups.
• Questions: Make it available as soon as possible.
• PM to mention: @hsutor

added customer label

created branch 389329-group-links-for-oidc to address this issue

Moving to %Backlog since we don't have feature capacity to tackle this right now

changed milestone to %Backlog

added devopsgovern sectionsec labels and removed devopsmanage sectiondev labels

Another customer is interested in this feature.

• Subscription: GitLab Premium
• Product: self-managed
• Link to request: ZD (Internal)
• Priority: customer priority8
• Why interested:

We are migrating away from our LDAP towards Azure AD

• Problem they are trying to solve:

Currently users can log in from either the LDAP or AAD, but since the groups are only synced from LDAP, users have to log in at least once with their LDAP credentials for the identity to exist in their accounts. This creates a lot of helpdesk tickets as users log in through OIDC/AAD which is simpler, then have access to nothing.

• Current solution for this problem:

Workaround is to either ask users to log in once through LDAP, or manually add their LDAP identity onto their Gitlab account, both of which take Helpdesk time.

• Impact to the customer of not having this:

Wasted time, and we cannot retire the old LDAP.

• PM to mention: @hsutor

@kballon This sounds painful for the customer! Since they're using AAD, could they use SAML group links? Or is there a reason for using OIDC?

added groupauthentication label and removed groupauthentication and authorization [DEPRECATED] label

added authn/provision label

The following customer is interested in this capability

• Subscription: "GitLab Premium"
• Product: self-managed
• Link to request: https://gitlab.zendesk.com/agent/tickets/575753
• Priority: customer priority7
• Why interested:
  • we can replace LDAP-Sync
• Problem they are trying to solve:
  • replace LDAP-Sync
• Current solution for this problem:
  • SAML group links
• Impact to the customer of not having this:
  • need to use either LDAP-Sync or use SAML links
• Questions:
  • where is this planned on the roadmap?
  • can we hope for this in the next 3-6 months?
• PM to mention: @hsutor

@pmurray7 This feature is going to be moved to a different team soon, hence the authn/provision label.

Questions:

• where is this planned on the roadmap?
• can we hope for this in the next 3-6 months?

From a groupauthentication perspective, it's not on the roadmap. We use the authn FY25 roadmap to indicate if something is.

In case it is any different under new ownership, I'll cc @courtmeddaugh here too

Updated labels based on a recent slack (internal) request

assigned to @pmurray7

unassigned @pmurray7

This customer expressed a need in having this feature.

• Subscription: "GitLab Premium"
• Product: self-managed
• Priority: High
• Why interested:
• we can replace LDAP-Sync
• Problem they are trying to solve:
• replace LDAP-Sync
• Current solution for this problem:
• SAML group links, which are not yet allowed by Gitlab to Okta for non public instances: #500767 #391928
• Impact to the customer of not having this:
• need to use either LDAP-Sync and SAML links are more complex to do anyway
• Questions:
• where is this planned on the roadmap?
• can we hope for this in the next 3-6 months?

Hi, I have an additional customer that is interested in this.

• https://gitlab.zendesk.com/agent/tickets/586474 (Internal only)
• Product: self-managed
• Subscription: "GitLab Premium"

added Category:System Access label

The following customer is interested in this capability

• Subscription: GitLab Premium
• Product: self-managed
• Link to request: https://gitlab.zendesk.com/agent/tickets/589100

Note for consideration as we work toward implementation.

I have wondered for a while if we would be best-served to transition from the specific "SAML Group Links" to a more generic "Group Links" concept, at least for everything but LDAP. LDAP has more unique abilities/needs such as the ability to specify an LDAP filter to indicate which users to sync. However, SAML, SCIM, and OIDC just have generic group names.

Besides reducing duplication, the other reason to consider this is some of these technologies work together for Authn/Authz. For example, users may authenticate via SAML or OIDC but their status is synced via SCIM. Additionally, the underlying identity provider is often the same (Okta supports both SCIM and SAML via a single backend directory). To unify group links ensures that multiple technologies work together, not against each other, and lowers administrative burden.

The following customer is interested in this capability

• Subscription: "Premium"

• Product: ~"Saas"

• Ticket : https://gitlab.zendesk.com/agent/tickets/589749

• Why interested: Immediate use case requires creating Azure AD groups directly within a designated Azure Administrative Unit (AU).By scoping GitLab credential access to the AU instead of granting Azure tenant-level access, we aim to significantly reduce security risks.

• AE to mention: @robertcoston

A GitLab Premium customer with 2000 seats would like this issue to be prioritized. Why interested: "ITSecurity department requires GitLab group membership to be bound to OIDC groups". Cc @jwyc .

added groupprovision label and removed groupauthentication label

removed devopssoftware supply chain security label

removed sectionsec label

added devopsfulfillment label

added sectionfulfillment label

removed Category:System Access label