Group SSO support for OAuth applications

Problem Description

When OAuth applications attempt to authorize users through GitLab (with GitLab acting as the OAuth authentication provider), the authorization flow completely ignores GitLab's group-level SAML SSO configuration.

Context:

  • OAuth Applications: Applications (both internal GitLab applications like GitLab Pages and external third-party applications) using GitLab as their OAuth provider for user authentication
  • Group SSO: GitLab's group-level SAML-based Single Sign-On feature where GitLab acts as a SAML client connecting to third-party Identity Providers (IdPs) such as Okta, Azure AD, Keycloak, etc.

The issue occurs because there's currently no mechanism in the initial OAuth authorization request to indicate which GitLab group's SSO configuration should be used for authentication.

Suggested Solution

GitLab Pages can determine which top-level namespace a user should access based on the URL context. We can leverage this same concept for OAuth flows.

Add a root_namespace_id query parameter to the initial OAuth authorization redirect:

https://gitlab.example.com/oauth/authorize?root_namespace_id=112&client_id=APP_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE&scope=REQUESTED_SCOPES

Proposed Flow

  1. OAuth application (internal like GitLab Pages or external third-party app) initiates authorization with the top_level_namespace_path parameter
  2. GitLab checks if SAML SSO is enabled for the specified top-level group
  3. If group SSO is enabled:
    • User is redirected to the appropriate third-party IdP (Okta, Azure AD, etc.) for SAML authentication
    • After successful SAML authentication at the IdP, user is redirected back to GitLab
    • GitLab then redirects user back to the original /oauth/authorize endpoint to complete the OAuth flow
  4. If group SSO is not enabled, proceed with standard GitLab authentication

This ensures that OAuth applications (both internal GitLab services and external applications) can respect and integrate with GitLab's group-level SAML SSO configurations.
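To make the proposed decision concrete, here is an added sketch (not GitLab code) of how an /oauth/authorize handler could act on `root_namespace_id`, using the parameter name from the example URL above. The group table, the `route_authorize` and `safe_return_target?` helpers, and the `/groups/<path>/-/saml/sso?redirect=` target are assumptions for illustration; the return-target check exists because a stored redirect back to the original authorize URL must not become an open redirect.

```ruby
require "uri"
require "cgi"

# Constructed sample of group-level SAML settings, keyed by top-level
# namespace id (in GitLab this would be the group's SAML provider config).
GROUP_SSO = {
  112 => { path: "acme", saml_enabled: true },
  205 => { path: "beta", saml_enabled: false },
}

# Hypothetical helper: decide what /oauth/authorize does with root_namespace_id.
# Returns [:redirect_to_group_sso, url] when the group enforces SAML and the
# user has no SAML session for it, [:standard_auth] when no group SSO applies
# (missing id, SSO disabled, or an existing session), or [:reject, reason].
def route_authorize(authorize_url, saml_sessions: {})
  uri = URI.parse(authorize_url)
  params = CGI.parse(uri.query.to_s)
  id = params["root_namespace_id"].first
  return [:standard_auth] if id.nil?
  return [:reject, "root_namespace_id must be an integer"] unless id.match?(/\A\d+\z/)

  group = GROUP_SSO[id.to_i]
  return [:reject, "unknown top-level group"] if group.nil?
  return [:standard_auth] unless group[:saml_enabled]
  return [:standard_auth] if saml_sessions[id.to_i]

  # Send the user to the group's SAML sign-in and carry the full original
  # authorize URL so the flow can resume at /oauth/authorize afterwards.
  sso = URI::HTTPS.build(host: uri.host,
                         path: "/groups/#{group[:path]}/-/saml/sso",
                         query: URI.encode_www_form(redirect: authorize_url))
  [:redirect_to_group_sso, sso.to_s]
end

# Check the SSO callback must apply to the stored return target before
# redirecting: only an https URL on this host with path /oauth/authorize.
def safe_return_target?(target, expected_host)
  uri = URI.parse(target)
  uri.is_a?(URI::HTTPS) && uri.host == expected_host && uri.path == "/oauth/authorize"
rescue URI::InvalidURIError
  false
end
```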

Edited by Naman Jagdish Gala