Add organization and job title to user synced attributes

What does this MR do and why?

This change allows OAuth providers to automatically set and manage a user's organization and job title information, similar to how we sync emails, names and location.

This was introduced for instance-level SAML, but it should technically work with other OmniAuth providers as well. It will not, however, work with Group SAML.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before / After: [screenshots]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

The easiest way to validate this is to set up the GDK with Okta:

  1. In Okta Developer, create a SAML 2.0 application for your GDK instance. Ensure you set up the organization and job_title attribute statements.

  2. Assign a user to the app you created in (1). Ensure they have the user.organization and user.title fields populated on their Okta profile.

  3. Configure GDK with an Okta Developer application. Restart GDK for the changes to take effect:

    # config/gitlab.yml
    development:
      <<: *base
      omniauth:
        # Only providers listed here are allowed to overwrite profile fields on sign-in
        sync_profile_from_provider: ['saml']
        # Only these attributes are taken from the provider (they become read-only in the profile)
        sync_profile_attributes: ['organization', 'job_title']
        providers:
        - {
          name: 'saml',
          args: {
            assertion_consumer_service_url: 'http://gdk.test:3000/users/auth/saml/callback',
            # SHA-1 fingerprint of the Okta app's signing certificate; assertions not signed by it are rejected
            idp_cert_fingerprint: '11:9b:9e:02:79:59:cd:b7:c6:62:cf:d0:75:d9:e2:ef:38:4e:44:5f',
            idp_sso_target_url: 'https://dev-xxxxxxxxx.okta.com/app/dev-12175727_gdktest3000_1/xxxxxxxxxxxxxxxx/sso/saml',
            issuer: 'http://gdk.test:3000',
            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            # Map the SAML attribute statements from step (1) onto the GitLab profile attributes listed above
            attribute_statements: { job_title: ['job_title'], organization: ['organization'] }
          }
        }

  4. On the GDK sign in page, sign in via Okta.

  5. Once you have authenticated via Okta and you are redirected back to GitLab, view your profile.

  6. On your profile page, you should see the job title and organization configured in step (2), and the values will be read-only.
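To make the gating the two omniauth settings above provide explicit, here is an added example (not GitLab's own code) that models the decision of which profile attributes a sign-in may overwrite and which then become read-only; the function name, the `SYNCABLE_ATTRIBUTES` list and the sample auth data are assumptions for illustration.

```ruby
# Added example, not GitLab's implementation: models how sync_profile_from_provider
# and sync_profile_attributes gate writes to a user's profile after an OmniAuth sign-in.

# Profile fields a provider may manage at all (assumed list; includes the two new ones).
SYNCABLE_ATTRIBUTES = %w[name email location organization job_title].freeze

# config:   the 'omniauth' section of gitlab.yml (string keys, as YAML loads them)
# provider: the OmniAuth provider name the user just authenticated with
# info:     the 'info' section of the OmniAuth auth hash (string keys)
# Returns [attributes_to_write, attributes_now_read_only].
def sync_profile_attributes(config, provider, info, group_saml: false)
  # Group SAML is explicitly out of scope for this sync.
  return [{}, []] if group_saml

  # A provider not listed (or `true` for all providers) must not touch the profile.
  from = config['sync_profile_from_provider']
  allowed = from == true || (from.is_a?(Array) && from.include?(provider))
  return [{}, []] unless allowed

  # Restrict to the configured attributes and drop anything outside the known set.
  attrs = config['sync_profile_attributes']
  attrs = SYNCABLE_ATTRIBUTES if attrs == true
  attrs = Array(attrs) & SYNCABLE_ATTRIBUTES

  updates = {}
  attrs.each do |attr|
    value = info[attr]
    # An attribute the IdP did not send must not blank out an existing value.
    next if value.nil? || value.to_s.strip.empty?

    updates[attr] = value.to_s.strip
  end
  # Only attributes actually written by the provider become read-only for the user.
  [updates, updates.keys]
end

# Constructed sample mirroring the gitlab.yml above and the Okta profile from step (2).
SAMPLE_CONFIG = {
  'sync_profile_from_provider' => ['saml'],
  'sync_profile_attributes' => ['organization', 'job_title']
}.freeze
SAMPLE_INFO = { 'name' => 'Jane Doe', 'organization' => 'Example Corp', 'job_title' => 'Engineer' }.freeze

updates, read_only = sync_profile_attributes(SAMPLE_CONFIG, 'saml', SAMPLE_INFO)
puts "write: #{updates.inspect}, read-only: #{read_only.inspect}"
```

The name is left untouched because it is not in `sync_profile_attributes`, and a sign-in through a provider other than `saml` writes nothing.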

Edited by Anton Smith
