Comprehensive GitLab SSO configuration guide
This comprehensive guide covers Single Sign-On (SSO) setup for both GitLab.com and GitLab Self-Managed instances using SAML authentication with multiple identity providers including Okta, Microsoft Entra ID (Azure AD), and Google Workspace.
Overview
GitLab supports SSO through SAML (Security Assertion Markup Language) protocol, enabling users to authenticate using their organization's identity provider. This article covers:
- GitLab.com Group SAML SSO - For GitLab SaaS groups (Premium/Ultimate tiers)
- GitLab Self-Managed SAML - For on-premises GitLab instances
- Identity Provider Setup - Detailed configuration for Okta, Microsoft Entra ID, and Google Workspace
Prerequisites
Before starting, ensure you have:
- GitLab Premium or Ultimate subscription (for GitLab.com groups)
- Administrative access to your identity provider (Okta, Microsoft Entra ID, or Google Workspace)
- Group Owner permissions in GitLab (for GitLab.com)
- Administrative access to GitLab instance (for self-managed)
- Basic understanding of SAML, OAuth 2.1, and identity management concepts
Part 1: GitLab.com group SAML SSO
GitLab.com Group SAML SSO allows users to sign in through their organization's identity provider for accessing specific groups and projects.
Key features
- Group-level SSO - Configure SSO for top-level groups only
- SCIM synchronization - Automatically sync users with groups
- SSO enforcement - Control access through identity provider
- Multiple identity providers - Support for various SAML 2.0 compliant providers
Basic setup process
- Configure your identity provider (detailed in Part 3)
- Set up GitLab Group SAML SSO
- Test and verify configuration
- Configure user access and permissions
GitLab.com SAML configuration
Step 1: access group SAML settings
- Navigate to your GitLab group
- Go to Settings > SAML SSO
- Note the GitLab-provided URLs and identifiers
Step 2: configure SAML settings
| GitLab Setting | Description | Usage |
|---|---|---|
| Identifier | Entity ID for your GitLab group | Used in IdP configuration |
| Assertion Consumer Service URL | Callback URL for SAML responses | Configure in your IdP |
| GitLab single sign-on URL | URL users visit to initiate SSO | Share with users |
| Identity provider single sign-on URL | SSO URL from your IdP | Obtain from IdP configuration |
| Certificate fingerprint | X.509 certificate fingerprint | Obtain from IdP |
Step 3: identity provider configuration
Configure the following in your identity provider:
Required Attributes:
- Name ID: Unique user identifier
- Email: User's email address
- First Name: User's given name
- Last Name: User's family name
Optional Attributes:
- Groups: For group synchronization
- Role: For role-based access control
SSO enforcement options
Transparent SSO enforcement
- Automatically enabled when SAML SSO is configured
- 24-hour session timeout - Users prompted to re-authenticate after 24 hours
- Applies to users with SAML identity - Only affects users who have signed in through SSO
SSO-only authentication enforcement
Enable "Enforce SSO-only authentication for web activity" to:
- Require all group members to use SSO
- Prevent manual user additions
- Block access without valid SSO session
Git and dependency proxy enforcement
Enable "Enforce SSO-only authentication for Git and Dependency Proxy activity" to:
- Require SSO for Git operations (push/pull)
- Require SSO for Dependency Proxy usage
- Apply to all Git activity over SSH and HTTPS