@@ -73,7 +73,7 @@ With the purpose of being [respectful of others' time](https://about.gitlab.com/
...
@@ -73,7 +73,7 @@ With the purpose of being [respectful of others' time](https://about.gitlab.com/
- Before assigning to a maintainer, assign to a reviewer.
- Before assigning to a maintainer, assign to a reviewer.
- If you assigned a merge request, or pinged someone directly, keep in mind that we work in different timezones and asynchronously, so be patient. Unless the merge request is urgent (like fixing a broken master), please don't DM or reassign the merge request before waiting for a 24-hour window.
- If you assigned a merge request, or pinged someone directly, keep in mind that we work in different timezones and asynchronously, so be patient. Unless the merge request is urgent (like fixing a broken master), please don't DM or reassign the merge request before waiting for a 24-hour window.
- If you have a question regarding your merge request/issue, make it on the merge request/issue. When we DM each other, we no longer have a SSOT and [no one else is able to contribute](https://about.gitlab.com/handbook/values/#public-by-default).
- If you have a question regarding your merge request/issue, make it on the merge request/issue. When we DM each other, we no longer have a SSOT and [no one else is able to contribute](https://about.gitlab.com/handbook/values/#public-by-default).
- When you have a big WIP merge request with many changes, you're adivsed to get the review started before adding/removing significant code. Make sure it is assigned well before the release cut-off, as the reviewer(s)/maintainer(s) would always prioritize reviewing finished MRs before WIP ones.
- When you have a big WIP merge request with many changes, you're advised to get the review started before adding/removing significant code. Make sure it is assigned well before the release cut-off, as the reviewer(s)/maintainer(s) would always prioritize reviewing finished MRs before WIP ones.
- Make sure to remove the WIP title before the last round of review.
- Make sure to remove the WIP title before the last round of review.
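Review bot: the typo fix (`adivsed` to `advised`) is correct, but the unchanged bullet above it still uses the bare acronym "SSOT" without expansion; since this is onboarding guidance for contributors, consider spelling it out on first use, e.g. "we no longer have a single source of truth (SSOT)".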
@@ -26,6 +26,23 @@ SAML SSO for GitLab.com groups does not sync users between providers without usi
...
@@ -26,6 +26,23 @@ SAML SSO for GitLab.com groups does not sync users between providers without usi
![Issuer and callback for configuring SAML identity provider with GitLab.com](img/group_saml_configuration_information.png)
![Issuer and callback for configuring SAML identity provider with GitLab.com](img/group_saml_configuration_information.png)
### NameID
GitLab.com uses the SAML NameID to identify users. The NameID element:
- Is a required field in the SAML response.
- Must be unique to each user.
- Must be a persistent value that will never change, such as a randomly generated unique user ID.
- Is case sensitive. The NameID must match exactly on subsequent login attempts, so should not rely on user input that could change between upper and lower case.
- Should not be an email address or username. We strongly recommend against these as it is hard to guarantee they will never change, for example when a person's name changes. Email addresses are also case-insensitive, which can result in users being unable to sign in.
CAUTION: **Warning:**
Once users have signed into GitLab using the SSO SAML setup, changing the `NameID` will break the configuration and potentially lock users out of the GitLab group.
#### NameID Format
We recommend setting the NameID format to `Persistent` unless using a field (such as email) that requires a different format.
### SSO enforcement
### SSO enforcement
SSO enforcement was:
SSO enforcement was:
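Review bot: the new "NameID Format" subsection slightly undercuts the bullet just above it. The list says the NameID "Should not be an email address or username", yet the format guidance reads "unless using a field (such as email) that requires a different format", which presents email as an expected option. Suggest tightening to something like "We recommend setting the NameID format to `Persistent`. Other formats are only needed if you ignore the advice above and use a field such as email as the NameID." Minor grammar in the case-sensitivity bullet: "so should not rely on user input" is missing its subject; "so it should not rely on user input" reads better.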
...
@@ -58,21 +75,12 @@ Since use of the group managed account requires the use of SSO, users of group m
...
@@ -58,21 +75,12 @@ Since use of the group managed account requires the use of SSO, users of group m
- The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO).
- The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO).
- Contributions in the group (e.g. issues, merge requests) will remain intact.
- Contributions in the group (e.g. issues, merge requests) will remain intact.
### NameID
#### Assertions
GitLab.com uses the SAML NameID to identify users. The NameID element:
- Is a required field in the SAML response.
- Must be unique to each user.
- Must be a persistent value that will never change, such as a randomly generated unique user ID.
- Is case sensitive. The NameID must match exactly on subsequent login attempts, so should not rely on user input that could change between upper and lower case.
We strongly recommend against using Email as the NameID as it is hard to guarantee it will never change, for example when a person's name changes. Similarly usernames should be avoided if possible.
### Assertions
When using Group Manged Accounts, the following user details need to be passed to GitLab as SAML Assertions in order for us to be able to create a user:
| Field | Supported keys |
| Field | Supported keys |
|-------|----------------|
|-----------------|----------------|
| Email (required)| `email`, `mail` |
| Email (required)| `email`, `mail` |
| Full Name | `name` |
| Full Name | `name` |
| First Name | `first_name`, `firstname`, `firstName` |
| First Name | `first_name`, `firstname`, `firstName` |
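Review bot: the heading level changes from `### Assertions` to `#### Assertions`, but no `###` parent heading is visible in this hunk's context now that `### NameID` has been removed; please confirm the new level nests under the intended section rather than under the preceding `###` about group managed accounts. While touching this list, the unchanged context line "When using Group Manged Accounts" still contains the typo "Manged" (should be "Managed").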
@@ -66,8 +66,13 @@ You can then test the connection by clicking on **Test Connection**. If the conn
...
@@ -66,8 +66,13 @@ You can then test the connection by clicking on **Test Connection**. If the conn
1. Click **Delete** next to the `mail` mapping.
1. Click **Delete** next to the `mail` mapping.
1. Map `userPrincipalName` to `emails[type eq "work"].value` and change it's **Matching precedence** to `2`.
1. Map `userPrincipalName` to `emails[type eq "work"].value` and change it's **Matching precedence** to `2`.
1. Map `mailNickname` to `userName`.
1. Map `mailNickname` to `userName`.
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId`, **Target attribute** to `id`, **Match objects using this attribute** to `Yes`, and **Matching precedence** to `1`.
1. Determine how GitLab will uniquely identify users.
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId`, and **Target attribute** to `externalId`.
- Use `objectId` unless users already have SAML linked for your group.
- If you already have users with SAML linked then use the `Name ID` value from the [SAML configuration](#azure). Using a different value will likely cause duplicate users and prevent users from accessing the GitLab group.
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to the unique identifier determined above, **Target attribute** to `id`, **Match objects using this attribute** to `Yes`, and **Matching precedence** to `1`.
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to the unique identifier determined above, and **Target attribute** to `externalId`.
1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`.
1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`.
Save your changes and you should have the following configuration:
Save your changes and you should have the following configuration:
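Review bot: the new "Determine how GitLab will uniquely identify users" step is the right fix for the duplicate-user problem, but the instruction to use the `Name ID` value from the `#azure` SAML section only helps if the two documents stay in sync; please verify that anchor exists and consider naming the attribute the SAML section actually recommends so readers are not left guessing. The unchanged context line "change it's **Matching precedence**" still has "it's" where "its" is meant.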
...
@@ -99,6 +104,9 @@ You can then test the connection by clicking on **Test Connection**. If the conn
...
@@ -99,6 +104,9 @@ You can then test the connection by clicking on **Test Connection**. If the conn
Once enabled, the synchronization details and any errors will appear on the
Once enabled, the synchronization details and any errors will appear on the
bottom of the **Provisioning** screen, together with a link to the audit logs.
bottom of the **Provisioning** screen, together with a link to the audit logs.
CAUTION: **Warning:**
Once synchronized, changing the field mapped to `id` and `externalId` will likely cause provisioning errors, duplicate users, and prevent existing users from accessing the GitLab group.
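Review bot: the new CAUTION states the consequence of changing the `id` / `externalId` mapping but does not point readers back to where that identifier was chosen; consider cross-referencing the "Determine how GitLab will uniquely identify users" step so an administrator reading only this part of the page knows which field must stay fixed.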
msgid "GrafanaIntegration|Embed Grafana charts in GitLab issues."
msgid "GrafanaIntegration|Embed Grafana charts in GitLab issues."
msgstr ""
msgstr ""
...
@@ -13483,12 +13483,24 @@ msgstr ""
...
@@ -13483,12 +13483,24 @@ msgstr ""
msgid "Promotions|Epics let you manage your portfolio of projects more efficiently and with less effort by tracking groups of issues that share a theme, across projects and milestones."
msgid "Promotions|Epics let you manage your portfolio of projects more efficiently and with less effort by tracking groups of issues that share a theme, across projects and milestones."
msgstr ""
msgstr ""
msgid "Promotions|Learn more"
msgstr ""
msgid "Promotions|See the other features in the %{subscription_link_start}bronze plan%{subscriptions_link_end}"
msgstr ""
msgid "Promotions|This feature is locked."
msgid "Promotions|This feature is locked."
msgstr ""
msgstr ""
msgid "Promotions|Upgrade plan"
msgid "Promotions|Upgrade plan"
msgstr ""
msgstr ""
msgid "Promotions|Weighting your issue"
msgstr ""
msgid "Promotions|When you have a lot of issues, it can be hard to get an overview. By adding a weight to your issues, you can get a better idea of the effort, cost, required time, or value of each, and so better manage them."
msgstr ""
msgid "Prompt users to upload SSH keys"
msgid "Prompt users to upload SSH keys"
msgstr ""
msgstr ""
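Review bot: the placeholder names in the added msgid "See the other features in the %{subscription_link_start}bronze plan%{subscriptions_link_end}" do not match each other (`subscription_link_start` versus `subscriptions_link_end`). If the view passes `subscription_link_end`, the closing marker will be left unsubstituted in the rendered string; align both to the same prefix in the source view and regenerate the pot file rather than editing it by hand.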
...
@@ -18227,9 +18239,6 @@ msgstr ""
...
@@ -18227,9 +18239,6 @@ msgstr ""
msgid "Upgrade your plan to activate Group Webhooks."
msgid "Upgrade your plan to activate Group Webhooks."
msgstr ""
msgstr ""
msgid "Upgrade your plan to activate Issue weight."
msgstr ""
msgid "Upgrade your plan to improve Issue boards."
msgid "Upgrade your plan to improve Issue boards."
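Review bot: the removal of "Upgrade your plan to activate Issue weight." should correspond to the string no longer appearing in any view or helper; since `gitlab.pot` is generated, please confirm this hunk comes from regenerating the file and that the replacement promotion strings added earlier in the patch cover the same call site.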