Commit c508488a authored by Peter Hegman, committed by Illya Klymov

Update SAML Group Sync documentation and add link from UI

parent c8a5ead0
...@@ -356,10 +356,88 @@ the user gets the highest access level from the groups. For example, if one grou ...@@ -356,10 +356,88 @@ the user gets the highest access level from the groups. For example, if one grou
is linked as `Guest` and another `Maintainer`, a user in both groups gets `Maintainer` is linked as `Guest` and another `Maintainer`, a user in both groups gets `Maintainer`
access. access.
Users who are not members of any mapped SAML groups are removed from the GitLab group. ### Automatic member removal
You can prevent accidental member removal. For example, if you have a SAML group link for `Owner` level access After a group sync, users who are not members of a mapped SAML group are removed from
in a top-level group, you should also set up a group link for all other members. the GitLab group.
For example, in the following diagram:
- Alex Garcia signs into GitLab and is removed from GitLab Group C because they don't belong
to SAML Group C.
- Sidney Jones belongs to SAML Group C, but is not added to GitLab Group C because they have
not yet signed in.
```mermaid
graph TB
subgraph SAML users
SAMLUserA[Sidney Jones]
SAMLUserB[Zhang Wei]
SAMLUserC[Alex Garcia]
SAMLUserD[Charlie Smith]
end
subgraph SAML groups
SAMLGroupA["Group A"] --> SAMLGroupB["Group B"]
SAMLGroupA --> SAMLGroupC["Group C"]
SAMLGroupA --> SAMLGroupD["Group D"]
end
SAMLGroupB --> |Member|SAMLUserA
SAMLGroupB --> |Member|SAMLUserB
SAMLGroupC --> |Member|SAMLUserA
SAMLGroupC --> |Member|SAMLUserB
SAMLGroupD --> |Member|SAMLUserD
SAMLGroupD --> |Member|SAMLUserC
```
```mermaid
graph TB
subgraph GitLab users
GitLabUserA[Sidney Jones]
GitLabUserB[Zhang Wei]
GitLabUserC[Alex Garcia]
GitLabUserD[Charlie Smith]
end
subgraph GitLab groups
GitLabGroupA["Group A (SAML configured)"] --> GitLabGroupB["Group B (SAML Group Link not configured)"]
GitLabGroupA --> GitLabGroupC["Group C (SAML Group Link configured)"]
GitLabGroupA --> GitLabGroupD["Group D (SAML Group Link configured)"]
end
GitLabGroupB --> |Member|GitLabUserA
GitLabGroupC --> |Member|GitLabUserB
GitLabGroupC --> |Member|GitLabUserC
GitLabGroupD --> |Member|GitLabUserC
GitLabGroupD --> |Member|GitLabUserD
```
```mermaid
graph TB
subgraph GitLab users
GitLabUserA[Sidney Jones]
GitLabUserB[Zhang Wei]
GitLabUserC[Alex Garcia]
GitLabUserD[Charlie Smith]
end
subgraph GitLab groups after Alex Garcia signs in
GitLabGroupA[Group A]
GitLabGroupA["Group A (SAML configured)"] --> GitLabGroupB["Group B (SAML Group Link not configured)"]
GitLabGroupA --> GitLabGroupC["Group C (SAML Group Link configured)"]
GitLabGroupA --> GitLabGroupD["Group D (SAML Group Link configured)"]
end
GitLabGroupB --> |Member|GitLabUserA
GitLabGroupC --> |Member|GitLabUserB
GitLabGroupD --> |Member|GitLabUserC
GitLabGroupD --> |Member|GitLabUserD
```
## Passwords for users created via SAML SSO for Groups ## Passwords for users created via SAML SSO for Groups
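Review bot: The new `### Automatic member removal` section drops the prevention guidance that the replaced paragraph carried ("if you have a SAML group link for `Owner` level access in a top-level group, you should also set up a group link for all other members"), so the page now describes the removal but not how to avoid an accidental one. Since the UI warning links to this anchor, keep that sentence in the new section. In the third diagram, `GitLabGroupA[Group A]` is declared and then redeclared on the next line with the `(SAML configured)` label; drop the first declaration. A one-line label before each diagram (SAML side, GitLab before sign-in, GitLab after sign-in) would also make the before/after comparison easier to follow.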
......
- page_title s_('GroupSAML|SAML Group Links') - page_title s_('GroupSAML|SAML Group Links')
%h3.page-title= s_('GroupSAML|SAML Group Links') %h3.page-title= s_('GroupSAML|SAML Group Links')
%p.gl-mb-0= s_('GroupSAML|Use SAML group links to manage group membership using SAML.')
%p
= html_escape(s_('%{strongOpen}Warning:%{strongClose} SAML group links can cause GitLab to automatically remove members from groups.')) % { strongOpen: '<strong>'.html_safe, strongClose: '</strong>'.html_safe }
= link_to _('Learn more.'), help_page_path('user/group/saml_sso/index', anchor: 'automatic-member-removal')
= render 'form', group: @group = render 'form', group: @group
= render 'saml_group_links', group: @group = render 'saml_group_links', group: @group
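Review bot: The warning string on the `html_escape(s_(...))` line is passed to `s_()` without a namespace, while every other string in this view uses the `GroupSAML|` prefix; either add the prefix (`s_('GroupSAML|%{strongOpen}Warning:...')`) or use `_()` so the call matches the msgid it produces. The `anchor: 'automatic-member-removal'` argument is also tied to the exact heading text added in the documentation, so a later rename of that heading breaks this link silently; a short comment next to the `link_to` noting the dependency would help.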
...@@ -897,6 +897,9 @@ msgstr "" ...@@ -897,6 +897,9 @@ msgstr ""
msgid "%{state} epics" msgid "%{state} epics"
msgstr "" msgstr ""
msgid "%{strongOpen}Warning:%{strongClose} SAML group links can cause GitLab to automatically remove members from groups."
msgstr ""
msgid "%{strongStart}Tip:%{strongEnd} You can also checkout merge requests locally by %{linkStart}following these guidelines%{linkEnd}" msgid "%{strongStart}Tip:%{strongEnd} You can also checkout merge requests locally by %{linkStart}following these guidelines%{linkEnd}"
msgstr "" msgstr ""
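Review bot: The new msgid names its placeholders `%{strongOpen}` and `%{strongClose}`, while the entry directly after it uses `%{strongStart}` and `%{strongEnd}` for the same markup. Using one naming scheme for the bold wrapper keeps translators from mistyping a placeholder when they copy between similar entries; consider aligning the new string with the existing `strongStart`/`strongEnd` pair.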
...@@ -16108,6 +16111,9 @@ msgstr "" ...@@ -16108,6 +16111,9 @@ msgstr ""
msgid "GroupSAML|To be able to prohibit outer forks, you first need to enforce dedicate group managed accounts." msgid "GroupSAML|To be able to prohibit outer forks, you first need to enforce dedicate group managed accounts."
msgstr "" msgstr ""
msgid "GroupSAML|Use SAML group links to manage group membership using SAML."
msgstr ""
msgid "GroupSAML|Valid SAML Response" msgid "GroupSAML|Valid SAML Response"
msgstr "" msgstr ""
......