Self-managed SAML Group Sync
What does this MR do and why?
Related to #285150 (closed). This is part two (part one was tlab-org/gitlab/-/merge_requests/85209).
Adds the new Sidekiq worker that manages group membership based on the groups sent in a SAML response.
Screenshots or screen recordings
How to set up and validate locally
Setup is unfortunately lengthy.

- Set up a test SAML IdP. Okta provides free developer accounts at https://developer.okta.com/signup/.
  - Find Okta setup notes in GitLab docs at https://docs.gitlab.com/ee/integration/saml.html#okta-setup-notes.
  - Also be sure to specify a groups attribute in Okta so groups are sent in the payload (see screenshot). This will automatically send `Everyone` as a group name for every user, or more custom groups can be added in the user directory in Okta.
- Set up your local GDK with some SAML provider: https://docs.gitlab.com/ee/integration/saml.html
  - Be sure the configuration is set up with a specified `groups_attribute` per https://docs.gitlab.com/ee/integration/saml.html#saml-groups. For Okta this should be `Groups`.
- Create a group in GitLab. If you've configured SAML correctly you should now see 'SAML Group Links' in the Settings menu of any given GitLab group.
- Create a SAML Group Link in one or more groups. Use `Everyone` as the group name unless you've created and assigned more groups in Okta.
- Sign in using SAML as a user in your Okta dev environment.
- Observe that the Sidekiq worker is kicked off and, once it completes, your user is now a member of the groups where you created the Group Links.
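What the sync step above amounts to, as an added Ruby illustration that is not GitLab's code and not the worker in this MR: given the group names carried in the SAML response and the configured SAML Group Links, decide which group memberships to add, update or remove. `GroupLink`, `plan_sync`, the numeric access levels and the sample links are assumptions made up for this example. Whether GitLab's worker also removes memberships for links the user no longer matches is not stated on this page; the example treats removal as part of sync to show the full shape of the operation, and leaves groups without any link untouched. It also shows the check a tester wants after configuring `groups_attribute`: a group name that differs from the link name only in case does not match here, so the user gets nothing.

```ruby
require 'set'

# Added illustration of SAML Group Link membership sync. This is NOT GitLab's
# implementation; names, data shapes and access-level numbers are assumptions.

# Assumed access levels, in increasing order of privilege.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A SAML Group Link: `gitlab_group` grants `access_level` to any user whose SAML
# response lists `saml_group_name` under the configured groups attribute.
GroupLink = Struct.new(:gitlab_group, :saml_group_name, :access_level, keyword_init: true)

# Access the user should hold in each linked GitLab group, given the group names
# from the SAML response. Matching is exact and case-sensitive in this example.
# Several matching links into one group resolve to the highest access level.
def desired_access(saml_groups, links)
  names = saml_groups.to_set
  links.select { |link| names.include?(link.saml_group_name) }
       .group_by(&:gitlab_group)
       .transform_values { |matched| matched.map(&:access_level).max }
end

# Diff desired access against current memberships ({ group => access level}) and
# return the change sets a sync worker would apply. Only groups that have at
# least one link are under SAML control; memberships elsewhere are never touched.
def plan_sync(saml_groups, links, current)
  desired = desired_access(saml_groups, links)
  linked  = links.map(&:gitlab_group).uniq

  add    = desired.reject { |group, _| current.key?(group) }
  update = desired.select { |group, level| current.key?(group) && current[group] != level }
  remove = linked.select  { |group| current.key?(group) && !desired.key?(group) }

  { add: add, update: update, remove: remove }
end

# Constructed sample links: two links into 'engineering', one into 'finance'.
SAMPLE_LINKS = [
  GroupLink.new(gitlab_group: 'engineering', saml_group_name: 'Everyone',
                access_level: ACCESS_LEVELS[:developer]),
  GroupLink.new(gitlab_group: 'engineering', saml_group_name: 'Admins',
                access_level: ACCESS_LEVELS[:maintainer]),
  GroupLink.new(gitlab_group: 'finance', saml_group_name: 'Finance',
                access_level: ACCESS_LEVELS[:reporter])
].freeze

if __FILE__ == $PROGRAM_NAME
  # First SAML sign-in: Okta sends only "Everyone", user has no memberships yet.
  p plan_sync(['Everyone'], SAMPLE_LINKS, {})
  # Later sign-in: user gained "Admins", so the engineering level is raised.
  p plan_sync(%w[Everyone Admins], SAMPLE_LINKS, { 'engineering' => 30 })
  # Case mismatch ("everyone") matches nothing; linked groups are revoked,
  # the unlinked 'personal' group is left alone.
  p plan_sync(['everyone'], SAMPLE_LINKS,
              { 'engineering' => 30, 'finance' => 20, 'personal' => 50 })
end
```

Run it with `ruby sync_example.rb` (any filename works) to see the three plans printed; the case-mismatch run is the one to compare against a real setup where `groups_attribute` is misspelled or Okta sends a differently cased name.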
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.