@@ -25,7 +25,7 @@ SAML SSO is only configurable at the top-level group.
1. Navigate to the group and select **Settings > SAML SSO**.
1. Configure your SAML server using the **Assertion consumer service URL**, **Identifier**, and **GitLab single sign-on URL**. Alternatively GitLab provides [metadata XML configuration](#metadata-configuration). See [specific identity provider documentation](#providers) for more details.
1. Configure the SAML response to include a NameID that uniquely identifies each user.
1. Configure [required assertions](group_managed_accounts.md#assertions) if using [Group Managed Accounts](group_managed_accounts.md).
1. Configure [required assertions](#assertions) if using [Group Managed Accounts](group_managed_accounts.md), or expecting new user accounts to be created.
1. While the default is enabled for most SAML providers, please ensure the app is set to have [Service Provider](#glossary) initiated calls in order to link existing GitLab accounts.
1. Once the identity provider is set up, move on to [configuring GitLab](#configuring-gitlab).
...
...
@@ -53,6 +53,19 @@ Once users have signed into GitLab using the SSO SAML setup, changing the `NameI
We recommend setting the NameID format to `Persistent` unless using a field (such as email) that requires a different format.
### Assertions
For users to be created with the right information with the improved [user access and management](#user-access-and-management),
the following user details need to be passed to GitLab as SAML assertions.
| Field | Supported keys |
|-----------------|----------------|
| Email (required)| `email`, `mail` |
| Username | `username`, `nickname` |
| Full Name | `name` |
| First Name | `first_name`, `firstname`, `firstName` |
| Last Name | `last_name`, `lastname`, `lastName` |
### Metadata configuration
GitLab provides metadata XML that can be used to configure your Identity Provider.
=_("During this process, you’ll be asked for URLs from GitLab’s side. Use the URLs shown below.")
%li
=(_("Set up assertions/attributes/claims (email, first_name, last_name) and NameID according to %{docsLinkStart}the documentation %{icon}%{docsLinkEnd}")%{icon: sprite_icon('external-link'),docsLinkStart: "<a href='#{help_page_path('user/group/saml_sso/group_managed_accounts',anchor: 'assertions')}' target='_blank'>",docsLinkEnd: '</a>'}).html_safe
=(_("Set up assertions/attributes/claims (email, first_name, last_name) and NameID according to %{docsLinkStart}the documentation %{icon}%{docsLinkEnd}")%{icon: sprite_icon('external-link'),docsLinkStart: "<a href='#{help_page_path('user/group/saml_sso/index.md',anchor: 'assertions')}' target='_blank'>",docsLinkEnd: '</a>'}).html_safe
%li
=html_escape(_("Fill in the fields below, turn on %{strong_open}Enable SAML authentication for this group%{strong_close}, and press %{strong_open}Save changes%{strong_close}"))%{strong_open: '<strong>'.html_safe,strong_close: '</strong>'.html_safe}
