Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Integrate your JumpCloud account with GitLab through an Identity Management Connector. After you connect JumpCloud with GitLab, you can provision and deprovision users in GitLab through your JumpCloud Administrator Portal. Leverage this integration for centralized user lifecycle management and get immediate attribute management of users bound to integrated applications.
Read this article to learn how to configure the GitLab Integration.
Read the SAML Configuration Notes KB before you start configuring the connector.
Prerequisites
- You must have GitLab SaaS. This functionality is not available with GitLab self-managed.
- You need to have a GitLab Silver account.
- Access to modify the GitLab server per https://docs.gitlab.com/ce/integration/saml.html.
Important Considerations
- If you delete an integrated GitLab application from your Applications list, the application is removed from JumpCloud, but any previously bound users remain active in GitLab. These users will be able to log in to GitLab with the password they used prior to enablement of SSO to the GitLab application from your JumpCloud account.
- If you deactivate the Identity Management on your GitLab application, previously bound users remain active in GitLab and able to authenticate using SSO. No further updates will be made to user accounts via the Identity Management integration.
- Newly provisioned users will receive an email invitation from GitLab.
- When you deprovision users, they’re removed from the GitLab user group, but their user account remains.
- Currently, you can’t update users in GitLab with our Identity Management Connector.
- Account takeover isn’t supported for GitLab.
- If a user’s password expires in JumpCloud, their account becomes suspended and they are deactivated in all applications that have Identity Management configured and are associated with them. Once the user’s password is updated, the account and previously associated applications are reactivated.
Attribute Considerations
- GitLab generates the username attribute from the JumpCloud user email.
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
- If this is a Bookmark application, enter its URL in the Bookmark URL field.
- Click Save Application.
- If successful, click:
  - Configure Application and go to the next section.
  - Close to configure your new connector at a later time.
Configure the SSO Integration
To configure JumpCloud
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- In the IDP Entity ID field, enter https://YOURDOMAIN.TLD. For example, https://thebestwidgets.com.
- In the SP Entity ID field, enter a unique identifier for the Service Provider, typically the URL of the GitLab server such as https://YOUR_GITLAB_SERVER_URL.
- In the ACS URL field, enter https://YOUR_GITLAB_SERVER_URL/users/auth/saml/callback.
The ACS URL must match the assertion_consumer_service_url set in Step 2 of the Configure GitLab as a SAML OmniAuth Provider section below.
- (Optional) Enter GitLab group membership information. See the section on External Groups in GitLab’s documentation because the Attribute Name and Value need to be configured in the GitLab SAML configuration.
- In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
- Click Activate.
To configure GitLab
Configure SAML SSO for GitLab.com Groups:
- Log in to the GitLab Admin console as an administrator.
- Select a group to enable SAML SSO on.
- Go to Settings > SAML SSO.
- Enter the IdP URL, then the SAML certificate fingerprint.
- Click Enable SAML authentication for this group.
- Click Save changes.
After the IdP and SP are configured for SAML SSO, users need to log in to their GitLab account using their IdP credentials and authorize SAML SSO. Users can complete the process from an IdP initiated authentication request or an SP initiated authentication request.
Configure GitLab as a SAML OmniAuth Provider
Make sure to enable OmniAuth before you configure GitLab as a SAML OmniAuth provider.
- On your GitLab server, open the configuration file: /etc/gitlab/gitlab.rb. For installations from the source, see GitLab’s documentation.
- Update assertion_consumer_service_url with the ACS URL specified in the JumpCloud application.
- Make sure the issuer is the same value as the SP Entity ID in the JumpCloud application.
- Make sure the name_identifier_format is: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Save the file, then run gitlab-ctl reconfigure to update the GitLab configuration.
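The steps above leave three values that must agree across the two consoles (ACS URL, issuer versus SP Entity ID, and the emailAddress NameID format), plus the IdP certificate fingerprint that GitLab uses to reject assertions not signed by your JumpCloud IdP. The following stand-alone Ruby check is an added example, not JumpCloud's or GitLab's own code: it models the args hash you would place inside gitlab_rails['omniauth_providers'] in /etc/gitlab/gitlab.rb (idp_cert_fingerprint and idp_sso_target_url are real gitlab.rb keys not shown in the steps above) and reports any mismatch before you run gitlab-ctl reconfigure. All hostnames and the fingerprint are constructed placeholders.

```ruby
require 'uri'

# NameID format required by the GitLab SAML configuration (from the steps above).
EMAIL_NAMEID = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Values as entered in the JumpCloud SSO tab (constructed placeholders).
JUMPCLOUD_SSO = {
  sp_entity_id: 'https://gitlab.example.com',
  acs_url:      'https://gitlab.example.com/users/auth/saml/callback'
}.freeze

# The args hash for the 'saml' entry of gitlab_rails['omniauth_providers']
# (constructed placeholders; the fingerprint is a made-up SHA-1 value).
GITLAB_SAML_ARGS = {
  assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
  idp_cert_fingerprint:   'A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01:12:23:34',
  idp_sso_target_url:     'https://sso.jumpcloud.com/saml2/gitlab-example', # assumed IdP URL
  issuer:                 'https://gitlab.example.com',
  name_identifier_format: EMAIL_NAMEID
}.freeze

# Returns a list of findings; an empty list means the GitLab side matches JumpCloud.
def check_saml_config(args, sso)
  findings = []
  if args[:assertion_consumer_service_url] != sso[:acs_url]
    findings << 'assertion_consumer_service_url does not match the JumpCloud ACS URL'
  end
  findings << 'issuer does not match the JumpCloud SP Entity ID' if args[:issuer] != sso[:sp_entity_id]
  findings << 'name_identifier_format is not the emailAddress format' if args[:name_identifier_format] != EMAIL_NAMEID

  # Pinning the IdP signing certificate is what makes GitLab reject assertions
  # signed by any other key, so insist on a well-formed SHA-1 fingerprint.
  fp = args[:idp_cert_fingerprint].to_s
  findings << 'idp_cert_fingerprint is not 20 colon-separated hex bytes' unless fp.match?(/\A(?:\h{2}:){19}\h{2}\z/)

  # The callback must be served over TLS and belong to the host named as issuer.
  acs = URI(args[:assertion_consumer_service_url].to_s)
  findings << 'ACS URL must use https' unless acs.scheme == 'https'
  findings << 'ACS URL host differs from issuer host' unless acs.host == URI(args[:issuer].to_s).host
  findings
end

puts(check_saml_config(GITLAB_SAML_ARGS, JUMPCLOUD_SSO).empty? ? 'SAML config consistent' : 'mismatch found')
```

Run it against your real values before reconfiguring; any finding corresponds to one of the steps above that still needs fixing.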
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO authentication workflow(s)
IdP Initiated
- Access the JumpCloud User Console.
- Select the Service Provider icon.
- This should automatically launch the application and log you in.
SP Initiated
- Navigate to your Service Provider application URL.
- You will be redirected to log in to the JumpCloud User Portal.
- The browser is redirected back to the application and you are automatically logged in.
Configuring the Identity Management Integration
To configure GitLab
- On the top bar, select Main menu > Groups and find your group.
- On the left sidebar, select Settings > SAML SSO.
- Select Generate a SCIM token.
- For configuration of your identity provider, copy the:
  - Token from the Your SCIM token field.
  - URL from the SCIM API endpoint URL field.
To configure JumpCloud
- Create a new application or select it from the Configured Applications list.
- Select the Identity Management tab.
- Click Configure.
Attribute Mappings
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about JumpCloud Properties and how they work with system users in our API.
GitLab User Attributes
JumpCloud Property | JumpCloud UI Attribute Name | GitLab Attribute |
---|---|---|
Company Email | | |
username | Username | userName |
firstname | First Name | name.givenName |
lastname | Last Name | name.familyName |
Group Attributes
JumpCloud Property | JumpCloud UI Field Name | SCIM v2 Mapping | Application Value |
---|---|---|---|
name | Name | displayName | Organization |
Removing the Integration
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete and click to open its details panel.
- Check the box for the application.
- Click Delete.
- Enter the number of applications you are deleting.
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.