GitLab authentication and authorization (FREE SELF)
GitLab integrates with a number of OmniAuth providers, and the following external authentication and authorization providers:
- LDAP: Includes Active Directory, Apple Open Directory, OpenLDAP, and 389 Server.
- SAML for GitLab.com groups (PREMIUM SAAS)
- Smartcard (PREMIUM SELF)
NOTE: UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.
SaaS vs Self-Managed Comparison
The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.
OmniAuth Providers 1
| Capability | SaaS | Self-managed |
|---|---|---|
| User Detail Updating (not group management) | Not Available | LDAP Sync |
| Authentication | SAML at top-level group (1 provider) | LDAP (multiple providers)<br>Generic OAuth 2.0<br>SAML (only 1 permitted per unique provider)<br>OmniAuth Providers (only 1 permitted per unique provider) |
| Provider-to-GitLab Role Sync | SAML Group Sync | LDAP Group Sync<br>SAML Group Sync (GitLab 15.1 and later) |
| User Removal | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance) |
- Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.
Test OIDC/OAuth in GitLab
See Test OIDC/OAuth in GitLab to learn how to test OIDC/OAuth authentication in your GitLab instance using your client application.