From YouTube: Manage:: Access - Demo SAML Group Sync
Description
Melissa Ushakov walks through the MVC of SAML Group Sync and talks about the next iterations for this feature.
https://gitlab.com/gitlab-org/gitlab/-/issues/118
A
Hi y'all, I'm Melissa Ushakov, the PM for the Access team, and I wanted to talk to you today about a new feature that we just released called SAML Group Sync, and show you how it works and talk about the next steps as far as iterating on this feature. So SAML Group Sync has been a highly requested feature, because today we use SSO only for authentication and not for authorization.
A
So a lot of enterprise customers have pretty complex setups in their IdP, where all users are part of groups, and groups really are what define their authorization and all their different tools, and GitLab today isn't able to read that data and control authorization based on it.
A
So you see here in Security, once you have SSO enabled, you get this menu called SAML Group Links. So if I click on it, you can see that you can specify a group name in this, and I'm using Azure as the IdP for my testing.
A
You put this long GUID, and you can define what access level people should have that have this group in their SSO assertion. So if I find this, I make a maintainer as part of setup. So this is one part of the setup, right, on the GitLab side. On the IdP side, there's a couple things that you need to do. One is, in your attributes and claims, you have to add a group claim, and for our implementation
A
We look for this specific name, so groups, and this is just to simplify things on our side across providers, right, but for most providers it's pretty straightforward to customize what that name should be. So I've added the group claims, so now it's sent over in the SSO assertion to GitLab, and then also you need to have users in groups.
A
So I have this specific user called dushikov test that is part of the security and the product group, and on the GitLab side, to make things simple for the demo, I just did a one-to-one reflection of the groups in my IdP in my groups in GitLab. Obviously, people can do more complicated things, but I wanted to keep it simple. So, as a reminder, I have a security group and I've mapped it to this name, which is this one over here, right, so the d, whatever. All right, so now, the fun part.
A
But if you follow the SSO link through your IdP and you basically trigger an SSO handshake, you'll see that groups are updated. So, as a reminder, I put a link, a group link to be maintainer if you encounter the group security, so there you go. This is a big deal, because basically now there's one single place to manage group memberships, which is on your IdP, and as long as you've configured the group links on the GitLab side, now you can ensure proper membership in the groups on GitLab according to your permissions.
A
That is pretty long for some customers, so one is: can we make that shorter on GitLab.com without hurting the user experience, so we're going to be looking into how to make that SSO check seamless, and two, giving that timeout window option, have that be configured at the group level.
A
So if a specific group has group links, or they're just very security conscious, if they want to have their users go through a check every few hours, right, they have the option to do that, but we leave kind of like the default pretty long in general for GitLab.com.