From YouTube: GitLab SSO with SAML and LDAP
Description
GitLab's Samer Akkoub explains how to implement SSO into your GitLab instance with SAML and LDAP
A
Hello, everyone, and thank you for joining me on this session today. My name is Samer Akkoub. I'm a senior alliances and channel solutions architect. In this recording I'll try to explain and simplify GitLab single sign-on, LDAP and OmniAuth integration. But before I do that, let's review together the GitLab authentication and authorization documentation. As you can see, GitLab integrates with a number of OmniAuth providers and some external authentication and authorization providers, such as build up, Google Secure LDAP, SAML for GitLab.com and smart card.
A
But the thing I want to focus on in this page is this table, actually, which explains the difference between SaaS and self-managed GitLab when it comes to user provisioning, user profile update, user authentication and, of course, the behavior upon user removal. For example, user provisioning in the SaaS is available only through SCIM and SAML.
A
Meanwhile, in the GitLab self-managed, it's available on the LDAP, SAML, OmniAuth providers and SCIM. And the SaaS user provisioning means the user is added to the group, but not a new user added to the actual GitLab.com instance. In the self-managed, user provisioning means a new user will be added into the GitLab instance.
A
Updating user details: it's not available in GitLab.com, while I can do that through LDAP synchronization in the self-managed GitLab, and I will show you that in a second. For the authentication in the GitLab.com, SAML can be configured on the top-level group. So if I have a group hierarchy with multiple groups and direct, only at the very top-level group I can configure SAML integration for authentication, so that a user will log into GitLab.com normally.
A
From the GitLab.com instance. On the other side, for the self-managed, user removal means a user will be removed from the group and will be flagged as a blocked user from the instance, and also that's available through SCIM. So it is very important to review this table when it comes to designing the SSO and user provisioning and authentication for your instance, depending on which consumption model you have for GitLab, the SaaS or the self-managed, and what features you want to apply.
A
It really directs you to the documentation and where to configure these functions, because it really differs. Excellent. This is good for here. As I said before, this session is for the LDAP and server authentication. So let's dive into some of the key points when it comes to the LDAP integration. Again, what I'm trying to do here is to summarize the key, or let's say the most frequently asked, questions or points or things that we usually think about when it comes to LDAP integration. First, integration supports any LDAP-compliant directory.
A
Basically, almost any LDAP service available today would be able to integrate with GitLab, any LDAP-compliant directory. Of course, Microsoft Active Directory, Apple Open, OpenLDAP and 389. Cool. Can I configure multiple LDAP directories for the GitLab instance? Absolutely. All that I'm describing here is for GitLab self-managed, just to make it very clear.
A
Users can authenticate with Git using their GitLab username or their email, and LDAP password. This is extremely important. Does it mean that I have LDAP integration in the background between GitLab and the LDAP server? Actually, I think it is hybrid here. It doesn't mean that I have this integration, that the user will not be able, if he already has a username and password already registered in the GitLab server, that they will not be able to log in. They would still be able to log in.
A
Support: the synchronization between the LDAP server and the GitLab server will happen once a day. That's the default behavior, and I like to be precise: it will happen at 1:30 a.m., based on the server timing, of course, to do this synchronization. And in this synchronization, if the user, like, based on the email address matching, the user doesn't exist, has been removed from the LDAP, has been placed under the blocked, or moved out of the base domain in the LDAP,
A
He will be flagged as a blocked user in GitLab. Now, can we change this schedule? Can we make it based on a different or multiple times a day? Absolutely, yes, you can change it, but that's the default behavior. As I said before, if the user is blocked, actually, if he is blocked, if he is outside of the search, or even if the whole group is removed from LDAP, the user will be placed under the blocked users. Now, okay, this is a good time to consider:
A
What do we mean by inactive users in LDAP? Removed from the LDAP, outside the base DN. Remember, when you integrate GitLab with an LDAP server, you have to map it with a group name, and inside your LDAP it's your choice whether to go to the top-level group and get in the LDAP hierarchy. But that means all the users in LDAP will be able to log in to GitLab, which counts against users, or you may decide to go,
A
So if it is outside that DN or user search filter, if he is removed from LDAP, or if he is marked as a disabled or deactivated user in that directory, especially when the LDAP is already integrated with any HR system in the background, which will update the user status in the LDAP, that means that immediately that user, not immediately, once the user is synced, that user profile will be deactivated and blocked in the GitLab server. Cool. I think I've covered already that user search filter using the DN name.
A
Now, the next thing: when the status of that user is checked. Yes, the synchronization happens once a day and you can configure that. But what about the status check for the user? First, whenever the user signs in. Starting from GitLab 14.4, that's if he signs in with any authentication provider, the status will be checked. Is this an active user? Is he still an active user or not? Second, once per hour for web sessions. So a user is working, the web session is open; once per hour the status check will happen.
A
Third, whenever the user is doing a Git over HTTP request, simply a git pull or clone for the repo over HTTP, that will trigger the synchronization. Or once per day, based on what we mentioned before on the synchronization between LDAP and the GitLab server. Group syncing, okay. So this is very important, not only about users checking and user status: we can map groups from your LDAP directory to groups in your GitLab server. So whenever a user is added to that group, he is automatically given access to the GitLab server.
A
Again, a group is the top level where I have multiple projects grouped under that group, so basically users added to that group or synchronized to that group will have access to projects under that group, based on the assigned role, of course. Okay, LWI can be disabled, especially when SAML authentication is enabled. I'll cover that more later, but quickly here.
A
Basically, if I have a different authentication process for my users, simply I'm using an external authentication with multi-factor authentication maybe enabled, I don't want my users to still be able to log in through my LDAP, because basically they are bypassing that external authentication. So what I can do is enable the LDAP synchronization in the background, but also disable the UI login for users to log in through that LDAP server. Okay, the last point here is very important.
A
So when we have LDAP synchronization between GitLab and LDAP, similar to this here, this LDAP synchronization will not create a new user by default in GitLab. Now, when will that user be created? The user will be created only if this user logs into GitLab through that LDAP authentication, and then he will be redirected to the authentication through the LDAP and the account will be created. Actually, let me show you, as we already covered most of the LDAP integration.
A
Let me show you how I do the LDAP configuration. So if I open my gitlab.rb file, this is a section where you do LDAP configuration. Basically, what we say is GitHub and true, and then I'm providing the GitLab server details. Actually, I am using this sample online GitLab LDAP server, which is this one here.
A
Basically, this is a sample LDAP test server. These are the connection details. This is the port, the C and everything. So all I had to do is copy that and put it into my LDAP configuration in the gitlab.rb. Of course, that LDAP server doesn't support TLS, so I had to use plain, and basically that's it. Once you have that, you just reconfigure the instance and that's it: you have an instance configured. So because I have the LDAP integration, I have two tabs now: the standard one, as you would expect.
A
This is where normal users registered in GitLab will log in, and then you have the LDAP tab, the one where users coming from the LDAP will log in. Now, despite that I have this synchronization, still users are not created inside my GitLab server. And to prove that, if I log in as root, as an admin, if I go under my admin area, so I go under users, and then these are all the users.
A
Here we have our friend Albert Einstein. So from all of these users, only this one, which I used before for this thing, is logged in. So let's take this one, this user, or maybe what you like. Maybe anything; Newton is good. Let's take this one. Newton here is not added. To prove that, let's log out now and log in to my LDAP using Newton Logan small reference. So what's happening here, yeah, the LDAP synchronization is processed. Now I checked with my LDAP profile.
A
The user is authenticated and I've provided the right username and password. All I have to do is just to check, select these one-time questions, and that's it. So now I have my Newton user added in my, actually, when the user is added, the user attributes are extracted from the response, from the LDAP assertion, right. So if I go here, I have my profile as Newton and I have the full name.
A
Maybe one thing, not sure if I covered. Yep, here we go: these are the attributes required to create the user in the LDAP server, as what we have just seen. So username, email, name, first name and last name. These attributes have to be passed back from the LDAP integration back to GitLab when the authentication happens. Upon signing in as a user, the check will happen. So now, if I log in again as Newton, the check will still happen, right, and it will check for my details and it should,
A
It will check that my account, or the signing-in Newton account, is still active in this sign-in. Now this is a very important feature in GitLab: I can map certain groups, key groups in GitLab, to groups back in the LDAP, SAML. So in my case here with the LDAP, and please remember that, because later in SAML we have different groups, and in LDAP we have two groups, the admin and external users. So what I'm doing here, if I click on this one, it takes me to the documentation.
A
So what I'm doing here is basically I am telling the GitLab server which group in my LDAP, if the user belongs to that group, then please consider him part of the admin group in GitLab pair. So instead of manually adding admins, you may have an admin group in your LDAP where all of your admin users are defined, maybe operation admins or platform admins. So basically, what you can do here: this is fixed. Admin group here is fixed. What you have to do is map it to the group in GitLab. Where do you do,
A
Where do you put this? Simply in the same configuration where we had, so this one, inside my gitlab.rb file. It's the GitLab gitlab.rb file. Excellent. Remember, when you configure the admin group, you have to configure the base group for your admin group. Okay, the other scenario is when you have a group for external users. This is very helpful, especially when you have contractors. Basically, in GitLab we have something called external users group, or users within this group are considered external. What does that mean? By default,
A
The users in that external users group have the external users roles, and these are the roles that these users can do. They cannot create projects, groups and snippets in their personal namespaces. Can only create projects, subgroups and snippets within the top-level groups to which they are explicitly granted. Imagine you have a contractor. You want him to help you doing something. You don't want that contractor to create a separate project or group inside your GitLab instance.
A
You would make him part of the external group in GitLab, so that only in the projects you assign him to, you explicitly add him to, or groups, he will be able to function. Can only access public projects or projects they are explicitly granted access to. Again, within your organization, you may have some public projects you are sharing with the community, and the rest are internal projects where each team is responsible for its own project.
A
So basically these contractors will have access either to these public projects or to the projects they have been added to inside your organization. They won't be able to see all the different internal projects. Can only access public snippets. Can only access public groups and, you would imagine, the explicitly granted access. So this is very important and easy to configure. Again, just to summarize: can I have multiple LDAP servers?
A
Yes. Where do I define LDAP configuration? In my gitlab.rb file, under the rails configuration. How is the synchronization between users and groups happening? It happens once a day by default, and you can change that schedule. Is it only synchronizing users, or synchronizing users and groups? It is synchronizing both. User status between the LDAP and GitLab users: is the user still active or not, existing within my LDAP group or not, per user status. Second, group status or group membership.
A
That's only available in the GitLab Premium. A sub-function from that is the explicit mapping between external and admin users. Whenever a user is added to a certain admin users group in your LDAP, that group can be mapped to an admin group in GitLab, and the same for external users, which, as I said before, is very useful when it comes to external contractors, basically, or maybe other use cases. Okay, excellent.
A
So now, let's move into the SAML. Actually, SAML and OmniAuth integration are almost the same exact steps, and for my use case here, just as an example, out of the whole list here, I'm using the Auth0 integration. But again, for each of these OmniAuth providers we have fully documented steps on how to do that configuration. But for my Auth0, I'm using it for both SAML and OmniAuth authentication, and I will switch between the two to show you the difference.
A
Excellent. Start with this: this is my account. All I had to do is log in, going through applications and then applications here, and I've created an application for my GitLab. You just create an application, and here we go. This is all the information you will need to do the configuration. The only thing you will need to fill in is this callback URL.
A
In my case here, I have, I believe, in this example, let's go into only all but, yep, here we go, and I'll just bring it up. Okay, so this is how to configure OmniAuth here, or SAML if you want. So basically the main thing is: you have to configure the provider under here, and then in my case I have the OmniAuth provider Auth0, and then the client ID, the secret, the domain, scope. All this information is already provided by the provider: the client ID, the secret, all that, right.
A
So if I have this one, this auto sign-in, enabled, I will not be shown the login page. Once I go to the home page or login page for GitLab, I will be immediately redirected to the OmniAuth. Okay. This is very important: block auto create users, and I have it here as true. Okay, so before I change it to false, what does it mean? Basically, when a user tries to log in here, for example, when I log in through my SAML, once I click on this SAML here, it will redirect me. Okay.
A
So this is using the OmniAuth, the label. The label, as you can see here, it is using from my previous configuration, the SAML. So what we'll do is I'll change this auto create user to false and we will do reconfigure. So basically, I am saying to GitLab: once the user SAML is returned from the SAML provider, if that user, and the match here is happening using the email,
A
So if I do here this one and do reconfigure. So while it is reconfiguring, let me continue here. So this is the SAML configuration, what I've just shown you. Now, remember in LDAP, where we said that an LDAP group can be mapped to a user group in GitLab? Okay, excellent. In SAML, that goes to four different groups, not only two. So not only external and admin, I have also required and auditor. So basically what's happening here is, I am, for example, if I click on this one, if I go under, yep, required.
A
So I am telling GitLab that when a user is returned from the SAML, please make sure that under the groups field, okay, the user has one of these different groups listed. Basically I'm saying that only users from these groups and the attribute in the assertion from the SAML provider are allowed to log in to GitLab. Okay. So this configuration has two parts. First, the group attribute: here I'm telling GitLab in which attribute, in the SAML assertion, to look for the value of the group.
A
Okay, second, in that attribute value, the value should be one of these different groups in order for that user to be allowed to log into my GitLab server. I hope it's clear. So two things here. First, this: once the user is authenticated with the SAML provider, a SAML assertion, a message, will be sent back to GitLab. In that message,
A
If I want to use the GitLab required group option, in that message there should be a field, and in our case here we decided to name it groups, and that's why we are telling GitLab to look into that field. Then that field called groups, an attribute, and that attribute value should have one of these different values, right, my friends. To show you what I mean by attribute, if I go into this one here, Auth0, I can actually click on debug and show you.
A
This is a SAML message, so this is what I mean by an attribute, and the attribute has a name and a value. In my case here, this is the attribute name, and this is the attribute value. So if I have required groups enabled, there should be an attribute here named something, let's say groups, under the condition that this is the same value you will configure in GitLab in the groups, and the value should be one of the different groups here. Can be anything, right. For the, under the group certificate in the SAML reply,
A
If the user has, if the value is admins, then that user, that authenticated user, should be considered part of, or should be added to, the admins group. I hope that's good. In the LDAP, we only have two options: external and admin. In the SAML, I have external and admin plus auditor and required groups. Okay, I believe my, yep, my GitLab has been reconfigured, so I can now refresh this one, and actually let me go here.
A
Yep, you see this one. Now it's Auth0. Similar, if I go to the configurations, back to the configurations, this is the same as this label. By the way, the label can be empty, right. So now, if I click on this one, I will be redirected to my SAML provider. I can come here, log in with my Google account here and my Google password, next, and now the user will be redirected into the GitLab server. Of course, this is the two-factor authentication available through the auth.
A
So now, if I come into the authentication and I log in through my Google account using my Gmail account, and then log in, and then come into this one and log in, and of course it will ask me to verify my identity, confirm, and here we go: the user will be redirected back into GitLab and logged in. Easy, right? Awesome.
A
Now, the other points I want to highlight here: as an administrator, I can configure GitLab to automatically link SAML users with existing GitLab users upon login, as what we have just done now here. Also, individual users can log into their accounts and manually go under preferences, go under account, and then link. It's already linked here, because I just logged in, but if this is not linked, a user can come here and link their account to the configured SAML provider. Okay. So it's a two-way thing. The other thing is, okay, by default,
A
This is very important, number four there. By default, the local part of the email address is used to generate the GitLab username for the desired or logged-in user, but the password, okay, will be automatically generated by GitLab. This is only if OmniAuth block auto create user is set to false, which is what we have done in the configuration file, which is this one, auto create users.
A
So, basically, what I'm saying here: a user will log in, sorry, a user will try to log in. The user will be redirected to the OmniAuth provider. The OmniAuth provider will check the user, will provide the login page for the user to log in, will authenticate the user, will check the user identity and will redirect back the SAML assertion to GitLab.
A
Now, if there is no user in GitLab with the same email address and the block auto create user is set to false in the gitlab.rb file, a user will be generated inside GitLab, simple. The username for the generated user will be a value in the email address, and there will be a generated password. That password will never be provided to the user directly. That's why users will need to use their token to do HTTP, or to authenticate and do HTTP requests.
A
Okay, okay, I think we have covered them all, yep. You can do two things here. I've covered the group membership for the SAML, but also I want to show you that you can do SAML group synchronization and SAML group links. What's the difference? In the SAML group synchronization, it synchronizes the SAML response group field with a value to a GitLab group, or GitLab users group, or GitLab group. Okay, so basically similar to the group synchronization.
A
If you remember, right, SAML group to GitLab group, simply. So SAML group to GitLab group. With the SAML group link, right, it is linking a SAML group to a role inside that group or subgroups. So basically, in this one, I think there is, yep, in this one, you see here, it is not only linking to a group, right, it's also linking to an access role inside that group. So this is important. So we have two things: SAML group link and SAML group synchronization.
A
The group attribute, right, I am referring back and I am sending back that group name to GitLab. That user, because he is under the developers group in LDAP, will be added to the, if that's mapped, will be added to the developers group in GitLab, which means that wherever there is a project this group is added to, with whatever role, that user will have the same. Okay, then we come to the second one, which is the group link.
A
So, basically, with the group link, I am linking, right, a group in my SAML assertion to a group inside GitLab, and I'm assigning what access level that group will have, right. So basically, that's it for me today. Maybe the last thing I want to show you, because I promised, is the SAML integration. So if I switch my, let me go out here and go be and I have, yep, this is the SAML, so I'll just, okay. So this is the same configuration file but a different copy,
A
With, this time, the SAML configured. It's almost exactly the same. I have SAML, the label, I have the provider and, as you can see here, I have this one as disabled, because I want users to be automatically created. And yeah, basically, that's it. So I hope this video has been helpful to you, and thank you very much for watching.