2019-06-10 20:11:11 -04:00
---
type: howto, reference
---
2019-07-08 04:50:38 -04:00
# SCIM provisioning using SAML SSO for Groups **(SILVER ONLY)**
2019-05-05 08:21:46 -04:00
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9388) in [GitLab.com Silver](https://about.gitlab.com/pricing/) 11.10.
2019-06-10 20:11:11 -04:00
System for Cross-domain Identity Management (SCIM), is an open standard that enables the
automation of user provisioning. When SCIM is provisioned for a GitLab group, membership of
that group is synchronized between GitLab and the identity provider.
2019-05-31 07:26:18 -04:00
GitLab's [SCIM API ](../../../api/scim.md ) implements part of [the RFC7644 protocol ](https://tools.ietf.org/html/rfc7644 ).
2019-05-05 08:21:46 -04:00
Currently, the following actions are available:
- CREATE
- UPDATE
- DELETE (deprovisioning)
The following identity providers are supported:
- Azure
## Requirements
2019-06-25 00:34:55 -04:00
- [Group SSO ](index.md ) needs to be configured.
2019-05-05 08:21:46 -04:00
- The `scim_group` feature flag must be enabled:
2019-07-14 23:02:30 -04:00
Run the following commands in a Rails console:
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
```sh
# Omnibus GitLab
gitlab-rails console
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
# Installation from source
cd /home/git/gitlab
sudo -u git -H bin/rails console RAILS_ENV=production
```
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
To enable SCIM for a group named `group_name` :
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
```ruby
group = Group.find_by_full_path('group_name')
Feature.enable(:group_scim, group)
```
2019-06-25 00:34:55 -04:00
2019-07-25 00:14:23 -04:00
## GitLab configuration
2019-05-05 08:21:46 -04:00
Once [Single sign-on ](index.md ) has been configured, we can:
1. Navigate to the group and click **Settings > SAML SSO** .
1. Click on the **Generate a SCIM token** button.
1. Save the token and URL so they can be used in the next step.
2019-06-25 00:34:55 -04:00
![SCIM token configuration ](img/scim_token.png )
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
## Identity Provider configuration
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
### Azure
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
First, double check the [Single sign-on ](index.md ) configuration for your group and ensure that **Name identifier value** (NameID) points to `user.objectid` or another unique identifier. This will match the `extern_uid` used on GitLab.
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
![Name identifier value mapping ](img/scim_name_identifier_mapping.png )
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
#### Set up admin credentials
Next, configure your GitLab application in Azure by following the
[Provisioning users and groups to applications that support SCIM ](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#provisioning-users-and-groups-to-applications-that-support-scim )
section in Azure's SCIM setup documentation.
During this configuration, note the following:
2019-05-05 08:21:46 -04:00
- The `Tenant URL` and `secret token` are the ones retrieved in the
2019-06-25 00:34:55 -04:00
[previous step ](#gitlab-configuration ).
2019-05-05 08:21:46 -04:00
- Should there be any problems with the availability of GitLab or similar
2019-06-25 00:34:55 -04:00
errors, the notification email set will get those.
2019-07-25 00:14:23 -04:00
- It is recommended to set a notification email and check the **Send an email notification when a failure occurs** checkbox.
2019-05-05 08:21:46 -04:00
- For mappings, we will only leave `Synchronize Azure Active Directory Users to AppName` enabled.
2019-07-29 19:51:47 -04:00
You can then test the connection by clicking on **Test Connection** . If the connection is successful, be sure to save your configuration before moving on. See below for [troubleshooting ](#troubleshooting ).
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
#### Configure attribute mapping
2019-05-05 08:21:46 -04:00
2019-07-25 00:14:23 -04:00
1. Click on `Synchronize Azure Active Directory Users to AppName` , to configure the attribute mapping.
1. Click **Delete** next to the `mail` mapping.
1. Map `userPrincipalName` to `emails[type eq "work"].value` and change it's **Matching precedence** to `2` .
1. Map `mailNickname` to `userName` .
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId` , **Target attribute** to `id` , **Match objects using this attribute** to `Yes` , and **Matching precedence** to `1` .
1. Create a new mapping by clicking **Add New Mapping** then set **Source attribute** to `objectId` , and **Target attribute** to `externalId` .
1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No` .
2019-05-05 08:21:46 -04:00
2019-08-12 05:54:30 -04:00
Save your changes and you should have the following configuration:
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
![Azure's attribute mapping configuration ](img/scim_attribute_mapping.png )
2019-05-05 08:21:46 -04:00
2019-08-12 05:54:30 -04:00
NOTE: **Note:** If you used a unique identifier **other than** `objectId` , be sure to map it instead to both `id` and `externalId` .
2019-07-25 00:14:23 -04:00
1. Below the mapping list click on **Show advanced options > Edit attribute list for AppName** .
2019-05-05 08:21:46 -04:00
1. Leave the `id` as the primary and only required field.
2019-07-14 23:02:30 -04:00
NOTE: **Note:**
`username` should neither be primary nor required as we don't support
that field on GitLab SCIM yet.
2019-06-25 00:34:55 -04:00
2019-07-14 23:02:30 -04:00
![Azure's attribute advanced configuration ](img/scim_advanced.png )
2019-05-05 08:21:46 -04:00
1. Save all the screens and, in the **Provisioning** step, set
2019-07-25 00:14:23 -04:00
the `Provisioning Status` to `On` .
2019-08-12 05:54:30 -04:00
![Provisioning status toggle switch ](img/scim_provisioning_status.png )
2019-05-05 08:21:46 -04:00
2019-07-14 23:02:30 -04:00
NOTE: **Note:**
You can control what is actually synced by selecting the `Scope` . For example,
`Sync only assigned users and groups` will only sync the users assigned to
2019-07-25 00:14:23 -04:00
the application (`Users and groups`), otherwise, it will sync the whole Active Directory.
2019-05-05 08:21:46 -04:00
Once enabled, the synchronization details and any errors will appear on the
bottom of the **Provisioning** screen, together with a link to the audit logs.
2019-06-10 20:11:11 -04:00
2019-07-29 19:51:47 -04:00
## Troubleshooting
2019-06-10 20:11:11 -04:00
2019-07-29 19:51:47 -04:00
### Testing Azure connection: invalid credentials
2019-06-10 20:11:11 -04:00
2019-07-29 19:51:47 -04:00
When testing the connection, you may encounter an error: **You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account** . If `Tenant URL` and `secret token` are correct, check whether your group path contains characters that may be considered invalid JSON primitives (such as `.` ). Removing such characters from the group path typically resolves the error.
2019-07-30 20:44:36 -04:00
### Azure: (Field) can't be blank sync error
When checking the Audit Logs for the Provisioning, you can sometimes see the
error `Namespace can't be blank, Name can't be blank, and User can't be blank.`
This is likely caused because not all required fields (such as first name and
last name) are present for all users being mapped.
As a workaround, try an alternate mapping:
1. Follow the Azure mapping instructions from above.
1. Delete the `name.formatted` target attribute entry.
1. Change the `displayName` source attribute to have `name.formatted` target attribute.