GitLab authentication and authorization

GitLab integrates with a number of OmniAuth providers, and the following external authentication and authorization providers:

Note: UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.

SaaS vs self-managed comparison

The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.

| Capability | SaaS | Self-managed |
|---|---|---|
| User Provisioning | SCIM; SAML [1] | LDAP [1]; SAML [1]; OmniAuth Providers [1]; SCIM |
| User Detail Updating (not group management) | Not Available | LDAP Sync |
| Authentication | SAML at top-level group (1 provider) | LDAP (multiple providers); Generic OAuth 2.0; SAML (only 1 permitted per unique provider); Kerberos; JWT; Smartcard; OmniAuth Providers (only 1 permitted per unique provider) |
| Provider-to-GitLab Role Sync | SAML Group Sync | LDAP Group Sync; SAML Group Sync (GitLab 15.1 and later) |
| User Removal | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance); SCIM |

[1] Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.

Test OIDC/OAuth in GitLab

See Test OIDC/OAuth in GitLab to learn how to test OIDC/OAuth authentication in your GitLab instance using your client application.