Configure SCIM for self-managed GitLab instances
Introduced in GitLab 15.8.
You can use the open standard System for Cross-domain Identity Management (SCIM) to automatically:
- Create users.
- Block users.
- Re-add users (reactivate SCIM identity).
The internal GitLab SCIM API implements part of the RFC 7644 protocol.
If you are a GitLab.com user, see configuring SCIM for GitLab.com groups.
Configure GitLab
Prerequisites:
- Configure SAML single sign-on.
To configure GitLab SCIM:
- On the left sidebar, select Search or go to.
- Select Admin Area.
- Select Settings > General.
- Expand the SCIM Token section and select Generate a SCIM token.
- For configuration of your identity provider, save the:
  - Token from the Your SCIM token field.
  - URL from the SCIM API endpoint URL field.
Remove access
Removing or deactivating a user on the identity provider blocks the user on the GitLab instance, while the SCIM identity remains linked to the GitLab user.
To update the user SCIM identity, use the internal GitLab SCIM API.
Reactivate access
- Introduced in GitLab 16.0 with a flag named skip_saml_identity_destroy_during_scim_deprovision. Disabled by default.
- Generally available in GitLab 16.4. Feature flag skip_saml_identity_destroy_during_scim_deprovision removed.
After a user is removed or deactivated through SCIM, you can reactivate that user by adding them to the SCIM identity provider.
After the identity provider performs a sync based on its configured schedule, the user’s SCIM identity is reactivated and their GitLab instance access is restored.
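As an added example (not GitLab's own code), the following Python helper classifies RFC 7644 PATCH bodies, such as those recorded in an identity provider's provisioning log, by the outcome that the Remove access and Reactivate access sections describe. It assumes the identity provider changes the standard active attribute through a PatchOp message; the function names and sample bodies are constructed for illustration.

```python
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value):
    # Accept JSON booleans and the "True"/"False" strings some clients send.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None

def requested_active_state(body):
    """Return False (deactivate), True (reactivate) or None (active untouched)."""
    msg = json.loads(body)
    if PATCH_OP_SCHEMA not in msg.get("schemas", []):
        raise ValueError("not an RFC 7644 PatchOp message")
    state = None
    for op in msg.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # Path-less form: value is an object of attributes to set.
            for key, val in value.items():
                if key.lower() == "active":
                    state = _as_bool(val)
        elif isinstance(path, str) and path.lower() == "active":
            state = _as_bool(value)
    return state

def expected_effect(body):
    """Map a PATCH body to the outcome described in the sections above."""
    return {
        False: "user blocked, SCIM identity stays linked",
        True: "SCIM identity reactivated, access restored",
        None: "no access change",
    }[requested_active_state(body)]

# Constructed sample bodies (not captured from a real identity provider).
DEACTIVATE = json.dumps({"schemas": [PATCH_OP_SCHEMA], "Operations": [
    {"op": "replace", "path": "active", "value": False}]})
REACTIVATE = json.dumps({"schemas": [PATCH_OP_SCHEMA], "Operations": [
    {"op": "Replace", "value": {"active": "True"}}]})
RENAME = json.dumps({"schemas": [PATCH_OP_SCHEMA], "Operations": [
    {"op": "replace", "path": "name.givenName", "value": "Ada"}]})

if __name__ == "__main__":
    for sample in (DEACTIVATE, REACTIVATE, RENAME):
        print(expected_effect(sample))
```

Comparing these classifications against the blocked and active users on the instance shows whether each deprovisioning request took effect after the identity provider's sync.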