GitLab authentication and authorization

GitLab integrates with a number of OmniAuth providers, and the following external authentication and authorization providers:

note
UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.

SaaS vs self-managed comparison

The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider.

Capability SaaS Self-managed
User Provisioning SCIM
SAML 1
LDAP 1
SAML 1
OmniAuth Providers 1
SCIM
User Detail Updating (not group management) Not Available LDAP Sync
Authentication SAML at top-level group (1 provider) LDAP (multiple providers)
Generic OAuth 2.0
SAML (only 1 permitted per unique provider)
Kerberos
JWT
Smartcard
OmniAuth Providers (only 1 permitted per unique provider)
Provider-to-GitLab Role Sync SAML Group Sync LDAP Group Sync
SAML Group Sync (GitLab 15.1 and later)
User Removal SCIM (remove user from top-level group) LDAP (remove user from groups and block from the instance)
SCIM
  1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.

Test OIDC/OAuth in GitLab

See Test OIDC/OAuth in GitLab to learn how to test OIDC/OAuth authentication in your GitLab instance using your client application.