I am wondering if there is a way to automatically assign a role to a user for a specific group in GitLab when using SAML?
We are using Keycloak as our IdP together with the community edition of GitLab. We have been able to configure GitLab so that we can authenticate the user through Keycloak. However, we want to automatically assign the user to GitLab groups and roles based on roles in Keycloak. Is this possible?
This feature is only available in the Enterprise Edition of GitLab. For the Community Edition you can only specify whether the user is external (freelancer) or not.
Related
We are trying to integrate SSO with OKTA and Jfrog and got succeeded.
We tried group attributes from OKTA to JFrog and it's working, as we set up the same group name in both OKTA and JFrog, and whoever we add in OKTA can log in to JFrog.
The reverse process is working, i.e. when we delete a user in OKTA or change a specific user from a group in OKTA, permissions are reflected in JFrog, but the users are not visible in that specific group?
Can you help me to resolve it?
The JFrog Platform supports SCIM (System for Cross-domain Identity Management) exactly for this purpose.
Please refer to the SCIM documentation in JFrog's wiki for instructions on how to set it up.
When I try to push anything into my GitLab repo, I'm being asked for a password. The thing is that I don't know if it's asking for my account password or a repository password. In either case I don't have a password for them because I was never prompted to create one.
I created my account by linking a Bitbucket account, which in turn is linked to my Gmail account.
Does Gitlab create a password for me automatically, like the username it creates off my email?
If you create your GitLab account by linking a Bitbucket account, which in turn is linked to your Google account, then your GitLab account's password is the same as your Google password.
This is referred to as Single sign-on (SSO):
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
You could also use Google SSO to create an account on GitLab instead of using Bitbucket SSO. This has several advantages:
It's directly linked to your Google account, just like the Bitbucket account.
Maintains a 1-1 relationship between Google SSO and third-party Git hosting services.
There is one less SSO service you are dependent upon. By using Bitbucket SSO you are reliant on both Google SSO and Bitbucket SSO when signing into GitLab.
In short, it makes more sense to use a single SSO service rather than multiple services. Partially, that's where the name comes from.
Is there a way to make an access token that is only usable for one project? It seems there are only personal access tokens, which give access to all of my projects.
Yes!
See GitLab 13.3 (August 2020)
Project access tokens
Project level access tokens allow access to a project without the need to provision a new GitLab user.
Project access tokens can be generated by project Maintainers or Owners and be used to authenticate with the GitLab API.
Project access tokens will be authorized as Maintainers.
This new functionality will make programmatic access to GitLab easier, more secure, and less cost prohibitive.
See Documentation and Issue.
See also GitLab 13.5 (October 2020)
Project access tokens for GitLab.com
In GitLab 13.3, we introduced project-level access tokens for self-managed instances, allowing access to a project without the need to provision a new user.
We are now making project-level access tokens available in GitLab.com! Project access tokens can be generated by project Maintainers or Owners and be used to authenticate with the GitLab API and Git. Project access tokens will not increase the licensed seat count and are authorized as Maintainers. This new functionality will make programmatic access to GitLab easier, more secure, and less cost prohibitive.
See Documentation and Epic.
See GitLab 14.1 (July 2021)
Select project access token role
Users can now specify the level of access that a project token should have on the project level upon creation and can view existing project access token roles.
Prior to this release, project access tokens had the Maintainer role. For some users, this role included elevated permissions that were not required.
To avoid abuse, this feature is available for all users except for free GitLab SaaS accounts. All self-managed users as well as Premium and Gold SaaS customers can now easily select and view the appropriate role for their project access tokens.
See Documentation and Issue.
And don't forget about group access tokens, which you can now create with the API or UI since GitLab 14.7 (Jan. 2022).
Deploy keys allow read-only or read-write (if enabled) access to one or multiple repositories. Deploy keys can be used for CI, staging or production servers. You can create a deploy key or add an existing one.
Docs: https://docs.gitlab.com/ee/user/project/deploy_tokens/
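The answers above say project access tokens can be created through the API and, since 14.1, given a role narrower than Maintainer. As an added example (not GitLab's own code, and not from any answer in this thread), the script below builds the create request for the documented `POST /projects/:id/access_tokens` endpoint with least-privilege defaults (Developer role, read-only scopes, a short expiry) and audits a token inventory in the shape of the list endpoint's response. The project id, token names and the sample inventory are constructed for illustration; the numeric access levels are GitLab's documented values.

```python
"""Least-privilege project access tokens: build the create request and audit existing ones.

Added example, not GitLab's own code. It targets the documented
POST /projects/:id/access_tokens endpoint; the base URL, project id,
token names and the sample inventory below are constructed.
"""
import json
import urllib.request
from datetime import date, timedelta

# GitLab's numeric access levels (documented values).
ACCESS_LEVELS = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}

# Scopes a CI/automation token usually needs; anything broader is flagged on audit.
LOW_RISK_SCOPES = {"read_api", "read_repository", "read_registry"}


def build_create_request(base_url, project_id, name, scopes, role="developer", days_valid=30):
    """Return (url, json_payload) for creating a project access token.

    Defaults to the Developer role and a 30-day expiry so that a leaked
    token is neither Maintainer-level nor long-lived.
    """
    if role not in ACCESS_LEVELS:
        raise ValueError(f"unknown role {role!r}")
    expires = (date.today() + timedelta(days=days_valid)).isoformat()
    payload = {
        "name": name,
        "scopes": sorted(scopes),
        "access_level": ACCESS_LEVELS[role],
        "expires_at": expires,
    }
    url = f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/access_tokens"
    return url, payload


def create_token(url, payload, admin_token):
    """Send the request (needs a live GitLab instance; not exercised offline)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"PRIVATE-TOKEN": admin_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_tokens(tokens, today=None):
    """Flag tokens (as listed by GET /projects/:id/access_tokens) that break least privilege.

    `today` is an ISO date string for reproducible runs; defaults to the current date.
    Returns a dict mapping token name -> list of findings.
    """
    today = date.fromisoformat(today) if today else date.today()
    findings = {}
    for t in tokens:
        issues = []
        if t.get("access_level", 0) >= ACCESS_LEVELS["maintainer"]:
            issues.append("maintainer-or-higher role")
        extra = set(t.get("scopes", [])) - LOW_RISK_SCOPES
        if extra:
            issues.append("write scopes: " + ", ".join(sorted(extra)))
        exp = t.get("expires_at")
        if not exp:
            issues.append("no expiry")
        elif date.fromisoformat(exp) < today:
            issues.append("expired")
        if issues:
            findings[t["name"]] = issues
    return findings


# Constructed sample inventory, shaped like the API's list response.
SAMPLE_TOKENS = [
    {"name": "ci-readonly", "scopes": ["read_api", "read_repository"], "access_level": 30, "expires_at": "2099-01-01"},
    {"name": "legacy-bot", "scopes": ["api", "write_repository"], "access_level": 40, "expires_at": None},
    {"name": "old-deploy", "scopes": ["read_registry"], "access_level": 20, "expires_at": "2020-01-01"},
]

if __name__ == "__main__":
    url, payload = build_create_request("https://gitlab.example.com", 42, "ci-readonly", {"read_api"})
    print(url, json.dumps(payload))
    for name, issues in audit_tokens(SAMPLE_TOKENS).items():
        print(f"{name}: {'; '.join(issues)}")
```

The audit is the part worth running regularly: a Maintainer-level, non-expiring token with the `api` scope is equivalent to a standing Maintainer account that nobody logs in as, which is exactly the case the 14.1 role selection was meant to let you avoid.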
I want to implement authentication system in my web application using Gitlab.
That is, users can log in to my application using their GitLab username and password. How can I achieve this?
I believe you are looking to use Gitlab as the authentication provider for your application.
The GitLab as OAuth2 authentication service provider documentation should get you started.
From the documentation:
For example, you can allow users to sign in to your application with their GitLab.com account
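The answer points at GitLab's OAuth2 provider documentation but shows no code. As an added example (not from the answer, and not GitLab's own client code), the script below implements the server side of the authorization-code flow against GitLab's documented `/oauth/authorize`, `/oauth/token` and `/api/v4/user` endpoints, with the two checks a relying party must not skip: a `state` value verified on the callback (otherwise an attacker can complete the login with a code bound to their account) and PKCE so an intercepted code is useless without the verifier. The application id, redirect URI and sample callback URLs are constructed placeholders.

```python
"""GitLab as OAuth2 provider: authorization-code flow with state and PKCE checks.

Added example, not GitLab's code. The endpoint paths are GitLab's documented
ones; the client id, redirect URI and sample callbacks are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

GITLAB = "https://gitlab.com"  # or your self-managed instance


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="read_user"):
    """URL to redirect the browser to; read_user is the narrowest scope that identifies the user."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{GITLAB}/oauth/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect; reject provider errors and state mismatches (CSRF)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"provider error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    # Constant-time compare against the value stored in the user's session.
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: possible CSRF or mixed-up session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Form body for POST /oauth/token; client_secret is omitted for public clients."""
    body = {
        "client_id": client_id,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret:
        body["client_secret"] = client_secret
    return body


def exchange_code(body):
    """Live token exchange (needs network; not exercised offline)."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(f"{GITLAB}/oauth/token", data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_user(access_token):
    """Identify the logged-in user; this is what your session should be keyed on."""
    req = urllib.request.Request(f"{GITLAB}/api/v4/user", headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)  # store state and verifier in the server-side session
    print(build_authorize_url("APPLICATION_ID_PLACEHOLDER", "https://app.example/callback", state, challenge))
```

Keep `state` and `code_verifier` in the server-side session, never in the redirect itself, and look the user up by the `id` field from `/api/v4/user` rather than by username, which can change.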
I am currently developing a WebApi 2 service which is hosted in Azure. I now need to add authentication and ideally authorization to this service. I was expecting to be able to do this with Azure Active Directory but have a number of questions:
Will my users have to login via the standard Azure sign in portal?
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
Will I be able to programmatically add a user into the directory along with authorization info (aka rights management)?
Will I programmatically be able to modify a user's details such as a forgotten password etc.?
Sorry for the general question, but I am stuck trying to find out if I am looking at the right technology to be able to meet these requirements. If not, would really appreciate any suggestions on what to use instead.
Will my users have to login via the standard Azure sign in portal?
Yes, but the branding of the portal can be changed in the basic and premium editions of Azure AD.
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
No, you can register your own domain and associate it with a directory. Or you can sync on-premise accounts to an Azure AD directory and use those email addresses.
Will I be able to programmatically add a user into the directory along with authorization info (aka rights management)?
Yes, using the Graph API you can create and manage users. You can also assign them roles or make them part of a security group.
Will I programmatically be able to modify a user's details such as a forgotten password etc.?
Yes, using the Graph API.