Introduction and SAML2 question

Hi all,

In the Hogeschool van Amsterdam HBO-ICT education department we’ve been running Gitlab for almost 10 years now. Currently 15789 projects, 1350 groups and 3121 users that come every year and leave with a BSc in 4 years (in the happy scenario).

The main reason to start using the ultimate (self hosted) version was to be able to limit the sizes of the projects so that machine learning students learn to not push the entire dataset into their repo.

The usage of gitlab is growing and for 2 years now we have had 2 shared docker runners to accommodate the CI/CD chain. And some users love the gitlab pages now that we got that working.
And the integration with our MSTeams environment is fun: every commit is a Teams message in a private teachers Teams channel.

The LDAP integration is great too: students who leave the school are automagically “blocked” by a gitlab process that checks LDAP accounts. Once a year these are deleted from the system to keep the number of users small (under 5000). The python gitlab api tools are very helpful with that. So many things happening with gitlab it is hard to keep up.

Our current issue is about authentication: instead of reading passwords we should be using SAML2 (SURFconext IdP Dashboard) single sign-on to log in. But can we enable SAML2 and still be able to automatically block expired LDAP users? No hurry, just asking.

Greetings from Amsterdam University of Applied Sciences,
Jan Derriks, CS lecturer and gitlab maintainer.

1 Like

Hello @jderriks - We love to hear your enthusiasm for GitLab! 10 years now, wow that is impressive. I’ve shared this with our team and we’ll see if we can find an answer for you.

Will your team be at https://iticse.acm.org/2022/ this summer by chance?

Hello @jderriks

At University of Liège, we also use GitLab in the same way. No quota on projects yet, however. What size did you define?

For the ability to use SAML SSO and to block expired LDAP users, we had to develop the script ourselves. That’s not a big one.

  • By API, request GitLab to return all active users. (100 max per page)
  • For each one, request LDAP to check if still active.
  • If not, contact GitLab API and block it.
    (We never deleted them, for now)
1 Like
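
An added example of the three steps above (not code from the thread or from either university): it assumes user objects shaped like python-gitlab's `User` (`username`, `identities`, `bot`, `block()`) and an `ldap_is_active` callback the admin supplies, e.g. an LDAP search on the DN; the `FakeUser` class and the sample data are constructed so the block runs offline. In production, step 1 would be `gl.users.list(active=True, iterator=True)` on a `gitlab.Gitlab` client (assumed python-gitlab calls, not shown running here).

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

@dataclass
class BlockReport:
    blocked: List[str] = field(default_factory=list)  # blocked (or would be, in dry-run)
    skipped: List[str] = field(default_factory=list)  # bots, root, or no LDAP identity

def ldap_dn_of(user) -> Optional[str]:
    """LDAP extern_uid (the DN) of a user, or None if the account has no LDAP identity."""
    # GitLab names LDAP providers 'ldapmain', 'ldapsecondary', ...; hence the prefix match.
    for ident in getattr(user, "identities", None) or []:
        if str(ident.get("provider", "")).startswith("ldap"):
            return ident.get("extern_uid")
    return None

def block_expired_users(users: Iterable, ldap_is_active: Callable[[str], bool],
                        dry_run: bool = True) -> BlockReport:
    """Steps 2 and 3: check each active user against LDAP and block the ones that are gone.
    Accounts without an LDAP identity (SAML-only, local admins, bots) are skipped, not blocked,
    so a mis-scoped run cannot lock out the administrator."""
    report = BlockReport()
    for user in users:
        dn = ldap_dn_of(user)
        if getattr(user, "bot", False) or user.username == "root" or dn is None:
            report.skipped.append(user.username)
            continue
        if ldap_is_active(dn):
            continue
        if not dry_run:
            user.block()  # python-gitlab: User.block() -> POST /users/:id/block
        report.blocked.append(user.username)
    return report

@dataclass
class FakeUser:
    """Constructed stand-in for a python-gitlab User, for the offline demo."""
    username: str
    identities: list
    bot: bool = False
    blocked: bool = False
    def block(self):
        self.blocked = True

SAMPLE_USERS = [  # constructed sample data: bob has left the school
    FakeUser("alice", [{"provider": "ldapmain", "extern_uid": "uid=alice,ou=students,dc=example"}]),
    FakeUser("bob", [{"provider": "ldapmain", "extern_uid": "uid=bob,ou=students,dc=example"}]),
    FakeUser("root", []),
    FakeUser("ci-bot", [], bot=True),
]
STILL_IN_LDAP = {"uid=alice,ou=students,dc=example"}  # constructed: what the LDAP search would return
```

Run it with `dry_run=True` first and compare the report against what GitLab's own LDAP sync would have blocked before switching `dry_run` off.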

Hi Denis,
We have set the "Size limit per repository (MB)" setting to 2000 (2 GB) to be able to keep many small repos. If needed, the admin can change this per repo or group.

We also use the python-gitlab api (python-gitlab v3.8.1) for some scripts to really delete users that are gone. With git.projects.list(all=True) you do not need paging, just some patience.

Blocking users (LDAP sync) is done by gitlab automatically and I would like to keep it that way without extra scripts.