SAML Group Links (Azure AD) - SCIM provisioning

I sincerely apologize if this is repetitive, but I have Googled the S4!T out of this and I cannot find a resolution.

I have successfully configured SAML and can authenticate, but my SCIM GROUP memberships are simply not cooperating. Below is my Azure AD configuration and my attribute mappings. I’m hoping someone can help with this SCIM error.

Config:
Target Object Actions
Create = True
Update = True
Delete = True

Group Name in Azure AD = GitLab-Owners
SAML Group Name in GitLab = GitLab-Owners (see screenshot attached)

Attribute Mappings:
displayName = displayName
objectId = externalId

Error from Azure AD:
Match group between source and target system
Failed to match an entry in the source and target systems Group 'GitLab-Owners'

Error code
SystemForCrossDomainIdentityManagementServerError

Error message
Received response from Web resource.
Resource: https://gitlab.com/users/sign_in
Operation: GET
Response Status Code: ServiceUnavailable
Response Headers: Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: same-origin
Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=248f7I8CuXy3R%2Be5GwSKxmeuC%2FwcAxE83Ax2w0xS5jbyGHsDsTM9JTlyrIrQfdEEZQsTtunblh%2FKFLziYwGsSoqEPO3y9hSP82%2BpIYN9rg9Bm31SX3mMEW8Jn0I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
CF-RAY: 76a3295b3c2b05c6-IAD
Cache-Control: no-store, must-revalidate, no-cache, max-age=0, private, post-check=0, pre-check=0
Date: Mon, 14 Nov 2022 22:25:10 GMT
Server: cloudflare
Response Content:

I’m having the same issue and since I don’t see any replies to your original post which is almost a year old, I guess I won’t hold my breath for a solution.

Hi folks! Please note that SAML Group Links are different from SCIM Group Provisioning. At this time, GitLab doesn’t support SCIM Group Provisioning, so enabling it will only result in errors in your SCIM provisioning logs. Instead, you’ll need to manually create groups and set up SAML Group Sync to populate the groups using your Identity Provider.


We were able to figure this out on our own.

In Azure, we had to turn off the Group provisioning. User provisioning has the following mappings:

objectId = externalId (matching precedence of "1")
Switch([IsSoftDeleted], , "False", "True", "True", "False") = active
userPrincipalName = emails[type eq "work"].value
mailNickname = userName

In the SAML SSO settings, Attributes & Claims is as follows:
email = user.mail
firstname = user.givenname
lastname = user.surname
name = user.userprincipalname
Groups = user.groups
Unique User Identifier = user.objectid

Hope this helps. Feel free to reach out directly if you need more assistance.
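As an added illustration of the user mappings in the post above (this is example code, not anything from the thread, from GitLab or from Microsoft), the script below takes constructed Azure AD user objects and builds the SCIM User resource those mappings produce, evaluates the Switch() expression that turns IsSoftDeleted into active, builds the externalId lookup filter Azure AD uses for matching (precedence 1), and checks that the SAML NameID (user.objectid) equals the SCIM externalId so the SSO identity and the provisioned identity line up. The sample users, the function names and the assumption that Azure AD exports IsSoftDeleted as the strings "True"/"False" are mine; the attribute names follow the post.

```python
"""Worked example of the Azure AD -> GitLab SCIM user mappings from the thread.

Assumptions (not taken from the thread): the helper names below, the sample
users at the bottom, and that IsSoftDeleted arrives as the strings "True" or
"False" (which is why the posted Switch() compares against those literals).
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def azure_switch(value, default, *pairs):
    """Mimic the Azure AD provisioning expression
    Switch(source, defaultValue, key1, value1, key2, value2, ...)."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/value pairs after the default")
    for key, result in zip(pairs[::2], pairs[1::2]):
        if value == key:
            return result
    return default


def is_active(azure_user):
    """active = Switch([IsSoftDeleted], , "False", "True", "True", "False").
    A soft-deleted user maps to active=False; an unexpected value falls through
    to the empty default, which is treated as not active (fail closed)."""
    flag = str(azure_user.get("IsSoftDeleted", "False"))
    return azure_switch(flag, "", "False", "True", "True", "False") == "True"


def to_scim_user(azure_user):
    """Build the SCIM User body for the posted mappings:
    objectId -> externalId, mailNickname -> userName,
    userPrincipalName -> emails[type eq "work"].value, Switch(...) -> active."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": azure_user["objectId"],
        "userName": azure_user["mailNickname"],
        "active": is_active(azure_user),
        "emails": [
            {"type": "work", "primary": True,
             "value": azure_user["userPrincipalName"]}
        ],
    }


def scim_match_filter(azure_user):
    """The lookup Azure AD performs before create/update when externalId has
    matching precedence 1.  Backslashes and quotes in the value are escaped so a
    crafted objectId cannot alter the filter."""
    ext = azure_user["objectId"].replace("\\", "\\\\").replace('"', '\\"')
    return f'externalId eq "{ext}"'


def saml_name_id_matches(azure_user, saml_name_id):
    """The SSO claims use user.objectid as the Unique User Identifier (NameID).
    It must equal the SCIM externalId, otherwise the SAML login and the
    provisioned SCIM identity are two different people to the service."""
    return saml_name_id == azure_user["objectId"]


if __name__ == "__main__":
    # Constructed sample users; not real tenant data.
    users = [
        {"objectId": "11111111-2222-3333-4444-555555555555",
         "mailNickname": "jdoe", "userPrincipalName": "jdoe@example.com",
         "IsSoftDeleted": "False"},
        {"objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
         "mailNickname": "asmith", "userPrincipalName": "asmith@example.com",
         "IsSoftDeleted": "True"},
    ]
    for u in users:
        print(scim_match_filter(u))
        print(json.dumps(to_scim_user(u), indent=2))
        print("NameID matches externalId:",
              saml_name_id_matches(u, u["objectId"]))
```

Note that this only models user provisioning; per the GitLab reply earlier in the thread, group objects should not be provisioned over SCIM at all, and membership comes from SAML Group Sync using the Groups claim (user.groups) instead.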