Commit dee88dcb authored by Cynthia Ng's avatar Cynthia Ng Committed by Mike Jang

Remove confusing Azure steps and provide result

parent 9eec48b6
...@@ -50,19 +50,13 @@ Once [Group Single Sign-On](index.md) has been configured, we can: ...@@ -50,19 +50,13 @@ Once [Group Single Sign-On](index.md) has been configured, we can:
The SAML application that was created during [Single sign-on](index.md) setup for [Azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) now needs to be set up for SCIM. The SAML application that was created during [Single sign-on](index.md) setup for [Azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) now needs to be set up for SCIM.
1. Check the configuration for your GitLab SAML app and ensure that **Name identifier value** (NameID) points to `user.objectid` or another unique identifier. This matches the `extern_uid` used on GitLab.
![Name identifier value mapping](img/scim_name_identifier_mapping.png)
1. Set up automatic provisioning and administrative credentials by following the 1. Set up automatic provisioning and administrative credentials by following the
[Provisioning users and groups to applications that support SCIM](https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#provisioning-users-and-groups-to-applications-that-support-scim) section in Azure's SCIM setup documentation. [Azure's SCIM setup documentation](https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#provisioning-users-and-groups-to-applications-that-support-scim).
During this configuration, note the following: During this configuration, note the following:
- The `Tenant URL` and `secret token` are the ones retrieved in the - The `Tenant URL` and `secret token` are the ones retrieved in the
[previous step](#gitlab-configuration). [previous step](#gitlab-configuration).
- Should there be any problems with the availability of GitLab or similar
errors, the notification email set gets those.
- It is recommended to set a notification email and check the **Send an email notification when a failure occurs** checkbox. - It is recommended to set a notification email and check the **Send an email notification when a failure occurs** checkbox.
- For mappings, we will only leave `Synchronize Azure Active Directory Users to AppName` enabled. - For mappings, we will only leave `Synchronize Azure Active Directory Users to AppName` enabled.
...@@ -70,42 +64,30 @@ You can then test the connection by clicking on **Test Connection**. If the conn ...@@ -70,42 +64,30 @@ You can then test the connection by clicking on **Test Connection**. If the conn
#### Configure attribute mapping #### Configure attribute mapping
1. Click on `Synchronize Azure Active Directory Users to AppName` to configure the attribute mapping. Follow [Azure documentation to configure the attribute mapping](https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes).
1. Click **Delete** next to the `mail` mapping.
1. Map `userPrincipalName` to `emails[type eq "work"].value` and change its **Matching precedence** to `2`.
1. Map `mailNickname` to `userName`.
1. Determine how GitLab uniquely identifies users.
- Use `objectId` unless users already have SAML linked for your group. The following table below provides an attribute mapping known to work with GitLab. If
- If you already have users with SAML linked then use the `Name ID` value from the [SAML configuration](#azure). Using a different value may cause duplicate users and prevent users from accessing the GitLab group. your SAML configuration differs from [the recommended SAML settings](index.md#azure-setup-notes),
modify the corresponding `customappsso` settings accordingly. If a mapping is not listed in the
table, use the Azure defaults.
1. Create a new mapping: | Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
1. Click **Add New Mapping**. | -------------------------------- | ---------------------- | -------------------- |
1. Set: | `objectId` | `externalId` | 1 |
- **Source attribute** to the unique identifier determined above, typically `objectId`. | `userPrincipalName` | `emails[type eq "work"].value` | |
- **Target attribute** to `externalId`. | `mailNickname` | `userName` | |
- **Match objects using this attribute** to `Yes`.
- **Matching precedence** to `1`.
1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`. For guidance, you can view [an example configuration in the troubleshooting reference](../../../administration/troubleshooting/group_saml_scim.md#azure-active-directory).
1. Save your changes. For reference, you can view [an example configuration in the troubleshooting reference](../../../administration/troubleshooting/group_saml_scim.md#azure-active-directory).
NOTE:
If you used a unique identifier **other than** `objectId`, be sure to map it to `externalId`.
1. Below the mapping list click on **Show advanced options > Edit attribute list for AppName**. 1. Below the mapping list click on **Show advanced options > Edit attribute list for AppName**.
1. Ensure the `id` is the primary and required field, and `externalId` is also required. 1. Ensure the `id` is the primary and required field, and `externalId` is also required.
NOTE: NOTE:
`username` should neither be primary nor required as we don't support `username` should neither be primary nor required as we don't support
that field on GitLab SCIM yet. that field on GitLab SCIM yet.
1. Save all the screens and, in the **Provisioning** step, set 1. Save all changes.
the `Provisioning Status` to `On`. 1. In the **Provisioning** step, set the `Provisioning Status` to `On`.
![Provisioning status toggle switch](img/scim_provisioning_status.png)
NOTE: NOTE:
You can control what is actually synced by selecting the `Scope`. For example, You can control what is actually synced by selecting the `Scope`. For example,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment