Diffstat (limited to 'doc/user/group/saml_sso/group_sync.md')
-rw-r--r-- | doc/user/group/saml_sso/group_sync.md | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/doc/user/group/saml_sso/group_sync.md b/doc/user/group/saml_sso/group_sync.md index 65c4d68f743..27482893bd6 100644 --- a/doc/user/group/saml_sso/group_sync.md +++ b/doc/user/group/saml_sso/group_sync.md @@ -109,9 +109,9 @@ Users granted: ### Automatic member removal -After a group sync, for GitLab subgroups, users who are not members of a mapped SAML -group are removed from the group. Users in the top-level group are assigned the -[default membership role](index.md#role). +After a group sync, users who are not members of a mapped SAML group are removed from the group. +On GitLab.com, users in the top-level group are assigned the +[default membership role](index.md#role) instead of being removed. For example, in the following diagram: 
@@ -191,23 +191,23 @@ graph TB GitLabGroupD --> |Member|GitLabUserD ``` -### Use the API +#### User that belongs to many SAML groups automatically removed from GitLab group -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/290367) in GitLab 15.3. +When using Azure AD as the SAML identity provider, users that belong to many SAML groups can be automatically removed from your GitLab group. Users are removed from GitLab +groups if the group claim is missing from the user's SAML assertion. -You can use the GitLab API to [list, add, and delete](../../../api/groups.md#saml-group-links) SAML group links. +Because of a [known issue with Azure AD](https://support.esri.com/en/technical-article/000022190), if a user belongs to more than 150 SAML groups, the group claim is not sent +in the user's SAML assertion. -## Troubleshooting +With an Azure AD premium subscription, you can allow up to 500 group IDs to be sent in a SAML token using the +[Azure AD documentation configuration steps](https://support.esri.com/en/technical-article/000022190). -This section contains possible solutions for problems you might encounter. +Otherwise, you can work around this issue by changing the [group claims](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-the-azure-ad-application-registration-for-group-attributes) to use the `Groups assigned to the application` option instead. -### User that belongs to many SAML groups automatically removed from GitLab group +![Manage Group Claims](img/Azure-manage-group-claims.png). -When using Azure AD as the SAML identity provider, users that belong to many SAML groups can be automatically removed from your GitLab group. Users are removed from GitLab -groups if the group claim is missing from the user's SAML assertion. 
+### Use the API -Because of a [known issue with Azure AD](https://support.esri.com/en/technical-article/000022190), if a user belongs to more than 150 SAML groups, the group claim is not sent -in the user's SAML assertion. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/290367) in GitLab 15.3. -To work around this issue, allow more than 150 group IDs to be sent in SAML token using configuration steps in the -[Azure AD documentation](https://support.esri.com/en/technical-article/000022190). +You can use the GitLab API to [list, add, and delete](../../../api/groups.md#saml-group-links) SAML group links. |
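Review bot: the rewritten "Automatic member removal" paragraph in the first hunk drops the "for GitLab subgroups" qualifier, so its first sentence now says removal applies to any group, while the second limits the default-role exception for top-level group members to GitLab.com; what happens to top-level group members on a self-managed instance is left implied (removed) but never stated. If that is the intended behaviour, add one explicit sentence, for example "On self-managed instances, this also applies to users in the top-level group."; if not, keep the original "for GitLab subgroups" scope. Because a sync revokes access automatically, administrators planning the first sync need to know which case applies to them before enabling it.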
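Review bot: in the second hunk, the new "With an Azure AD premium subscription" paragraph labels its link "Azure AD documentation configuration steps" but points it at the same support.esri.com article already used for the known-issue link, so a reader looking for the 500-group-ID setting lands on a third-party page rather than Microsoft's documentation; either relabel the link as the Esri article or point it at the Microsoft group-claims page cited in the following paragraph. Two smaller points in the same region: the image line `![Manage Group Claims](img/Azure-manage-group-claims.png).` has a stray trailing period that renders as text after the image, and the hunk removes the `## Troubleshooting` heading and its intro sentence while demoting the section to `####` under "Automatic member removal" without a sentence connecting the two, even though the moved text already states the link (users are removed when the group claim is missing from the assertion); one connecting sentence would make the relocation read as deliberate and tell readers that a missing claim is treated as "not a member", which is the fail-closed behaviour they should expect.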