Diffstat (limited to 'doc/user/group')
-rw-r--r-- doc/user/group/saml_sso/img/scim_advanced.png bin 6920 -> 0 bytes
-rw-r--r-- doc/user/group/saml_sso/img/scim_attribute_mapping.png bin 34642 -> 0 bytes
-rw-r--r-- doc/user/group/saml_sso/index.md 4
-rw-r--r-- doc/user/group/saml_sso/scim_setup.md 22
4 files changed, 10 insertions, 16 deletions
diff --git a/doc/user/group/saml_sso/img/scim_advanced.png b/doc/user/group/saml_sso/img/scim_advanced.png
deleted file mode 100644
index c9e095dc89a..00000000000
--- a/doc/user/group/saml_sso/img/scim_advanced.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/group/saml_sso/img/scim_attribute_mapping.png b/doc/user/group/saml_sso/img/scim_attribute_mapping.png
deleted file mode 100644
index 933d8fb6f36..00000000000
--- a/doc/user/group/saml_sso/img/scim_attribute_mapping.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index 1243cf7c2f5..7621679c6cc 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -415,7 +415,9 @@ Alternatively, an admin of your Identity Provider can use the [SCIM API](../../.
### Message: "SAML authentication failed: Email has already been taken"
-Same as ["SAML authentication failed: User has already been taken"](#message-saml-authentication-failed-user-has-already-been-taken).
+| Cause | Solution |
+|------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
+| When a user account with the email address already exists in GitLab, but the user does not have the SAML identity tied to their account. | The user will need to [link their account](#user-access-and-management). |
### Message: "SAML authentication failed: Extern uid has already been taken, User has already been taken"
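Review bot: The Cause cell in the new table row is a dependent clause ("When a user account with the email address already exists in GitLab, but ...") with no main clause, and the Solution cell uses future tense ("will need to"). Suggest "A user account with this email address already exists in GitLab, but the SAML identity is not tied to it." and "The user needs to [link their account](#user-access-and-management)." The removed line sent readers to the "User has already been taken" section and this row now sends them to `#user-access-and-management`, which is not visible in this hunk, so please confirm that anchor exists in index.md and that the section it points to actually describes linking an existing account to a SAML identity. The separator row is padded to the full cell width; that renders fine but makes every later edit to this table touch both lines.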
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index e38cc73d035..e4dff12b004 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -62,7 +62,7 @@ You can then test the connection by clicking on **Test Connection**. If the conn
#### Configure attribute mapping
-1. Click on `Synchronize Azure Active Directory Users to AppName`, to configure the attribute mapping.
+1. Click on `Synchronize Azure Active Directory Users to AppName` to configure the attribute mapping.
1. Click **Delete** next to the `mail` mapping.
1. Map `userPrincipalName` to `emails[type eq "work"].value` and change its **Matching precedence** to `2`.
1. Map `mailNickname` to `userName`.
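Review bot: In the changed step 1, the UI label `Synchronize Azure Active Directory Users to AppName` is in code formatting, while the other UI elements in the same list (**Delete**, **Matching precedence**) are bold. Since the line is already being touched for the comma, consider bolding the label so that backticks in this list are reserved for attribute names such as `mail`, `userPrincipalName` and `mailNickname`.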
@@ -74,33 +74,25 @@ You can then test the connection by clicking on **Test Connection**. If the conn
1. Create a new mapping:
1. Click **Add New Mapping**.
1. Set:
- - **Source attribute** to the unique identifier determined above.
- - **Target attribute** to `id`.
+ - **Source attribute** to the unique identifier determined above, typically `objectId`.
+ - **Target attribute** to `externalId`.
- **Match objects using this attribute** to `Yes`.
- **Matching precedence** to `1`.
-1. Create another new mapping:
- 1. Click **Add New Mapping**.
- 1. Set:
- - **Source attribute** to the unique identifier determined above.
- - **Target attribute** to `externalId`.
-1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`.
- Save your changes and you should have the following configuration:
+1. Click the `userPrincipalName` mapping and change **Match objects using this attribute** to `No`.
- ![Azure's attribute mapping configuration](img/scim_attribute_mapping.png)
+1. Save your changes. For reference, you can view [an example configuration in the troubleshooting reference](../../../administration/troubleshooting/group_saml_scim.md#azure-active-directory).
- NOTE: **Note:** If you used a unique identifier **other than** `objectId`, be sure to map it instead to both `id` and `externalId`.
+ NOTE: **Note:** If you used a unique identifier **other than** `objectId`, be sure to map it to `externalId`.
1. Below the mapping list click on **Show advanced options > Edit attribute list for AppName**.
-1. Leave the `id` as the primary and only required field.
+1. Ensure the `id` is the primary and required field, and `externalId` is also required.
NOTE: **Note:**
`username` should neither be primary nor required as we don't support
that field on GitLab SCIM yet.
- ![Azure's attribute advanced configuration](img/scim_advanced.png)
-
1. Save all the screens and, in the **Provisioning** step, set
the `Provisioning Status` to `On`.
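Review bot: The new step "Ensure the `id` is the primary and required field, and `externalId` is also required" still depends on `id`, but this hunk removes the only mapping whose target was `id` and also drops `id` from the note about identifiers other than `objectId`. A reader following the new steps maps the unique identifier to `externalId` only, so that step should say that `id` is intentionally left unmapped and why it stays primary in the attribute list; as written it reads like a leftover from the old instructions. In the visible steps `externalId` becomes the only attribute with **Match objects using this attribute** set to `Yes` (precedence `1`, with `userPrincipalName` switched to `No`), so it is the single key that ties an Azure user to a GitLab account; a short sentence stating that would help administrators understand why the source attribute has to be the unique identifier. Two smaller points: the note "be sure to map it to `externalId`" now repeats the Source/Target bullets above it and could be folded into them, and the link to `group_saml_scim.md#azure-active-directory` replaces both deleted screenshots, so please confirm that the anchor exists and that the example there shows the `externalId` mapping rather than the old `id` one.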