debian-mirror-gitlab/doc/administration/auth/index.md

---
comments: false
type: index
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# GitLab authentication and authorization **(FREE SELF)**

GitLab integrates with a number of [OmniAuth providers](../../integration/omniauth.md#supported-providers),
and the following external authentication and authorization providers:

- [LDAP](ldap/index.md): Includes Active Directory, Apple Open Directory, Open LDAP,
  and 389 Server.
  - [Google Secure LDAP](ldap/google_secure_ldap.md)
- [SAML for GitLab.com groups](../../user/group/saml_sso/index.md) **(PREMIUM SAAS)**
- [Smartcard](smartcard.md) **(PREMIUM SELF)**

NOTE:
UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.

## SaaS vs Self-Managed Comparison

The external authentication and authorization providers may support the following capabilities.
For more information, see the links shown on this page for each external provider.

| Capability                                      | SaaS                                    | Self-managed                       |
|-------------------------------------------------|-----------------------------------------|------------------------------------|
| **User Provisioning**                           | SCIM<br>SAML <sup>1</sup> | LDAP <sup>1</sup><br>SAML <sup>1</sup><br>[OmniAuth Providers](../../integration/omniauth.md#supported-providers) <sup>1</sup> |
| **User Detail Updating** (not group management) | Not Available                           | LDAP Sync                          |
| **Authentication**                              | SAML at top-level group (1 provider)    | LDAP (multiple providers)<br>Generic OAuth2<br>SAML (only 1 permitted per unique provider)<br>Kerberos<br>JWT<br>Smartcard<br>[OmniAuth Providers](../../integration/omniauth.md#supported-providers) (only 1 permitted per unique provider) |
| **Provider-to-GitLab Role Sync**                | SAML Group Sync                         | LDAP Group Sync<br>SAML Group Sync ([GitLab 15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/285150) and later) |
| **User Removal**                                | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance) |

1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`---`
			`comments: false`
			`type: index`
			`stage: Manage`
New upstream version 14.8.5+ds1 2022-04-04 11:22:00 +05:30			`group: Authentication and Authorization`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
			`---`

			`# GitLab authentication and authorization (FREE SELF)`

New upstream version 15.1.3+ds1 2022-07-23 23:45:48 +05:30			`GitLab integrates with a number of [OmniAuth providers](../../integration/omniauth.md#supported-providers),`
			`and the following external authentication and authorization providers:`

New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`- [LDAP](ldap/index.md): Includes Active Directory, Apple Open Directory, Open LDAP,`
			`and 389 Server.`
			`- [Google Secure LDAP](ldap/google_secure_ldap.md)`
			`- [SAML for GitLab.com groups](../../user/group/saml_sso/index.md) (PREMIUM SAAS)`
			`- [Smartcard](smartcard.md) (PREMIUM SELF)`

			`NOTE:`
			`UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.`

			`## SaaS vs Self-Managed Comparison`

			`The external authentication and authorization providers may support the following capabilities.`
			`For more information, see the links shown on this page for each external provider.`

New upstream version 15.2.2+ds1 2022-08-13 15:12:31 +05:30			`\| Capability \| SaaS \| Self-managed \|`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`\|-------------------------------------------------\|-----------------------------------------\|------------------------------------\|`
New upstream version 15.2.2+ds1 2022-08-13 15:12:31 +05:30			`\| User Provisioning \| SCIM<br>SAML <sup>1</sup> \| LDAP <sup>1</sup><br>SAML <sup>1</sup><br>[OmniAuth Providers](../../integration/omniauth.md#supported-providers) <sup>1</sup> \|`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`\| User Detail Updating (not group management) \| Not Available \| LDAP Sync \|`
New upstream version 15.2.2+ds1 2022-08-13 15:12:31 +05:30			`\| Authentication \| SAML at top-level group (1 provider) \| LDAP (multiple providers)<br>Generic OAuth2<br>SAML (only 1 permitted per unique provider)<br>Kerberos<br>JWT<br>Smartcard<br>[OmniAuth Providers](../../integration/omniauth.md#supported-providers) (only 1 permitted per unique provider) \|`
New upstream version 15.1.3+ds1 2022-07-23 23:45:48 +05:30			`\| Provider-to-GitLab Role Sync \| SAML Group Sync \| LDAP Group Sync<br>SAML Group Sync ([GitLab 15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/285150) and later) \|`
New upstream version 15.2.2+ds1 2022-08-13 15:12:31 +05:30			`\| User Removal \| SCIM (remove user from top-level group) \| LDAP (remove user from groups and block from the instance) \|`

			`1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.`