--- comments: false type: index stage: Manage group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # GitLab authentication and authorization **(FREE SELF)** GitLab integrates with a number of [OmniAuth providers](../../integration/omniauth.md#supported-providers), and the following external authentication and authorization providers: - [LDAP](ldap/index.md): Includes Active Directory, Apple Open Directory, Open LDAP, and 389 Server. - [Google Secure LDAP](ldap/google_secure_ldap.md) - [SAML for GitLab.com groups](../../user/group/saml_sso/index.md) **(PREMIUM SAAS)** - [Smartcard](smartcard.md) **(PREMIUM SELF)** NOTE: UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration. ## SaaS vs Self-Managed Comparison The external authentication and authorization providers may support the following capabilities. For more information, see the links shown on this page for each external provider. | Capability | SaaS | Self-managed | |-------------------------------------------------|-----------------------------------------|------------------------------------| | **User Provisioning** | SCIM
SAML 1 | LDAP 1
SAML 1
[OmniAuth Providers](../../integration/omniauth.md#supported-providers) 1 | | **User Detail Updating** (not group management) | Not Available | LDAP Sync | | **Authentication** | SAML at top-level group (1 provider) | LDAP (multiple providers)
Generic OAuth2
SAML (only 1 permitted per unique provider)
Kerberos
JWT
Smartcard
[OmniAuth Providers](../../integration/omniauth.md#supported-providers) (only 1 permitted per unique provider) | | **Provider-to-GitLab Role Sync** | SAML Group Sync | LDAP Group Sync
SAML Group Sync ([GitLab 15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/285150) and later) | | **User Removal** | SCIM (remove user from top-level group) | LDAP (remove user from groups and block from the instance) | 1. Using Just-In-Time (JIT) provisioning, user accounts are created when the user first signs in.