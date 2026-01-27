Single sign-on (SSO) simplifies user authentication and improves security by allowing employees to access multiple applications with one set of credentials. For organizations using both GitLab and Google Workspace, integrating SAML-based SSO streamlines access management and ensures your teams can collaborate seamlessly.
In this guide, we'll walk through configuring SAML authentication between Google Workspace and GitLab.com, including automatic group synchronization that maps Google Workspace groups to GitLab roles. By the end, your users will be able to sign in to GitLab using their Google credentials, and their permissions will automatically reflect their Google group memberships.
Critical: The app attribute name MUST be exactly groups (lowercase). This is what GitLab expects to receive in the SAML response. Any other value or capitalization will prevent group synchronization from working.
Step 8: Enable the application for users
Your SAML app is created but not yet enabled. To make it available to users:
In the Google Admin Console, find your GitLab app in the Web and mobile apps list.
Click on the app to open its details.
In the left sidebar, click User access.
Select one of the following:
ON for everyone - Enables the app for all users in your organization
ON for some organizational units - Select specific organizational units
Click Save.
Note: Changes can take up to 24 hours to propagate, but typically take effect within a few minutes.
Part 3: Convert the certificate to SHA-1 fingerprint format
GitLab requires a SHA-1 certificate fingerprint, but Google's certificate download doesn't include this format directly. You'll need to convert it.
Step 9: Convert your certificate
You have two options for converting the certificate to the required format.
Option 1: Online conversion tool
This is a viable method if you're comfortable using a third-party tool:
Locate the certificate file you downloaded in Step 5:
Check your Downloads folder
The file name will be something like: GoogleIDPCertificate-gitlab.pem
Open the file in a text editor:
Mac: Right-click > Open With > TextEdit
Windows: Right-click > Open With > Notepad
Linux: Use your preferred text editor
Copy ALL contents of the file, including the header and footer:
You should be redirected to the Google sign-in page.
Sign in with a Google Workspace account that has access to the GitLab app.
After successful authentication, you should be redirected back to GitLab.
If the test succeeds, you can proceed to configure group synchronization.
If the test fails, check the following:
Verify the certificate fingerprint is SHA-1 format (not SHA-256).
Confirm the SSO URL is correct.
Ensure the user has access to the GitLab SAML app in Google Admin Console.
Check that the ACS URL and Entity ID match exactly.
Part 5: Set up SAML group synchronization
Now it's time to map your Google Workspace groups to GitLab roles so that permissions are automatically managed based on group membership.
Step 13: Configure default membership role
As a security best practice, set a minimal default role for users who log in but don't belong to any mapped groups:
In your GitLab group, navigate to Settings > General.
Expand the Permissions and group features section.
Under Default membership role, select Minimal Access or Guest.
Click Save changes.
Step 14: Create SAML group links
SAML Group Links are the mappings between Google Workspace groups and GitLab roles. Here's how to create them:
In your GitLab group, navigate to Settings > SAML Group Links.
Click "Add new SAML Group Link".
For each Google Workspace group you want to sync:
SAML Group Name:
Enter the exact name of your Google Workspace group
This is case-sensitive and must match perfectly
Example: Engineering (not engineering)
To find the exact name: Google Admin Console > Directory > Groups
Access Level: Select the appropriate GitLab role:
Minimal Access - Can see that the group exists
Guest - Can view issues and leave comments
Reporter - Can pull code, view issues, and create new issues
Developer - Can push code, create merge requests, and manage issues
Maintainer - Can manage project settings and members
Owner - Full administrative control over the group
Click Save.
Repeat this process for each Google Workspace group you want to map.
Note: SAML group sync rules are enforced every time a user signs in. If a user's Google group membership matches a sync rule, their GitLab role will be automatically set to the configured access level, even if you've manually changed it to something different. For example, if you set up a sync rule that grants "Maintainer" access and then manually promote a user to "Owner," they'll be automatically downgraded back to "Maintainer" on their next SAML sign-in.
Best practices: To maintain custom access levels for specific users, do one of the following:
Use SAML group sync only on your top-level group and manually manage permissions in subgroups
Create separate Google groups for users who need elevated permissions
Avoid setting up sync rules that would conflict with manual role assignments
Here's a practical example of how you might structure your group mappings:
Google Workspace Group
GitLab Role
Purpose
GitLab-Admins
Owner
Full administrative access
Engineering-Team
Maintainer
Can manage projects and settings
Developer-Team
Developer
Can write and push code
QA-Team
Developer
Can test and manage issues
Contractors
Reporter
Read-only access to code
All-Employees
Minimal Access
Basic visibility
Step 15: Verify your group links
After creating all your group links:
Review the complete list of SAML Group Links in Settings > SAML Group Links.
Verify each SAML Group Name exactly matches the corresponding Google Workspace group.
Verify each Access Level is appropriate for the intended purpose.
Check for any typos or extra spaces.
Part 6: Test the complete configuration
Now it's time to test the entire setup including group synchronization.
Step 16: Test with a real user
Choose a test user who meets these criteria:
Has a Google Workspace account
Is a member of at least one Google Workspace group you configured
Has the GitLab SAML app enabled in Google Admin Console
Ideally is not you (to ensure a realistic test)
To perform the test:
Open an incognito or private browsing window
Navigate to your GitLab SSO URL:
https://gitlab.com/groups/your-group/-/saml/sso
Sign in with the test user's Google Workspace credentials
The user should be:
Authenticated successfully
Redirected to GitLab
Automatically added to the GitLab group
Assigned the appropriate role based on their Google group membership
Step 17: Verify group membership and role assignment
Using your GitLab administrator account:
Navigate to your group in GitLab.
Select Manage > Members from the left sidebar.
Find the test user in the members list.
Verify the following:
User appears in the members list
User has the correct Max role based on their Google group(s)
Source column shows a SAML indicator
Part 7: Configure subgroup access (optional)
For larger organizations, you may want to provide more granular access control using GitLab subgroups. SAML Group Links can be configured at any level of your group hierarchy, allowing you to map different Google Workspace groups to specific teams or projects.
Understanding GitLab's subgroup structure
GitLab supports nested group hierarchies that can mirror your organizational structure: