Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a SAML app in Yandex Identity Hub for integration with Managed Service for GitLab

Written by
Updated at November 12, 2025

Note

This feature is at the Preview stage.

To authenticate your organization's users to Yandex Managed Service for GitLab via SAML SSO, create a SAML app in Identity Hub and configure it appropriately both in Identity Hub and Managed Service for GitLab.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

For the users of your organization to be able to access Managed Service for GitLab:

  1. Create a GitLab instance.
  2. Create an app in Identity Hub.
  3. Set up the integration.
  4. Make sure the application works correctly.

Create a GitLab instance

  1. In the management console, select the folder where you want to create a GitLab instance.

  2. Select Managed Service for GitLab.

  3. Click Create instance.

  4. At the top of the page:

    1. Enter the instance name. It must be unique throughout Yandex Cloud.

  5. Under Configuration:

    1. Select the instance type. After you create an instance, you can change its type to a higher performing one.

    2. Specify the availability zone. After you create an instance, you cannot change its availability zone.

    3. Specify the subnet where the instance will be hosted.

    4. Select a security group or create a new one:

      1. Click Create group.
      2. Enter a name and description for the security group. You can add rules for the security group later in Virtual Private Cloud.
      3. Click Create.

    5. Select the disk size. After you create an instance, you can increase its disk size.

    6. Specify the instance domain name: relevant DNS records will be automatically created for it in the .gitlab.yandexcloud.net domain.

    7. Set up the retention period for automatic backups (in days).

  6. Under Administrator data, specify:

    • Email: Email address of the GitLab instance administrator. This is the address to receive the email with a link to create a password.
    • Login: Administrator login.

  7. Click Create.

  8. Wait for the instance to get ready: its status on the Managed Service for GitLab dashboard will change to Running. This may take some time.

Create an app in Identity Hub

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:

    1. Select the SAML (Security Assertion Markup Language) single sign-on method.

    2. In the Name field, specify a name for your new app: managed-gitlab-app.

    3. Optionally, in the Description field, enter a description for the new app.

    4. Optionally, add labels:

      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.

    5. Click Create application.

  4. Save the Login URL, Issuer / IdP EntityID and Fingerprint values as you will need them in the next step.

Set up the integration

Set up GitLab authentication using OmniAuth

To enable GitLab authentication using OmniAuth, add an authentication provider:

  1. In the management console, go to the folder dashboard and select Managed Service for GitLab.

  2. Click the instance you created and select the OmniAuth tab.

  3. Click Configure.

  4. To add an authentication provider, click Add.

  5. Select SAML for the type and configure the provider as follows:

    • Label: Name of the authentication provider. Specify any name, e.g., Identity Hub.
    • Assertion consumer service URL: HTTPS endpoint of the GitLab instance. To create this URL, add /users/auth/saml/callback to your GitLab instance URL, such as https://example.gitlab.yandexcloud.net/users/auth/saml/callback.
    • IDP certificate fingerprint: SHA1 fingerprint of a public certificate key. Use the Fingerprint field value you got when creating the app in Identity Hub.
    • IDP SSO target URL: URL of the IdP. Use the Login URL field value.
    • Issuer: Unique ID of the application where user authentication will be performed, such as https://example.gitlab.yandexcloud.net.
    • Name identifier format: Name ID format. Set it to Persistent.
    • Allow single sign on: Allow using SSO. Set the true value. If set to false, only users who already have a GitLab account will be able to authenticate.
    • Auto link users by email: Map the username in OmniAuth to that in GitLab if they have the same email address linked. Set the true value.
    • Block auto-created users: Automatically switch the created accounts to Pending approval until they get approved by an administrator. Set the false value.
    • External provider: Set the external attribute for the provider. Users authenticated through this provider will be treated as external and will have no access to internal projects. Set the false value.
    • Auto link LDAP user: Create an LDAP entity for automatically created accounts. This parameter only applies to instances with an LDAP provider connected. Set the false value.

  6. Click Create.

Set up the SAML application in Yandex Identity Hub

Set up service provider endpoints

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the SAML app.
  3. At the top right, click Edit and in the window that opens:
    1. In the SP EntityID field, provide the endpoint URL you specified under Issuer when setting up OmniAuth.
    2. In the ACS URL field, provide the endpoint URL you specified under Assertion consumer service URL when setting up OmniAuth, e.g., https://example.gitlab.yandexcloud.net/users/auth/saml/callback.
    3. Click Save.

Configure user attributes

Warning

For integration with GitLab, users must have the email attribute.

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the desired app.

  3. Navigate to the Attributes tab.

  4. Click the emailaddress attribute and do the following in the window that opens:

    1. Change the Attribute name field value to email.
    2. Click Update.

For more information about configuring attributes, see Configure user and group attributes.

Add a user

For your organization's users to be able to authenticate in GitLab with Identity Hub's SAML app, you need to explicitly add these users and/or user groups to the SAML application.

Note

Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.

  1. Add users to the application:

    1. Log in to Yandex Identity Hub.
    2. In the left-hand panel, select Apps and select the required app.
    3. Navigate to the Users and groups tab.
    4. Click Add users.
    5. In the window that opens, select the required user or user group.
    6. Click Add.

Make sure your application works correctly

To make sure both your SAML app and GitLab integration work correctly, authenticate to GitLab as one of the users you added to the app. Proceed as follows:

  1. In your browser, open the URL of your GitLab instance, e.g., https://example.gitlab.yandexcloud.net.
  2. If you are already authenticated in GitLab, log out.
  3. On the GitLab authentication page, click the name of the authentication provider you created (Identity Hub in this example).
  4. On the Yandex Cloud authentication page, enter the user email address and password. The user or group they belong to must be added to the application. The user must also have their email address specified.
  5. Make sure you have successfully authenticated in GitLab.
Previous
Managed Service for OpenSearch
Next
Zabbix