Beyond Identity
DETAILS:
Tier: Premium, Ultimate
Offering: Self-managed, GitLab Dedicated
- Introduced in GitLab 16.9.
Configure GitLab to verify GPG keys that were issued by Beyond Identity and added to a user profile.
Set up the Beyond Identity integration for your instance
Prerequisites:
- You must have administrator access to the GitLab instance.
- The email address used in the GitLab profile must be the same as the email assigned to the key in the Beyond Identity Authenticator.
- You must have a Beyond Identity API token. You can request it from their Sales Engineer.
To enable the Beyond Identity integration for your instance:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Under Enable integration, select the Active checkbox.
- In API token, paste the API token you received from Beyond Identity.
- Select Save changes.
The Beyond Identity integration for your instance is now enabled.
GPG key verification
When a user adds a GPG key to their profile, the key is verified:
- If the key wasn't issued by the Beyond Identity Authenticator, it's accepted.
- If the key was issued by the Beyond Identity Authenticator, but the key is invalid, it's rejected. For example, the email used in the user's GitLab profile is different from the email assigned to the key in the Beyond Identity Authenticator.
When a user pushes a commit, GitLab checks that the commit was signed with a GPG key uploaded to the user's profile. If the signature cannot be verified, the push is rejected. Web commits are accepted without a signature.
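A local pre-push audit that lists commits likely to be rejected by the push check described above. This is an added example, not GitLab or Beyond Identity code. It assumes the signing key's public half is in the local GPG keyring, that only `%G?` statuses `G` and `U` count as signed, and that the committer email should equal the GitLab profile email; the function names and sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not GitLab code): list commits likely to fail the push check.

# Constructed sample of `git log --format='%H%x09%G?%x09%ce'` output:
# commit id, signature status, committer email, tab-separated.
sample_log() {
  printf 'a1a1a1\tG\tdev@example.com\n'
  printf 'b2b2b2\tN\tdev@example.com\n'
  printf 'c3c3c3\tG\tother@example.com\n'
  printf 'd4d4d4\tE\tdev@example.com\n'
}

# classify_commits EMAIL: reads that format on stdin, prints one line per
# commit that is unsigned, unverifiable, or committed under another email.
classify_commits() {
  awk -F '\t' -v want="$1" '
    # %G? codes: G = good signature, U = good signature, unknown local trust.
    # Anything else (N none, B bad, E cannot check, X/Y/R expired or revoked)
    # is treated here as failing; that mapping is an assumption.
    $2 != "G" && $2 != "U" { printf "%s signature-%s\n", $1, $2; next }
    tolower($3) != tolower(want) { printf "%s email-mismatch %s\n", $1, $3 }
  '
}

# audit_range RANGE EMAIL: run the check over real commits before pushing.
audit_range() {
  git log --format='%H%x09%G?%x09%ce' "$1" | classify_commits "$2"
}

# Usage: ./audit.sh origin/main..HEAD you@example.com
if [ "$#" -eq 2 ]; then
  audit_range "$1" "$2"
fi
```

An empty result means every commit in the range carries a signature that verifies locally under the expected email; GitLab still makes the final decision against the keys uploaded to the profile.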
Skip push check for service accounts
- Introduced in GitLab 16.11.
Prerequisites:
- You must have administrator access to the GitLab instance.
To skip the push check for service accounts:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Select the Exclude service accounts checkbox.
- Select Save changes.
Exclude groups or projects from the Beyond Identity check
- Introduced in GitLab 17.0 with a flag named beyond_identity_exclusions. Enabled by default.
- Ability to exclude groups introduced in GitLab 17.1.
FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.
Prerequisites:
- You must have administrator access to the GitLab instance.
To exclude groups or projects from the Beyond Identity check:
- Sign in to GitLab as an administrator.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Integrations.
- Select Beyond Identity.
- Select the Exclusions tab.
- Select Add exclusions.
- On the drawer, search and select groups or projects to exclude.
- Select Add exclusions.