Enterprise users (PREMIUM SAAS)

Enterprise users have user accounts that are administered by an organization that has purchased a GitLab subscription.

Enterprise users are identified by the Enterprise badge next to their names on the Members list.

Provision an enterprise user

A user account is considered an enterprise account when:

  • A user without an existing GitLab user account uses the group's SAML SSO to sign in for the first time.
  • SCIM creates the user account on behalf of the group.

A user can also manually connect an identity provider (IdP) to a GitLab account whose email address matches the subscribing organization's domain. By selecting Authorize when connecting these two accounts, the user account with the matching email address is classified as an enterprise user. However, this user account does not have an Enterprise badge in GitLab.

Although a user can be a member of more than one group, each user account can be provisioned by only one group. As a result, a user is considered an enterprise user under one top-level group only.

Verified domains for groups

The following automated processes use verified domains to run:

Set up a verified domain


  • A project with GitLab Pages, served under the default Pages domain *.gitlab.io.
  • A custom domain name example.com or subdomain subdomain.example.com.
  • Access to your domain's server control panel to set up a DNS TXT record to verify your domain's ownership.

Setting up a verified domain is similar to setting up a custom domain on GitLab Pages. However, you must:

  • Only configure the DNS TXT record to verify the domain's ownership.
  • Ignore instructions for the A, CNAME, and ALIAS records.
  1. Add a custom domain for the matching email domain.
    • The domain must match the email domain exactly. For example, if your email is username@example.com, verify the example.com domain.
  2. Get a verification code.
  3. Set up the DNS TXT for your custom domain.
  4. Verify the domain's ownership.
  5. Optional. Add more domain aliases.

View domains in group

To view all configured domains in your group:

  1. On the top bar, select Main menu > Groups and find your top-level group.
  2. On the left sidebar, select Settings > Domain Verification.

You then see:

  • A list of added domains.
  • The domains' status of Verified or Unverified.
  • The project where the domain has been configured.

Manage enterprise users in a namespace

A top-level Owner of a namespace on a paid plan can retrieve information about and manage enterprise user accounts in that namespace.

These enterprise user-specific actions are in addition to the standard group member permissions.

Disable two-factor authentication

Introduced in GitLab 15.8.

Top-level group Owners can disable two-factor authentication (2FA) for enterprise users.

To disable 2FA:

  1. On the top bar, select Main menu > Groups and find your group.
  2. On the left sidebar, select Group information > Members.
  3. Find a user with the Enterprise and 2FA badges.
  4. Select More actions ({ellipsis_v}) and select Disable two-factor authentication.

Prevent users from creating groups and projects outside the corporate group

A SAML identity administrator can configure the SAML response to set:

  • Whether users can create groups.
  • The maximum number of personal projects users can create.

For more information, see the supported user attributes for SAML responses.

Bypass email confirmation for provisioned users

A top-level group Owner can set up verified domains to bypass confirmation emails.

Get users' email addresses through the API

A top-level group Owner can use the group and project members API to access users' information, including email addresses.