Beyond Identity

{{< details >}}

• Tier: Premium, Ultimate
• Offering: GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

• Introduced in GitLab 16.9.

{{< /history >}}

In GitLab, users can sign their commits after adding a GPG key to their profile. The GitLab integration with Beyond Identity extends this feature.

When configured, this integration uses Beyond Identity to validate any new GPG key that a user adds to their profile. Keys that do not pass validation are rejected, and the user must upload a new key.

When a user pushes a signed commit to the GitLab instance, GitLab runs a pre-receive check to validate those commits against the GPG key stored in the user's profile. This ensures that only commits signed with validated keys are accepted.

Set up the Beyond Identity integration for your instance

Prerequisites:

• You must have administrator access to the GitLab instance.
• The email address used in the GitLab profile must be the same as the email assigned to the key in the Beyond Identity Authenticator.
• You must have a Beyond Identity API token. You can request it from their Sales Engineer.

To enable the Beyond Identity integration for your instance:

1. Sign in to GitLab as an administrator.
2. In the upper-right corner, select Admin.
3. Select Settings > Integrations.
4. Select Beyond Identity.
5. Under Enable integration, select the Active checkbox.
6. In API token, paste the API token you received from Beyond Identity.
7. Select Save changes.

The Beyond Identity integration for your instance is now enabled.

GPG key verification

When a user adds a GPG key to their profile, the key is verified:

• If the key wasn't issued by the Beyond Identity Authenticator, it's accepted.
• If the key was issued by the Beyond Identity Authenticator, but the key is invalid, it's rejected. For example: the email used in the user's GitLab profile is different from the email assigned to the key in the Beyond Identity Authenticator.

When a user pushes a commit, GitLab checks that the commit was signed by a GPG signature uploaded to the user profile. If the signature cannot be verified, the push is rejected. Web commits are accepted without a signature.

Skip push check for service accounts

{{< history >}}

• Introduced in GitLab 16.11.

{{< /history >}}

Prerequisites:

• You must have administrator access to the GitLab instance.

To skip the push check for service accounts:

1. Sign in to GitLab as an administrator.
2. In the upper-right corner, select Admin.
3. Select Settings > Integrations.
4. Select Beyond Identity.
5. Select the Exclude service accounts checkbox.
6. Select Save changes.

Exclude groups or projects from the Beyond Identity check

{{< history >}}

• Introduced in GitLab 17.0 with a flag named beyond_identity_exclusions. Enabled by default.
• Option to exclude groups introduced in GitLab 17.1.
• Generally available in GitLab 17.7. Feature flag beyond_identity_exclusions removed.

{{< /history >}}

Prerequisites:

• You must have administrator access to the GitLab instance.

To exclude groups or projects from the Beyond Identity check:

1. Sign in to GitLab as an administrator.
2. In the upper-right corner, select Admin.
3. Select Settings > Integrations.
4. Select Beyond Identity.
5. Select the Exclusions tab.
6. Select Add exclusions.
7. On the drawer, search and select groups or projects to exclude.
8. Select Add exclusions.