Automatically deprovision users when removed from a configured identity provider
Description
Problem
This issue is related to the ongoing SSO work for GitLab.com.
After an employee leaves a company, we need to ensure they're not still a member of the group they previously used their SAML login with. This needs to happen immediately, or else the former employee might still be within the grace period and retain access to notifications, SSH, the API, etc.
As a secondary effect, if we don't remove them from the group, they'll continue to show up in the Members list.
Proposal
We should use SCIM 2.0 to enable provisioning and deprovisioning when users are removed from identity providers that support the SCIM protocol. We're investigating this here.
- If a user is removed from the IdP, they should be immediately removed from the associated groups in GitLab.
- They should no longer appear in the Members list of the associated group.
- If the user logs into their GitLab.com account, they should not be able to access the group.
Potential edge cases:
- After being removed from a group, it should be possible for a GitLab user to link different SAML credentials to that same GitLab group
- After being removed from a group, it should be possible to link a different GitLab user with the previous SAML identity provider credentials in that same GitLab group
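The proposal and edge cases above, worked through as an added example (not GitLab's code or schema): a minimal in-memory model of a group with SAML-linked membership, and a handler for the two SCIM 2.0 operations an identity provider issues when a user is removed (DELETE /Users/{id}, or PATCH /Users/{id} setting active to false, per RFC 7644). Deprovisioning drops both the group membership and the identity link, which is what makes both edge cases possible afterwards. The Group structure, function names and the sample identifiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Group:
    """Constructed model of a group with IdP-linked membership (not GitLab's schema)."""
    name: str
    members: Set[int] = field(default_factory=set)          # GitLab user ids
    links: Dict[str, int] = field(default_factory=dict)     # IdP extern_uid -> user id
    scim_ids: Dict[str, str] = field(default_factory=dict)  # SCIM resource id -> extern_uid


def link_identity(group: Group, extern_uid: str, user_id: int, scim_id: str) -> None:
    """Provisioning: bind one IdP identity to one GitLab user within this group."""
    if extern_uid in group.links:
        raise ValueError(f"{extern_uid} is already linked in {group.name}")
    if user_id in group.links.values():
        raise ValueError(f"user {user_id} already has a SAML link in {group.name}")
    group.links[extern_uid] = user_id
    group.scim_ids[scim_id] = extern_uid
    group.members.add(user_id)


def deprovision(group: Group, extern_uid: str) -> int:
    """Remove the membership and the identity link immediately.

    Dropping the link (not just the membership) lets the same user link different
    SAML credentials later, and lets a different user link this extern_uid later.
    """
    user_id = group.links.pop(extern_uid)
    group.members.discard(user_id)
    stale = [sid for sid, uid in group.scim_ids.items() if uid == extern_uid]
    for sid in stale:
        del group.scim_ids[sid]
    return user_id


def _deactivates(op: dict) -> bool:
    """True if a PatchOp sets active=false, in either form IdPs commonly send:
    {"op": "replace", "value": {"active": false}} or
    {"op": "Replace", "path": "active", "value": "False"}."""
    if op.get("op", "").lower() != "replace":
        return False
    value = op.get("value")
    if isinstance(value, dict):
        value = value.get("active")
    elif op.get("path", "").lower() != "active":
        return False
    return value is False or str(value).lower() == "false"


def handle_scim_request(group: Group, method: str, path: str,
                        body: Optional[dict] = None) -> int:
    """Dispatch the SCIM 2.0 calls used to remove a user; returns an HTTP status."""
    if not path.startswith("/Users/"):
        return 404
    scim_id = path[len("/Users/"):]
    extern_uid = group.scim_ids.get(scim_id)
    if extern_uid is None:
        return 404  # unknown or already deprovisioned resource
    if method == "DELETE":
        deprovision(group, extern_uid)
        return 204
    if method == "PATCH":
        if any(_deactivates(op) for op in (body or {}).get("Operations", [])):
            deprovision(group, extern_uid)
        return 200
    return 405


def can_access(group: Group, user_id: int) -> bool:
    """The check a login path would run: only current membership grants access."""
    return user_id in group.members


if __name__ == "__main__":
    g = Group("example-group")
    link_identity(g, "alice@idp.example", 1, "scim-0001")
    print(handle_scim_request(g, "DELETE", "/Users/scim-0001"), can_access(g, 1))
```

The access check deliberately looks only at current membership, not at whether a SAML identity was once linked, so a deprovisioned user who still holds a valid GitLab.com session is refused the group at the same moment the IdP sends the removal.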
Links / references
Edited by Jeremy Watson (ex-GitLab)