Closed
Open
Opened Feb 22, 2018 by Jeremy Watson@jeremy🕺🏻

Automatically deprovision users when removed from a configured identity provider

Description

Problem

This issue is related to the ongoing SSO work for GitLab.com 🚀

After an employee leaves a company, we need to ensure they're not still a member of the group they previously used their SAML login with. This needs to happen immediately or else the employee might still be within the grace period and access notifications, SSH, API, etc.

As a secondary effect, if we don't remove them from the group, they'll continue to show up in the Members list.

Proposal

We should use SCIM 2.0 to enable provisioning and deprovisioning when users are removed from identity providers that support the SCIM protocol. We're investigating this here.

  • If a user is removed from the IdP, they should be immediately removed from the associated groups in GitLab.
    • No longer in Members of the associated group.
    • If a user logs into their GitLab.com account, they should not be able to access the group.

Potential Edge cases:

  • After being removed from a group, it should be possible for a GitLab user to link different SAML credentials to that same GitLab group
  • After being removed from a group, it should be possible to link a different GitLab user with the previous SAML identity provider credentials in that same GitLab group

Links / references

  • GitHub
Edited Jan 18, 2019 by Jeremy Watson
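
The deprovisioning behaviour and the two edge cases described in this issue, sketched as an added example (not code from this issue or from GitLab). The `GroupIdentityStore` class and its method names are hypothetical; the SCIM 2.0 `DELETE /Users/<id>` request and the `PatchOp` schema URN are from RFC 7644.

```ruby
require "json"
require "set"

# Hypothetical in-memory model of one group's SAML links (not GitLab's code).
class GroupIdentityStore
  PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

  def initialize
    @by_extern_uid = {} # IdP-side user id => linked GitLab user
    @members = Set.new  # GitLab users currently in the group
  end

  def member?(user)
    @members.include?(user)
  end

  # Link a GitLab user to an IdP identity; each side holds at most one link.
  def link(extern_uid, user)
    raise ArgumentError, "identity already linked" if @by_extern_uid.key?(extern_uid)
    raise ArgumentError, "user already linked" if @by_extern_uid.value?(user)
    @by_extern_uid[extern_uid] = user
    @members << user
  end

  # Handle a SCIM request on /Users/<extern_uid>; returns the HTTP status.
  def handle(method, extern_uid, body = nil)
    return 404 unless @by_extern_uid.key?(extern_uid)
    return 405 unless %w[DELETE PATCH].include?(method)
    return 400 if method == "PATCH" && !deactivation?(body)
    # Drop membership and the identity link together, so no grace period remains.
    @members.delete(@by_extern_uid.delete(extern_uid))
    204
  end

  private

  # True only for a well-formed PatchOp that sets "active" to false.
  def deactivation?(body)
    doc = JSON.parse(body.to_s)
    return false unless doc.is_a?(Hash) && doc["schemas"] == [PATCH_SCHEMA]
    Array(doc["Operations"]).any? do |op|
      op.is_a?(Hash) && op["op"].to_s.downcase == "replace" &&
        op["path"] == "active" && op["value"] == false
    end
  rescue JSON::ParserError
    false
  end
end
```

Because the identity link is deleted along with the membership, both sides become free again: the same GitLab user can link new SAML credentials, and a different GitLab user can link the previous IdP identity.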

Milestone: 11.9
Labels: Deliverable In dev Manage P1 authentication backend devops:manage direction feature gitlab.com saml
Reference: gitlab-org/gitlab-ee#5014