Extend group SCIM to instance level
SAML SSO was originally introduced as a feature for groups on GitLab.com. We should extend this feature beyond GitLab.com and make it usable for self-managed instances.
The feature was primarily created as a way for groups on GitLab.com to begin using SAML SSO. We've iterated on it and built a solid feature with attractive capabilities like SSO enforcement and group-managed accounts. We'd like to keep iterating and add capabilities like group sync for permissions.
However, Group SSO is largely for GitLab.com and not self-managed. On self-managed, we offer a different set of capabilities. For example:
- Self-managed offers Required Groups, Admin Groups, Auditor Groups, and 2FA bypass.
- GitLab.com does not offer the above, but offers capabilities like SSO enforcement, group-managed accounts, and SCIM.
Ideally, SAML capabilities should be identical across delivery mechanisms, and we should not have to develop these features on separate tracks:
- A self-managed instance using SAML should be able to use SCIM and SSO enforcement.