Extend group SCIM to instance level for self-managed users
Manage:Auth
Overview
Extending group SCIM to self-managed GitLab would give administrators end-to-end user lifecycle management, in particular deprovisioning users at the end of their lifecycle: a user who is deactivated in the identity provider is automatically deactivated in GitLab. Without it, this is a manual step for the administrator.
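To make the deprovisioning flow concrete, here is an added example (not GitLab's own code) of a minimal instance-level SCIM endpoint: the identity provider sends an RFC 7644 PatchOp setting `active` to false, and the handler deactivates the matching user. The `ScimInstanceHandler` class, the `ScimUser` store, the bearer token and the sample users are all constructed for illustration. The handler accepts both PatchOp shapes identity providers commonly send (`"path":"active"` with a scalar value, or a `value` object containing `active`), normalises the boolean even when it arrives as the string `"False"`, compares the bearer token in constant time, and keeps deactivation idempotent so a replayed request does not produce duplicate audit events. Mapping DELETE to deactivation rather than hard deletion is this example's design choice; revoking the user's open sessions and tokens on deactivation is out of scope here.

```ruby
require 'json'

# Added example, not GitLab code: a minimal instance-level SCIM handler that
# deprovisions a user when the identity provider marks them inactive.
SCIM_PATCH_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:PatchOp'
SCIM_USER_SCHEMA  = 'urn:ietf:params:scim:schemas:core:2.0:User'
SCIM_ERROR_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:Error'

# Constructed stand-in for an instance user record.
ScimUser = Struct.new(:id, :external_id, :username, :active, keyword_init: true)

class ScimInstanceHandler
  attr_reader :audit_log

  def initialize(token:, users:)
    @token = token                       # hypothetical per-instance SCIM bearer token
    @users = users.to_h { |u| [u.id, u] }
    @audit_log = []
  end

  # PATCH /scim/v2/Users/:id with an RFC 7644 PatchOp body. Returns [status, body].
  def patch(user_id, headers, raw_body)
    return [401, error('Unauthorized')] unless authorized?(headers)
    user = @users[user_id]
    return [404, error('User not found')] unless user

    body = parse_json(raw_body)
    return [400, error('Invalid JSON body')] unless body.is_a?(Hash)
    return [400, error('Unsupported schema')] unless Array(body['schemas']).include?(SCIM_PATCH_SCHEMA)

    Array(body['Operations']).each do |op|
      next unless op.is_a?(Hash) && op['op'].to_s.casecmp?('replace')
      active = active_value(op)
      set_active(user, active) unless active.nil?
    end
    [200, resource(user)]
  end

  # DELETE /scim/v2/Users/:id. Mapped to deactivation (this example's choice) so the
  # user's history survives; GitLab's actual behaviour is not asserted here.
  def delete(user_id, headers)
    return [401, error('Unauthorized')] unless authorized?(headers)
    user = @users[user_id]
    return [404, error('User not found')] unless user
    set_active(user, false)
    [204, nil]
  end

  private

  # Idempotent: a replayed request with the same state writes no extra audit event.
  def set_active(user, active)
    return if user.active == active
    user.active = active
    @audit_log << { user: user.username, action: active ? 'scim_reactivate' : 'scim_deactivate' }
  end

  # Accepts {"op":"Replace","path":"active","value":"False"} and
  # {"op":"Replace","value":{"active":false}}. Returns nil if `active` is untouched.
  def active_value(op)
    raw = if op['path'].to_s.casecmp?('active')
            op['value']
          elsif op['value'].is_a?(Hash) && op['value'].key?('active')
            op['value']['active']
          end
    return nil if raw.nil?
    # Some identity providers send the boolean as a string; normalise it.
    !['false', '0'].include?(raw.to_s.downcase)
  end

  def authorized?(headers)
    presented = headers.fetch('Authorization', '').delete_prefix('Bearer ')
    secure_equal?(presented, @token)
  end

  # Constant-time comparison so the token cannot be recovered byte by byte via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def parse_json(raw)
    JSON.parse(raw)
  rescue JSON::ParserError
    nil
  end

  def resource(user)
    { 'schemas' => [SCIM_USER_SCHEMA], 'id' => user.id, 'externalId' => user.external_id,
      'userName' => user.username, 'active' => user.active }
  end

  def error(detail)
    { 'schemas' => [SCIM_ERROR_SCHEMA], 'detail' => detail }
  end
end

if __FILE__ == $PROGRAM_NAME
  handler = ScimInstanceHandler.new(token: 'example-token',
                                    users: [ScimUser.new(id: 'u1', external_id: 'idp-1', username: 'alice', active: true)])
  request = JSON.generate({ 'schemas' => [SCIM_PATCH_SCHEMA],
                            'Operations' => [{ 'op' => 'Replace', 'path' => 'active', 'value' => 'False' }] })
  status, body = handler.patch('u1', { 'Authorization' => 'Bearer example-token' }, request)
  puts "#{status} #{body.to_json}"
  p handler.audit_log
end
```

A production endpoint would additionally look users up by `externalId` from the identity provider rather than by internal id, and the deactivation path would need to invalidate the user's sessions and personal access tokens, which this example leaves out.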
SAML SSO was originally introduced as a feature for groups on GitLab.com. We should extend this feature beyond GitLab.com and make it usable for self-managed instances.
Problem statement
SAML SSO was primarily created as a mechanism for groups on GitLab.com to adopt single sign-on. We have iterated on it since and added attractive capabilities such as SSO enforcement and group-managed accounts, and we'd like to keep iterating with capabilities like group sync for permissions.
However, Group SSO is largely a GitLab.com feature rather than a self-managed one. Self-managed instances use instance-level SAML, which offers a different set of capabilities. For example:
- Self-managed offers Required Groups, Admin Groups, Auditor Groups, and 2FA bypass.
- GitLab.com does not offer the above, but offers capabilities like SSO enforcement, group-managed accounts, and SCIM.
Ideally, SAML capabilities should be identical across delivery mechanisms, so that we do not have to develop the same features on separate tracks for GitLab.com and self-managed:
- A self-managed instance using SAML should be able to use SCIM and SSO enforcement.
Proposal
TBD