Closed
Open
Opened Aug 12, 2019 by Jeremy Watson (@jeremy-gl), Maintainer

Map existing users to groups using Group Managed Accounts

Overview

Currently, attempting to create a group managed account when a user with that email already exists throws an error:

[image: screenshot of the error]

In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:

  • Log into that account,
  • De-associate that account with their email address from the connected identity provider,
  • SSO in again and create their linked user.

Instead - since we know that the user has access to the email address based on the SAML response from the identity provider - we should just map the current user to the group as a managed account.

Proposal

  • If a user exists with a confirmed primary email address that matches the email address we receive from the connected identity provider, ask the user if they'd like to map that user to the group.
    • If so, set the existing user account with that email address as a group managed account. Log the user into the account.
    • If not, they'll need to free up their email address on that account and SSO in again.

Availability & Testing

This feature appears to be low risk in terms of availability.

In addition to unit and feature level tests, the existing group managed accounts end-to-end test should be extended to cover this feature.

It is also recommended to get a security review of the MR done because of the concerns mentioned in this comment: #13481 (comment 253374270)

Edited Feb 25, 2020 by Sanad Liaquat
Milestone: 12.9 (Past due)
Reference: gitlab-org/gitlab#13481
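
The decision flow from the Proposal above, as an added Ruby example that is not GitLab's code and not part of the original issue. The `User` struct, its fields, `resolve_sso_sign_in`, the result symbols and the case-insensitive email comparison are assumptions made for illustration; the sample users are constructed.

```ruby
# Added illustration, not GitLab code. User and its fields are hypothetical.
User = Struct.new(:email, :confirmed, :managing_group, keyword_init: true)

# Assumption: addresses are compared case-insensitively after trimming.
def same_email?(a, b)
  a.to_s.strip.casecmp?(b.to_s.strip)
end

# saml_email: address asserted by the group's identity provider.
# consent:    nil = not asked yet, true = user agreed, false = user declined.
def resolve_sso_sign_in(users, group, saml_email, consent: nil)
  user = users.find { |u| same_email?(u.email, saml_email) }

  # No collision: the group managed account is created as it is today.
  return [:create_managed_account, nil] if user.nil?

  # The proposal covers only a confirmed primary address; any other
  # collision keeps the current behaviour (the error in the Overview).
  return [:email_taken_error, nil] unless user.confirmed

  case consent
  when nil   then [:ask_user_to_map, nil]
  when false then [:free_email_and_retry, nil]
  when true
    user.managing_group = group # existing account becomes group managed
    [:mapped_and_signed_in, user]
  else
    raise ArgumentError, "consent must be nil, true or false"
  end
end

# Constructed sample data.
USERS = [
  User.new(email: "alice@example.com", confirmed: true),
  User.new(email: "bob@example.com", confirmed: false)
]
```

The account is changed only on the branch where the address is confirmed and the user has explicitly agreed; every other branch leaves it untouched.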