Map existing users to groups using Group Managed Accounts
Overview
Currently, attempting to create a group managed account when a user with that email address already exists throws an error.
In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:
- Log into that account,
- Unlink that email address from the account (free it up), so it is no longer the account's primary address,
- SSO in again and create their linked user.
Instead, since the SAML response from the connected identity provider tells us the user controls that email address (to the extent the identity provider is trusted to assert only addresses it has verified), we should simply map the existing user to the group as a managed account.
Proposal
- If a user exists whose confirmed primary email address matches the email address we receive from the connected identity provider, ask the user whether they would like to map that account to the group.
- If so, convert the existing account with that email address into a group managed account for the group, then log the user into that account.
- If not, they will need to free up the email address on that account and SSO in again, as today.
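The decision the proposal describes, written out as an added Ruby example (not GitLab's own code). The `User` and `SamlAssertion` shapes, the case-insensitive email comparison, and the handling of the cases the proposal does not spell out (an unconfirmed or secondary email match keeps today's error; an account already managed by a different group is refused) are assumptions made for this example.

```ruby
# Added example modelling the proposed "map existing user" flow. Not GitLab's code;
# data shapes and the :email_taken / :already_managed outcomes are assumptions.
User = Struct.new(:id, :primary_email, :primary_email_confirmed,
                  :secondary_emails, :managed_group_id, keyword_init: true)

# What we get back from the group's identity provider after SSO.
SamlAssertion = Struct.new(:email, :group_id, keyword_init: true)

class ManagedAccountResolver
  def initialize(users)
    @users = users
    @next_id = users.map(&:id).max.to_i + 1
  end

  # Step 1: classify the SAML response before touching any account.
  #   [:create, nil]            nothing owns this email; create a fresh managed account
  #   [:offer_link, user]       confirmed primary email matches; prompt the user to link (the proposal)
  #   [:sign_in, user]          account is already managed by this group; ordinary SSO login
  #   [:already_managed, user]  account belongs to another group's managed accounts (assumption: refuse)
  #   [:email_taken, user]      email in use but not as a confirmed primary (assumption: keep today's error)
  def resolve(assertion)
    email = normalize(assertion.email)

    by_primary = @users.find { |u| normalize(u.primary_email) == email }
    if by_primary
      if by_primary.managed_group_id
        return [:sign_in, by_primary] if by_primary.managed_group_id == assertion.group_id
        return [:already_managed, by_primary]
      end
      # Only a *confirmed* primary address proves the existing account owns the email.
      return [:offer_link, by_primary] if by_primary.primary_email_confirmed
      return [:email_taken, by_primary]
    end

    by_secondary = @users.find { |u| u.secondary_emails.any? { |e| normalize(e) == email } }
    return [:email_taken, by_secondary] if by_secondary

    [:create, nil]
  end

  # Step 2: act on the user's answer to the prompt (consent is ignored unless we offered a link).
  def complete(assertion, consent:)
    outcome, user = resolve(assertion)
    case outcome
    when :create
      user = User.new(id: @next_id, primary_email: normalize(assertion.email),
                      primary_email_confirmed: true, secondary_emails: [],
                      managed_group_id: assertion.group_id)
      @next_id += 1
      @users << user
      [:created, user]
    when :offer_link
      # Declining leaves the account untouched; the user must free up the email and SSO again.
      return [:declined, user] unless consent
      user.managed_group_id = assertion.group_id
      [:linked, user]
    else
      [outcome, user]
    end
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end
end

# Constructed sample data for trying the resolver offline.
def sample_users
  [
    User.new(id: 1, primary_email: "alice@example.com", primary_email_confirmed: true,
             secondary_emails: [], managed_group_id: nil),
    User.new(id: 2, primary_email: "bob@example.com", primary_email_confirmed: false,
             secondary_emails: [], managed_group_id: nil),
    User.new(id: 3, primary_email: "carol@example.com", primary_email_confirmed: true,
             secondary_emails: ["carol@other.example"], managed_group_id: nil)
  ]
end

if __FILE__ == $PROGRAM_NAME
  resolver = ManagedAccountResolver.new(sample_users)
  p resolver.resolve(SamlAssertion.new(email: "Alice@Example.com", group_id: 10)).first
  p resolver.complete(SamlAssertion.new(email: "alice@example.com", group_id: 10), consent: true).first
end
```

The point of splitting `resolve` from `complete` is that nothing is written to an account until the user has answered the prompt, and a match on anything other than a confirmed primary address never reaches the prompt at all.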
Availability & Testing
This feature appears to be low risk in terms of availability.
In addition to unit and feature level tests, the existing group managed accounts end-to-end test should be extended to cover this feature.
Because converting an existing account on the strength of an email address asserted by the group's identity provider is an account-linking decision, a security review of the MR is also recommended; see the concerns raised in #13481 (comment 253374270).