Map existing users to groups using Group Managed Accounts (#13481) · Issues · GitLab.org / GitLab

Map existing users to groups using Group Managed Accounts

Overview

Currently, attempting to create a group managed account when a user with that email already exists throws an error:

In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:

Log into that account,
De-associate that account with their email address from the connected identity provider,
SSO in again and create their linked user.

Instead - since we know that the user has access to the email address based on the SAML response from the identity provider - we should just map the current user to the group as a managed account.

Proposal

If a user exists with a confirmed primary email address that matches the email address we receive from the connected identity provider, ask the user if they'd like to map that user to the group.
- If so, set the existing user account with that email address as a group managed account. Log the user into the account.
- If not, they'll need to free up their email address on that account and SSO in again.

Availability & Testing

This feature appears to be low risk in terms of availability.

In addition to unit and feature level tests, exiting group managed accounts end-to-end test should be extended to cover this feature.

It is also recommended to get a security review of the MR done because of the concerns mentioned in this comment: #13481 (comment 253374270)

## Overview

Currently, attempting to create a group managed account when a user with that email already exists throws an error:

![image](/uploads/bba2fd5abc41cb1af9d38b58bf751192/image.png)

In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:
* Log into that account,
* De-associate that account with their email address from the connected identity provider,
* SSO in again and create their linked user.

Instead - since we know that the user has access to the email address based on the SAML response from the identity provider - we should just map the current user to the group as a managed account.

## Proposal

* If a user exists with a confirmed primary email address that matches the email address we receive from the connected identity provider, ask the user if they'd like to map that user to the group.
  * If so, set the existing user account with that email address as a group managed account. Log the user into the account.
  * If not, they'll need to free up their email address on that account and SSO in again.

### Availability & Testing

<!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.

What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?

Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.
* Unit test changes
* Integration test changes
* End-to-end test change

See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning -->

This feature appears to be low risk in terms of availability.

In addition to unit and feature level tests, [exiting group managed accounts end-to-end test](https://gitlab.com/gitlab-org/gitlab/blob/master/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_group_managed_accounts_spec.rb) should be extended to cover this feature.

It is also recommended to get a ~security review of the MR done because of the concerns mentioned in this comment: https://gitlab.com/gitlab-org/gitlab/issues/13481#note_253374270

Edited Feb 25, 2020 by Sanad Liaquat

Discussion
Designs

Map existing users to groups using Group Managed Accounts

Overview

Proposal

Availability & Testing

Linked issues