
Map existing users to groups using Group Managed Accounts

Overview

Currently, attempting to create a group managed account when a user with that email already exists throws an error.

In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:

  • Log into that account,
  • Disassociate that account from the email address provided by the connected identity provider,
  • SSO in again and create their linked user.

Instead, since we know that the user has access to the email address based on the SAML response from the identity provider, we should just map the current user to the group as a managed account.

Proposal

  • If a user exists with a confirmed primary email address that matches the email address we receive from the connected identity provider, ask the user if they'd like to map that user to the group.
    • If so, set the existing user account with that email address as a group managed account. Log the user into the account.
    • If not, they'll need to free up their email address on that account and SSO in again.

Availability & Testing

This feature appears to be low risk in terms of availability.

In addition to unit and feature level tests, the existing group managed accounts end-to-end test should be extended to cover this feature.

It is also recommended to get a security review of the MR done because of the concerns mentioned in this comment: #13481 (comment 253374270)

Edited Feb 25, 2020 by Sanad Liaquat
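
The decision in the Proposal section, sketched as an added example that is not GitLab's code: only a confirmed primary email that matches the SAML-asserted address leads to the mapping prompt, and mapping happens only after the user accepts. The `User` struct, its fields, the returned symbols, case-insensitive comparison, and routing unconfirmed or secondary-address matches to the existing conflict path are all assumptions made for illustration.

```ruby
# Illustrative model only: User, its fields and the symbols returned below are
# hypothetical names for this example, not GitLab's schema or API.
User = Struct.new(:primary_email, :confirmed, :secondary_emails, :managed_by,
                  keyword_init: true)

def normalize(email)
  email.to_s.strip.downcase # assumption: addresses compare case-insensitively
end

# Classify the email address asserted by the identity provider.
#   :create_new      nobody holds the address, create the managed account
#   :offer_mapping   a confirmed primary email matches, ask the user
#   :email_conflict  the address is held but does not qualify (unconfirmed
#                    primary or secondary address); assumed to keep today's error
def classify_sso_email(users, saml_email)
  wanted = normalize(saml_email)
  raise ArgumentError, "SAML response carried no email" if wanted.empty?

  holder = users.find do |u|
    ([u.primary_email] + u.secondary_emails).any? { |e| normalize(e) == wanted }
  end
  return [:create_new, nil] if holder.nil?

  eligible = holder.confirmed && normalize(holder.primary_email) == wanted
  eligible ? [:offer_mapping, holder] : [:email_conflict, holder]
end

# Apply the user's answer to the mapping prompt from the proposal.
def complete_sso(users, saml_email, group, accepted:)
  decision, user = classify_sso_email(users, saml_email)
  case decision
  when :create_new then :created_managed_account
  when :offer_mapping
    return :must_free_email unless accepted # user declined, nothing changes
    user.managed_by = group
    :mapped_and_signed_in
  else :must_free_email
  end
end

# Constructed sample accounts.
USERS = [
  User.new(primary_email: "alice@example.com", confirmed: true, secondary_emails: [], managed_by: nil),
  User.new(primary_email: "bob@example.com", confirmed: false, secondary_emails: [], managed_by: nil),
  User.new(primary_email: "carol@example.net", confirmed: true, secondary_emails: ["carol@example.com"], managed_by: nil)
].freeze
```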