Map existing users to groups using Group Managed Accounts

Overview

Currently, attempting to create a group managed account when a user with that email already exists throws an error:

In this scenario, the user already exists on GitLab.com with that email address as their primary address. That user must now:

• Log into that account,
• De-associate that account with their email address from the connected identity provider,
• SSO in again and create their linked user.

Instead - since we know that the user has access to the email address based on the SAML response from the identity provider - we should just map the current user to the group as a managed account.

Proposal

• If a user exists with a confirmed primary email address that matches the email address we receive from the connected identity provider, ask the user if they'd like to map that user to the group.
  • If so, set the existing user account with that email address as a group managed account. Log the user into the account.
  • If not, they'll need to free up their email address on that account and SSO in again.

Availability & Testing

This feature appears to be low risk in terms of availability.

In addition to unit and feature level tests, exiting group managed accounts end-to-end test should be extended to cover this feature.

It is also recommended to get a security review of the MR done because of the concerns mentioned in this comment: #13481 (comment 253374270)