New SCIM users not created with group SAML connection
Summary
Users that were not previously synced are being created on GitLab.com, but without a SAML link to the group, with an unverified email, and without the terms of use accepted.
Steps to reproduce
In Azure AD,
- Turn on SCIM for the first time.
or
- Add new users (no existing account) to SCIM setup.
Example Project
https://gitlab.com/groups/gitlab-silver/-/saml
should have this user: https://gitlab.com/admin/users/GitLab37
Turned on SCIM sync for the first time at approximately 10:30 UTC, which created the user, but with an unverified email, an unconfirmed user, and no membership in gitlab-silver.
This is what happened:
- This user was created: https://gitlab.com/admin/users/GitLab37; however, the user is unconfirmed, unverified, and not a member of the group.
- I had to sign in via Azure AD as the user, then it asked me to accept the TOS, which I did,
- then it asked me to "Authorize" the app, which I did,
- now the user shows up as a member of the group,
- though still unconfirmed (since I don't even know how to access the inbox for that user).
Identity part of the API response for this user:
| identities field | value |
|------------------|----------------------------------------|
| provider | "group_saml" |
| extern_uid | "00377106-2df4-4815-bcd7-09f1cc4a1008" |
| saml_provider_id | 7 |
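As an added illustration (not code from this issue or from GitLab itself), the check below audits user records in the shape of the admin Users API response shown above and flags accounts that lack the expected `group_saml` identity or are still unconfirmed. The sample records, usernames and `extern_uid` values are constructed; the field names (`identities`, `provider`, `extern_uid`, `saml_provider_id`, `confirmed_at`) follow the API response.

```python
# Added example (not from the issue or GitLab's own code): audit user records in the
# shape of the GitLab admin Users API (``identities`` entries with ``provider``,
# ``extern_uid``, ``saml_provider_id``, plus ``confirmed_at``) for the two symptoms
# reported above. The records below are constructed samples, not real users.
from typing import Dict, List

EXPECTED_SAML_PROVIDER_ID = 7  # saml_provider_id shown in the issue's API response

SAMPLE_USERS: List[Dict] = [
    {   # healthy: confirmed and linked to the group's SAML provider
        "username": "linked-user", "confirmed_at": "2020-01-10T09:00:00Z",
        "identities": [{"provider": "group_saml", "extern_uid": "uid-0001",
                        "saml_provider_id": 7}]},
    {   # the bug: created by SCIM, no SAML identity, never confirmed
        "username": "scim-orphan", "confirmed_at": None, "identities": []},
    {   # linked only to another group's SAML provider
        "username": "other-group", "confirmed_at": "2020-01-10T09:00:00Z",
        "identities": [{"provider": "group_saml", "extern_uid": "uid-0003",
                        "saml_provider_id": 99}]},
]


def has_group_saml_link(user: Dict, saml_provider_id: int) -> bool:
    """True if the user carries a group_saml identity for the given provider id."""
    return any(
        ident.get("provider") == "group_saml"
        and ident.get("saml_provider_id") == saml_provider_id
        for ident in user.get("identities", [])
    )


def audit_users(users: List[Dict], saml_provider_id: int) -> Dict[str, List[str]]:
    """Map username -> list of findings; users with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        problems = []
        if not has_group_saml_link(user, saml_provider_id):
            problems.append(f"no group_saml identity for saml_provider_id {saml_provider_id}")
        if not user.get("confirmed_at"):
            problems.append("email unconfirmed")
        if problems:
            findings[user["username"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_users(SAMPLE_USERS, EXPECTED_SAML_PROVIDER_ID).items():
        print(f"{name}: {'; '.join(problems)}")
```

Running the same function over records fetched with an admin token from `GET /users` gives a list of the accounts that still need the manual workaround.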
For additional context, please see the (internal) Slack thread.
Originally reported by a customer via (internal) https://gitlab.zendesk.com/agent/tickets/145008
What is the current bug behavior?
The user is created, but with an unverified email, an unconfirmed user, and no membership in gitlab-silver.
What is the expected correct behavior?
The user should be created, linked to the group's SAML provider, and added to the group.
Output of checks
GitLab.com, GitLab Enterprise Edition 12.7.0-pre 33d6233e
Workaround
- Have affected users confirm their account. If they need a new confirmation email: https://gitlab.com/users/confirmation/new
- Reset their password.
- Sign into GitLab if not already signed in. Accept the Terms of Use if prompted.
- Have the affected user sign into Azure AD.
- Access GitLab through the list of available apps (or via the Azure app's User access URL, which is the GitLab single sign-on URL, including the token, shown on the GitLab SAML settings page).
- In GitLab, authorize the SSO app.