Group SAML should not allow sign in when SCIM is deactivated
Follow up from #208940 (closed)
When a SCIM identity is present and is marked as deactivated (active is false) we should not allow SAML sign in. Currently, SAML will allow sign in regardless of what SCIM says as long as the SAML IdP says it's OK.
In many cases the SAML and SCIM IdP should be the same so it's not a huge problem. But for edge cases we should add this protection. SCIM should be the 'source of truth' for the activation/deactivation.
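
The check proposed above, sketched as an added example (not GitLab's code; the class, struct and field names are hypothetical). It assumes the SAML assertion has already been validated elsewhere and that SCIM identities are keyed by group and user.

```ruby
# Added illustration; every name here is hypothetical, not GitLab's implementation.
ScimIdentity = Struct.new(:group_id, :user_id, :active, keyword_init: true)

class GroupSamlSignInPolicy
  Decision = Struct.new(:allowed, :reason)

  def initialize(scim_identities)
    # Index identities by [group_id, user_id] so the lookup is scoped to the group.
    @by_key = scim_identities.to_h { |i| [[i.group_id, i.user_id], i] }
  end

  # saml_ok: outcome of the IdP assertion validation, performed elsewhere.
  def decide(group_id:, user_id:, saml_ok:)
    return Decision.new(false, :saml_rejected) unless saml_ok

    identity = @by_key[[group_id, user_id]]
    # No SCIM identity for this group: SCIM has no say, SAML alone decides.
    return Decision.new(true, :no_scim_identity) if identity.nil?

    # SCIM is the source of truth: a deactivated identity blocks sign in even
    # though the SAML IdP accepted the user. Assumption: a missing (nil)
    # active flag is treated like false, so the check fails closed.
    return Decision.new(false, :scim_deactivated) unless identity.active

    Decision.new(true, :scim_active)
  end
end

# Constructed sample data: user 11 is deactivated in group 1 only.
SAMPLE_IDENTITIES = [
  ScimIdentity.new(group_id: 1, user_id: 10, active: true),
  ScimIdentity.new(group_id: 1, user_id: 11, active: false),
  ScimIdentity.new(group_id: 2, user_id: 11, active: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  policy = GroupSamlSignInPolicy.new(SAMPLE_IDENTITIES)
  [[1, 10], [1, 11], [2, 11], [1, 12]].each do |group_id, user_id|
    d = policy.decide(group_id: group_id, user_id: user_id, saml_ok: true)
    puts "group=#{group_id} user=#{user_id} allowed=#{d.allowed} reason=#{d.reason}"
  end
end
```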