SCIM does not allow a new user to sign in via SAML without local sign in
Apparently SCIM and SAML used to allow a SCIM-created user to sign in with SAML without first signing in with a GitLab.com local/existing account. For example, if a user had never used gitlab.com before but SCIM had created an account for them, that user could sign in via SSO and no other authentication was required.
Now that `scim_identities` has been enabled, it seems this flow is broken. Here's what it looks like:
- SCIM creates the user and the `scim_identities` record.
- User visits the group SAML SSO sign-in page and clicks the 'Sign in with Single Sign-On' button.
- User gets redirected to the SAML provider to sign in.
- On redirect, the user is sent to the regular GitLab sign-in page with a message that they must sign in or sign up to link their account.
Workaround
- Have user reset their password.
- Follow existing user linking flow.
Edited by Cynthia "Arty" Ng