Disconnecting a SAML Service should be sufficiently scary

Summary

Clicking Disconnect under https://gitlab.com/profile/account next to any SAML linkage immediately removes a user from the linked namespace, including all subgroup and project memberships and roles. For large namespaces, this can be a very destructive act.

For example, clicking Disconnect for the Gitlab.com group shown here (screenshot: Screen_Shot_2020-07-08_at_4.41.26_PM) immediately removes me from https://gitlab.com/gitlab-com/ and thus destroys all subgroup memberships and roles that were previously defined for my user.

What is the expected correct behavior?

The language used in #5016 (closed) states:

if a user is no longer affiliated with an organization or feels uncomfortable having their account affiliated with an identity provider, a user should be able to undo this link.

That's not the case today, which is why this is filed as a bug.

To address this:

  • Users should not be removed from the group when group SAML is disconnected.

  • Users should be presented with a sufficiently scary warning dialog explaining that this action may cause them to lose access to the group. #227492 (comment 505854108)

Proposal

Based on the discussion below and on customer expectation of how SAML unlinking should work (via support tickets), we should instead modify the functionality such that user memberships are not removed to begin with. This is a better solution than simply displaying a warning banner and matches user expectations (it also addresses the use case where a change in subscription status may result in unlinking of SAML IDs due to feature availability).
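The reported behaviour and the proposed alternative side by side, as an added example that is not GitLab's own code: a toy Ruby model in which disconnecting a SAML identity either cascades through every membership beneath the root group (the destructive behaviour the summary describes) or drops only the identity link and leaves memberships in place (the proposal). The class and method names (Namespace, User, disconnect_saml_destructive!, disconnect_saml_safe!, can_access?), the sample group tree and the sso_enforced flag are all hypothetical; the flag is an assumption used to show why the warning dialog is still needed even when memberships survive, since a group that requires a linked identity will keep the unlinked user out regardless.

```ruby
# Added example, not GitLab code. Models SAML identity linkage separately from
# namespace membership so the two ways of "disconnecting" can be compared.
# Projects are modelled as leaf Namespace nodes to keep the tree simple.

Namespace = Struct.new(:name, :parent, :sso_enforced) do
  # Full path, e.g. "gitlab-com/support/handbook"
  def path
    parent ? "#{parent.path}/#{name}" : name
  end

  # Top-level group; SAML is linked at this level
  def root
    parent ? parent.root : self
  end
end

class User
  attr_reader :username, :identities, :memberships

  def initialize(username)
    @username = username
    @identities = {}   # root group path => SAML NameID (hypothetical shape)
    @memberships = {}  # namespace path => role
  end

  def link_saml(group, name_id)
    @identities[group.path] = name_id
  end

  def join(namespace, role)
    @memberships[namespace.path] = role
  end

  # Memberships on the group itself and on anything beneath it
  def roles_under(group)
    @memberships.select { |path, _| path == group.path || path.start_with?("#{group.path}/") }
  end

  # Behaviour reported in the issue: removing the SAML link also removes the
  # user from the namespace, taking every subgroup and project role with it.
  def disconnect_saml_destructive!(group)
    @identities.delete(group.path)
    roles_under(group).each_key { |path| @memberships.delete(path) }
    self
  end

  # Proposed behaviour: only the identity link goes; memberships are untouched.
  def disconnect_saml_safe!(group)
    @identities.delete(group.path)
    self
  end

  # Assumption for illustration: a root group flagged sso_enforced only admits
  # users with a linked identity. Memberships are preserved, but access is still
  # lost, which is what a warning dialog would have to tell the user.
  def can_access?(namespace)
    return false unless @memberships.key?(namespace.path)
    root = namespace.root
    return true unless root.sso_enforced
    @identities.key?(root.path)
  end
end

# Constructed sample data: one root group, one subgroup, one project,
# and a user holding a role at each level.
def build_scenario(sso_enforced: true)
  root = Namespace.new("gitlab-com", nil, sso_enforced)
  sub = Namespace.new("support", root, nil)
  proj = Namespace.new("handbook", sub, nil)
  user = User.new("alice")
  user.link_saml(root, "alice@example.com")
  user.join(root, :developer)
  user.join(sub, :maintainer)
  user.join(proj, :owner)
  [user, root, sub, proj]
end

if __FILE__ == $PROGRAM_NAME
  user, root, _sub, proj = build_scenario
  user.disconnect_saml_destructive!(root)
  puts "destructive: memberships left = #{user.memberships.size}"

  user, root, _sub, proj = build_scenario
  user.disconnect_saml_safe!(root)
  puts "safe: memberships left = #{user.memberships.size}, can access project = #{user.can_access?(proj)}"
end
```

The safe variant keeps all three roles, so re-linking the identity later restores access without anyone re-granting permissions; the destructive variant leaves nothing to restore. The can_access? check is the reason the warning still matters: if the root group insists on a linked identity, the user is locked out the moment the link is gone even though their memberships are intact.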

Edited by Adil Farrukh