Allow group owners to update group members' SAML (and SCIM) extern_uid via API
Problem to solve
In the past, we recommended using the SCIM API to update users' extern_uid (called identity in the web UI), but the SCIM API is used internally (within the system) and was not meant for end users.
Our current documentation instructs users to re-link their account. However, this resets the user's roles in the group (including subgroups and projects). As such, after relinking they are a Guest (or default role) in the parent group and nothing else.
Additionally, if a group changes SCIM providers or the NameID changes, SCIM identities must be manually updated or deleted. This is possible via the SCIM API, but that API is not meant for the end user.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
User experience goal
Group owners and/or admins of an organization's SAML provider can update users' extern_uid on their behalf if the SAML configuration changes.
Potentially, allow users to update this themselves via API as well.
Proposal
Provide an API endpoint to allow group owners to update the SAML extern_uid of users who have been provisioned by the group.
Permissions and Security
- expected impact to Owner (50) members
Documentation
Update relevant troubleshooting docs:
- https://docs.gitlab.com/ee/user/group/saml_sso/#message-saml-authentication-failed-extern-uid-has-already-been-taken
- https://docs.gitlab.com/ee/user/group/saml_sso/scim_setup.html#update-or-fix-mismatched-scim-externalid-and-saml-nameid
Availability & Testing
TBD
What does success look like, and how can we measure that?
- users can update extern_uid themselves
- support no longer gets related tickets on this particular issue
What is the type of buyer?
Currently affects all Silver and Gold customers.
Links / references
- Latest case: https://gitlab.zendesk.com/agent/tickets/163759
Workarounds
- On self-managed, an admin can change the SAML extern_uid via the UI (on the specific user's admin page) or the Users API.
- On GitLab.com:
  - Users can unlink and relink their accounts following the NameID changed troubleshooting steps.
  - Batch update of a large number of users: Support must intervene and change it (internal).
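The self-managed workaround above (an admin rewriting a user's group SAML extern_uid through the Users API), as an added example that is not part of this issue or of GitLab's own code. It first looks for another user who already holds the new extern_uid, the condition behind the "extern_uid has already been taken" error linked in the Documentation section, and only then builds the PUT request. It assumes the Users API's `extern_uid`, `provider` and `group_id_for_saml` parameters, the `identities` array shape of `GET /users/:id`, and an admin `PRIVATE-TOKEN`; the sample identities and `base_url` are constructed.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of the "identities" array returned by GET /users/:id
# (shape assumed from the GitLab Users API docs; values are made up).
SAMPLE_IDENTITIES = [
    {"provider": "github", "extern_uid": "12345"},
    {"provider": "group_saml", "extern_uid": "old-nameid@example.com",
     "saml_provider_id": 7},
]


def find_saml_identity(identities, saml_provider_id):
    """Return the group_saml identity bound to this SAML provider, or None."""
    for ident in identities:
        if (ident.get("provider") == "group_saml"
                and ident.get("saml_provider_id") == saml_provider_id):
            return ident
    return None


def conflicting_user(users, user_id):
    """Given the result of GET /users?provider=group_saml&extern_uid=<new>,
    return the id of any *other* user already holding that extern_uid."""
    for user in users:
        if user.get("id") != user_id:
            return user.get("id")
    return None


def build_update(base_url, user_id, new_extern_uid, group_id):
    """Build the PUT /users/:id request that rewrites the group SAML extern_uid.
    Parameter names are assumed from the Users API docs, not from this issue."""
    params = {"provider": "group_saml", "extern_uid": new_extern_uid,
              "group_id_for_saml": group_id}
    return f"{base_url}/api/v4/users/{user_id}", params


def apply_update(base_url, token, user_id, new_extern_uid, group_id):
    """Send the update as an admin; returns the updated user JSON.
    The caller is expected to run conflicting_user() on a lookup first."""
    url, params = build_update(base_url, user_id, new_extern_uid, group_id)
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(params).encode(), method="PUT",
        headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:  # network call, not run here
        return json.load(resp)
```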