
Allow group owners to update group members' SAML (and SCIM) extern_uid via API

Problem to solve

In the past, we recommended using the SCIM API to update users' extern_uid (called identity in the web UI), but the SCIM API is used internally by the system and was not meant for end users to call.

Our current documentation instructs users to re-link their account. However, this resets the user's roles in the group (including subgroups and projects), so after relinking they are only a Guest (or the default role) in the parent group and nothing more.
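As an added example (not code from this issue or from GitLab), a Python script that works around the role reset described above: it snapshots the member's direct roles across the group, its subgroups and its projects before the account is re-linked, then restores whatever was lowered or dropped. It assumes the standard v4 REST endpoints named in the code, a group owner's private token, and a hierarchy small enough to fit in one page of results.

```python
import json
import urllib.error
import urllib.request


def make_requester(base_url, token):
    """Minimal GitLab REST caller; a 404 (user is not a member) is returned as None."""
    def request(method, path, data=None):
        body = json.dumps(data).encode() if data is not None else None
        req = urllib.request.Request(
            f"{base_url}/api/v4/{path}", data=body, method=method,
            headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return request


def snapshot_roles(request, group_id, user_id):
    """Map ("group"|"project", id) -> access_level for the user's direct memberships.
    Assumes under 100 subgroups/projects (add pagination for larger trees)."""
    containers = [("group", group_id)]
    for g in request("GET", f"groups/{group_id}/descendant_groups?per_page=100"):
        containers.append(("group", g["id"]))
    for p in request("GET", f"groups/{group_id}/projects?include_subgroups=true&per_page=100"):
        containers.append(("project", p["id"]))
    roles = {}
    for kind, cid in containers:
        member = request("GET", f"{kind}s/{cid}/members/{user_id}")
        if member is not None:
            roles[(kind, cid)] = member["access_level"]
    return roles


def restore_roles(request, user_id, before, after):
    """Re-grant every role the re-link lowered or dropped; returns the containers touched."""
    restored = []
    for (kind, cid), level in before.items():
        if after.get((kind, cid), 0) < level:  # lowered (e.g. to Guest) or removed
            if (kind, cid) in after:
                request("PUT", f"{kind}s/{cid}/members/{user_id}", {"access_level": level})
            else:
                request("POST", f"{kind}s/{cid}/members", {"user_id": user_id, "access_level": level})
            restored.append((kind, cid))
    return restored
```

Run `snapshot_roles` once before the re-link and once after, then pass both results to `restore_roles`; `request` is injected so the logic can be exercised offline against a fake.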

Additionally, if a group changes SCIM providers or the NameID changes, SCIM identities need to be manually updated or deleted. This is possible via the SCIM API, though that API is not meant for the end user.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

User experience goal

Group owners and/or admins of an organization's SAML provider can update users' extern_uid on their behalf if the SAML configuration changes.

Potentially, allow users to update this themselves via API as well.

Proposal

Provide an API endpoint to allow group owners to update the SAML extern_uid of users who have been provisioned by the group.

Permissions and Security

  • expected impact to Owner (50) members

Documentation

Update relevant troubleshooting docs:

Availability & Testing

TBD

What does success look like, and how can we measure that?

  • users can update extern_uid themselves
  • support no longer gets related tickets on this particular issue

What is the type of buyer?

Currently affects all Silver and Gold customers.

Links / references

Workarounds

  1. On self-managed, an admin can change the SAML extern_uid via the UI (on the specific user's admin page) or via the Users API.
  2. On GitLab.com:
Edited by Cynthia "Arty" Ng