SCIM create endpoint may save SCIM identity while membership addition fails
There is a case where the SCIM create user endpoint may successfully create a user's SCIM identity but fail to create the group membership.
This does not happen for users that do not yet exist in GitLab. Those users will be successfully created with both their SAML and SCIM identities as expected. The problem occurs for users that pre-exist in GitLab and when SSO enforcement is enabled.
In this case, the SCIM create endpoint attempts to create the SCIM identity and add the user to the group as a member. If the user has not previously authenticated to the group via SSO, they will not have a SAML identity, and the group member addition fails.
Pre-requisites
- Group must be configured for both SAML and SCIM and have SSO enforcement enabled
- User must already exist in GitLab
- User must not have already signed in to the group via SSO (they do not have a SAML identity)
I believe the bug occurs at https://gitlab.com/gitlab-org/gitlab/-/blob/f0adb9d54f72892a101f88a3449e13ae7ce7aa16/ee/lib/ee/gitlab/scim/provisioning_service.rb#L43. In this method the identity is saved first, followed by the group member. Since this is not transactional it's entirely possible the SCIM identity is saved successfully and then the member addition fails.
It should be noted that we do return an error to the SCIM provider (such as Okta) in this case. Specifically, it says the user could not be added because they must have a SAML identity.
At the very least we should flip these calls around so we add the user first, and only save the identity if all else is successful.
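To make the ordering problem concrete, here is a small in-memory simulation of the two write orders described above. This is an added example, not GitLab's provisioning service: `Store`, `add_member`, `save_scim_identity` and the `provision_*` methods are hypothetical stand-ins, and "SSO enforcement" is modelled as `add_member` rejecting any user without a SAML identity. It shows the dangling SCIM identity left behind by the identity-first order, the member-first order proposed here, and a transactional variant that rolls both writes back together.

```ruby
# Added example (hypothetical names, not GitLab's code): simulates the
# non-transactional SCIM create path and two ways of fixing it.

class SamlRequiredError < StandardError; end

# Minimal stand-in for the database tables involved.
class Store
  attr_reader :scim_identities, :members, :saml_identities

  def initialize
    @scim_identities = {} # extern_uid => email
    @members         = {} # email => access level
    @saml_identities = {} # email => true once the user signed in via SSO
  end

  # Used by the transactional variant to roll back to a snapshot.
  def restore!(snapshot)
    @scim_identities = snapshot.scim_identities
    @members         = snapshot.members
    @saml_identities = snapshot.saml_identities
  end
end

# Models group member addition under SSO enforcement: a pre-existing user
# who has never authenticated via SSO has no SAML identity and is rejected.
def add_member(store, email)
  unless store.saml_identities[email]
    raise SamlRequiredError, "#{email} must have a SAML identity"
  end
  store.members[email] = :guest
  true
end

def save_scim_identity(store, extern_uid, email)
  store.scim_identities[extern_uid] = email
end

# Order as reported: identity saved first, then the member. The error is
# returned to the SCIM provider, but the SCIM identity is left behind.
def provision_identity_first(store, extern_uid, email)
  save_scim_identity(store, extern_uid, email)
  add_member(store, email)
  :created
rescue SamlRequiredError => e
  [:error, e.message]
end

# Proposed order: add the member first and only save the identity if that
# succeeded, so a failed membership leaves no SCIM identity.
def provision_member_first(store, extern_uid, email)
  add_member(store, email)
  save_scim_identity(store, extern_uid, email)
  :created
rescue SamlRequiredError => e
  [:error, e.message]
end

# Alternative: keep the original order but make both writes atomic.
# A real implementation would use a database transaction; here the
# rollback is simulated with a deep-copied snapshot of the store.
def provision_transactional(store, extern_uid, email)
  snapshot = Marshal.load(Marshal.dump(store))
  save_scim_identity(store, extern_uid, email)
  add_member(store, email)
  :created
rescue SamlRequiredError => e
  store.restore!(snapshot)
  [:error, e.message]
end
```

Run `provision_identity_first` against a store where the user has no SAML identity and the call returns an error while `scim_identities` still contains the new row; `provision_member_first` and `provision_transactional` return the same error and leave `scim_identities` empty. Once the user has signed in via SSO (a `saml_identities` entry exists), all three create both the identity and the membership.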