SCIM get users endpoint should search for users by truncated email address
The SCIM Get Users endpoint currently searches for users by `extern_uid`, `username` and any email address. See https://gitlab.com/gitlab-org/gitlab/-/blob/f0adb9d54f72892a101f88a3449e13ae7ce7aa16/ee/app/finders/scim_finder.rb#L46 and specifically https://gitlab.com/gitlab-org/gitlab/-/blob/f0adb9d54f72892a101f88a3449e13ae7ce7aa16/ee/app/finders/scim_finder.rb#L75
The latter method above should also fall back to looking up a user by a truncated email address. Here are the possible ways a SCIM provider might send a username filter:
- Using the `extern_uid` that the SCIM provider uses to uniquely identify the user.
- Using the `username` which maps exactly to the GitLab username. This would be correct in case the SCIM provider sends an exact `username` attribute and not an email address upon user creation.
- Using the `email` attribute. This would work in case the user has the same email address set as their SCIM username and also set on their GitLab account.
- NEW case: Using a truncated email address. We should add this because a SCIM provider might send an email address as the SCIM username upon creation. When GitLab creates the user it truncates the email address and keeps only the local part. In cases where the email address sent as the username is not the same as the one sent as the actual email attribute (we have a customer with this specific case), a subsequent lookup will fail.
We can add this as a third condition at https://gitlab.com/gitlab-org/gitlab/-/blob/f0adb9d54f72892a101f88a3449e13ae7ce7aa16/ee/app/finders/scim_finder.rb#L76
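
The failing lookup and the proposed fallback, as an added plain-Ruby illustration that is not GitLab's `ScimFinder` code. The `User` struct, the method names, the sample data, the case-insensitive comparison and the exact-match-first ordering are all assumptions made for the example.

```ruby
# Added illustration, not GitLab's ScimFinder. All names here are hypothetical.
User = Struct.new(:extern_uid, :username, :emails, keyword_init: true)

# Constructed sample data: the IdP sent "jane.doe@idp.example" as the SCIM
# userName and a different address as the email attribute. On creation the
# username was truncated to the local part, "jane.doe".
USERS = [
  User.new(extern_uid: "a1b2c3", username: "jane.doe", emails: ["jane@corp.example"]),
  User.new(extern_uid: "d4e5f6", username: "sam", emails: ["sam@corp.example"])
].freeze

# Local part of an email-shaped value, or nil when the value is not email-shaped.
def email_local_part(value)
  local, domain = value.split("@", 2)
  return nil if local.nil? || local.empty? || domain.nil? || domain.empty?

  local
end

# Behaviour described in the issue: extern_uid, then username, then any email.
def find_current(users, filter_value)
  users.find { |u| u.extern_uid == filter_value } ||
    users.find { |u| u.username.casecmp?(filter_value) } ||
    users.find { |u| u.emails.any? { |e| e.casecmp?(filter_value) } }
end

# Proposed behaviour: exact matches first, then the truncated email address.
# The fallback only runs for email-shaped values, so a plain username or
# extern_uid filter is never reinterpreted.
def find_with_truncated_email(users, filter_value)
  found = find_current(users, filter_value)
  return found if found

  local = email_local_part(filter_value)
  return nil unless local

  users.find { |u| u.username.casecmp?(local) }
end
```

Filtering on `jane.doe@idp.example` returns nothing from `find_current` but resolves to the `jane.doe` account through `find_with_truncated_email`.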