SAML Group Sync should include Minimal Access at top-level
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Release notes
Problem to solve
When using SAML Group Sync, we warn that users who are not in any linked group will be removed. The current workaround at the top level is to have everyone in at least one group. However, Minimal Access is not an option for Group Sync roles.
This can cause odd access issues, such as in https://gitlab.zendesk.com/agent/tickets/219713, where it appears that when a user signs in, they are removed from the top-level group because they are not in a SAML group, then re-added through the SAML Default Role. The problem is that the user gets a 404 when they first sign in because of that initial removal.
Note: The behavior in which the user is re-added to the group via the SAML Default Role is not consistent in all cases.
Proposal
Add the Minimal Access role to the list of roles available for top-level SAML Group Sync.
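As an added illustration, not GitLab's own code, here is a small Ruby model of the top-level sync decision described above and of the allowed-role check this proposal changes; the role names, the group-link format and the "sync removes first, default role re-adds" ordering are assumptions made for the example.

```ruby
# Hypothetical model of top-level SAML Group Sync; not GitLab's implementation.
# Role names, link format and the sync/default-role ordering are assumptions.
ACCESS_LEVEL = { minimal: 5, guest: 10, reporter: 20, developer: 30,
                 maintainer: 40, owner: 50 }.freeze

# Roles a top-level group link may carry. Today Minimal Access is missing;
# the proposal adds it, so the set is parameterised on that flag.
def allowed_link_roles(minimal_access_enabled: false)
  roles = ACCESS_LEVEL.keys - [:minimal]
  minimal_access_enabled ? roles + [:minimal] : roles
end

def valid_link?(link, minimal_access_enabled: false)
  allowed_link_roles(minimal_access_enabled: minimal_access_enabled).include?(link[:access])
end

# Group sync: the user keeps the highest role among links whose SAML group
# appears in the assertion; with no match the user is removed (:none).
def sync_access(group_links, saml_groups)
  matched = group_links.select { |l| saml_groups.include?(l[:saml_group]) }
  return :none if matched.empty?
  matched.map { |l| l[:access] }.max_by { |r| ACCESS_LEVEL[r] }
end

# Sign-in as the issue describes it: sync runs first, then the SAML default
# role may re-add a removed user. The initial removal is what causes the 404.
def sign_in(group_links, saml_groups, default_role: nil)
  after_sync = sync_access(group_links, saml_groups)
  removed = after_sync == :none
  { removed_during_sync: removed,
    final_access: removed ? (default_role || :none) : after_sync }
end

# Constructed input: a catch-all IdP group linked to Minimal Access keeps
# every user present at the top level without granting Guest.
if __FILE__ == $PROGRAM_NAME
  links = [{ saml_group: "all-staff", access: :minimal },
           { saml_group: "devs", access: :developer }]
  puts valid_link?(links[0])                               # rejected today
  puts valid_link?(links[0], minimal_access_enabled: true) # accepted with the proposal
  p sign_in(links, ["all-staff"])                          # stays, minimal access
  p sign_in(links, [], default_role: :guest)               # removed, then re-added as guest
end
```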
What risks does this change pose to our availability?
This is a low risk feature for GitLab.com and self-managed availability.
What additional test coverage or changes to tests will be needed?
- When Minimal Access is selected as the access level, all users who are not part of a linked group in the IdP are added to the group with Minimal Access, and they are able to sign in correctly.
- When no Minimal Access group link is available or set, users who are not part of a linked group in the IdP are removed from the top-level group. In this case, ensure that they do not see a 404 when they try to sign in.
Will it require cross-browser testing?
N/A