NameID configuration changes on (Group) SAML identity providers occur too frequently
Problem
Multiple customers have had problems with SSO because the NameID sent by the identity provider no longer matches the value we have stored. It is essential that the NameID does not change, because we rely on it to identify users. For SAML, a change here leaves users unable to log in with no indication of why. For SCIM, it can lead to duplicate users being created, because the provisioning request looks like it refers to a user that does not exist.
We need to do more to help customers avoid this, both by improving our documentation so the requirement is clear and, if possible, by preventing it in the product.
Related
Possible solutions
Docs:

- Document a strong, bold warning that changing the NameID configuration will break SAML SSO (#33706 (closed))
- Where we recommend using objectid as the NameID, also note that an existing value must not be changed once users have signed in (#33706 (closed))
- Re-arrange the docs so the NameID section immediately follows the initial configuration, instead of coming after the enforcement and group-managed sections (#33706 (closed))
- Make it easier to recover from NameID changes (#33378 (closed))
App:

- Make it easier to notice that this is the problem by providing a more descriptive error message instead of "User has already been taken" (#33713)
- Ideally, have an automated way of detecting when the NameID structure has changed: possibly an error when using the Test SSO button, possibly by detecting a change in the NameID Format
- Show a warning when the NameID Format is 'email' or 'transient', as these values are more likely to change (#33714 (closed))
- Try to detect the presence of usernames or email addresses in the NameID, possibly by looking at entropy, and show a warning when testing SAML. We advise an opaque, randomly generated ID, and a warning while SAML is being set up would reduce the risk of the value being changed later (#33714 (closed))
- Show the SAML response when using the test button. Exposing this information to group admins early on might help them solve other related issues (#33714 (closed))
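The detection ideas above (flagging transient or email NameID formats, spotting username- or email-like values by entropy, and noticing a Format change against what was stored) can be sketched in Ruby. This is an added example written for this issue, not GitLab's own code; the 40-bit entropy threshold, the regexes, and the two sample responses are constructed assumptions, and the heuristics are exactly that, so a numeric-only identifier from an IdP will also trip the low-entropy warning.

```ruby
require 'rexml/document'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# NameID formats whose values are expected to change over time: transient
# by definition, and email addresses change whenever a person is renamed.
UNSTABLE_FORMATS = [
  'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
].freeze

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/
# Assumed threshold: an opaque ID such as a UUID or objectid carries well over
# 40 bits of apparent entropy; a short human-chosen username does not.
MIN_ENTROPY_BITS = 40.0

# Pull the NameID value and its Format attribute out of a SAML Response.
def name_id_from_response(xml)
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '//saml:Subject/saml:NameID', SAML_NS)
  return nil if node.nil?
  { value: node.text.to_s.strip, format: node.attributes['Format'].to_s }
end

# Shannon entropy of the character distribution, scaled by length, so that a
# 36-character UUID scores far higher than "jsmith".
def apparent_entropy_bits(value)
  return 0.0 if value.empty?
  len = value.length.to_f
  per_char = value.each_char.tally.values.sum do |count|
    p = count / len
    -p * Math.log2(p)
  end
  per_char * len
end

def name_id_warnings(name_id)
  value, format = name_id.values_at(:value, :format)
  warnings = []
  if UNSTABLE_FORMATS.include?(format)
    warnings << "NameID Format #{format} is likely to change; use a persistent, opaque identifier"
  end
  if value.match?(EMAIL_RE)
    warnings << 'NameID value is an email address, which changes when the user is renamed'
  elsif apparent_entropy_bits(value) < MIN_ENTROPY_BITS
    warnings << 'NameID value looks like a human-chosen username; prefer an opaque ID such as objectid'
  end
  warnings
end

# What a "Test SSO" button could report for a response.
def check_saml_response(xml)
  name_id = name_id_from_response(xml)
  return ['Assertion contains no NameID'] if name_id.nil?
  name_id_warnings(name_id)
end

# Compare the NameID a user previously signed in with against the one in a
# fresh response; a Format change is the failure mode this issue describes.
def name_id_change(stored, current)
  if stored[:format] != current[:format]
    "NameID Format changed from #{stored[:format].inspect} to #{current[:format].inspect}; existing users will not match"
  elsif stored[:value] != current[:value]
    "NameID value changed from #{stored[:value]} to #{current[:value]}"
  end
end

# Constructed, unsigned sample responses for demonstration only.
EMAIL_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion><saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject></saml:Assertion>
  </samlp:Response>
XML

OBJECT_ID_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion><saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:NameID>
    </saml:Subject></saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts check_saml_response(EMAIL_RESPONSE)
  puts check_saml_response(OBJECT_ID_RESPONSE).inspect
  puts name_id_change(name_id_from_response(EMAIL_RESPONSE), name_id_from_response(OBJECT_ID_RESPONSE))
end
```

The email-format response produces two warnings (unstable Format, email-shaped value), the persistent UUID produces none, and feeding the stored email NameID alongside the new UUID reports a Format change, which is the situation that currently surfaces only as "User has already been taken".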
Other:

- Get GitLab listed as an app for each identity provider to reduce the chance of NameID misconfiguration (#12251)