Groups SSO SAML: Disable SSO (enforce) if plan expires
Problem to solve
When a group's plan expires or is otherwise no longer Silver+, we should disable SAML or at least SSO enforce so that group member management is not blocked.
Came up in the following tickets (internal):
- https://gitlab.zendesk.com/agent/tickets/135324
- https://gitlab.zendesk.com/agent/tickets/135839
- https://gitlab.zendesk.com/agent/tickets/141724
Proposal
Disable SAML but keep all the information so that a group owner can simply turn it back on.
What happens to the SAML identity if the SAML config is disabled and re-enabled? If this is a problem, we should at least disable SSO enforcement (and keep SAML on).
Permissions & Security
Consideration: group members can be added manually once SSO enforcement is turned off. Perhaps we should display a banner or some such for a small number of days? Or would we expect users to understand that this is the case since the plan has expired?
Documentation
Add a note to https://docs.gitlab.com/ee/user/group/saml_sso/
What does success look like, and how can we measure that?
Groups who set up Group SSO for testing can still manage members after plan downgrades.