SCIM sync issue

Summary

As of yesterday or today, numerous Azure AD Group SAML setups that also have SCIM configured are having issues.

Example Tickets

Internal links:

  • https://gitlab.zendesk.com/agent/tickets/136406
  • https://gitlab.zendesk.com/agent/tickets/136394
  • https://gitlab.zendesk.com/agent/tickets/136430
  • https://gitlab.zendesk.com/agent/tickets/136472

For additional context, see the Slack discussion.

What is the current bug behavior?

Users cannot log in

What is the expected correct behavior?

Users can log in.

Probable resolution

We believe that the issue has to do with a mismatch between NameID and the id/externalID mapping attributes. Due to our implementation, users are initially created with NameID, but when Azure AD sends an update, GitLab updates the GitLab extern_uid (which should match NameID) to whatever id (or in some cases externalID) Azure AD is specifying. When trying to log in after this update, GitLab expects the extern_uid it has saved, but instead receives the NameID, so there's a mismatch.

To resolve the issue, please update your mapping attributes to follow what our documentation specifies, particularly for the required attributes: id, externalID and email (see the docs screenshot for the final mapping setup).

Once the mapping is updated and configured as per our documentation, we believe that the issue will be fixed on the next Azure AD sync (by default every 40 minutes).
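The following Ruby model is an added illustration of the drift described above, not GitLab code or anything from the issue author: an identity is provisioned with extern_uid equal to the SAML NameID, a SCIM update overwrites extern_uid with the mapped id/externalId value, and the next SAML login (which still presents the NameID) fails. The Azure AD attribute names used (objectId, userPrincipalName, mail), the two mapping choices, and the toy store and login logic are assumptions for the demo; the documented mapping referenced above is the authority for the real fix.

```ruby
# Added illustration, not GitLab code. Attribute names on the Azure AD side
# and the mapping choices below are assumptions for this demo.

# One GitLab SAML identity: extern_uid is what a later SAML login is checked against.
Identity = Struct.new(:email, :extern_uid)

class IdentityStore
  def initialize
    @by_email = {}
  end

  # Initial provisioning: the identity is created with extern_uid = SAML NameID.
  def provision(email:, name_id:)
    @by_email[email] = Identity.new(email, name_id)
  end

  # Incoming SCIM update: the value Azure AD maps to id/externalId overwrites extern_uid.
  def scim_update(email:, external_id:)
    ident = @by_email.fetch(email)
    ident.extern_uid = external_id
    ident
  end

  # SAML login: the assertion's NameID must equal the stored extern_uid.
  def saml_login?(email:, name_id:)
    ident = @by_email[email]
    !ident.nil? && ident.extern_uid == name_id
  end

  # Audit helper: emails whose stored extern_uid no longer equals the NameID
  # the IdP will send, i.e. the accounts whose next login will fail.
  def drifted(expected_name_ids)
    @by_email.values
             .reject { |i| expected_name_ids[i.email] == i.extern_uid }
             .map(&:email)
  end
end

# Constructed Azure AD user object (values are made up for the demo).
AZURE_USER = {
  'objectId'          => '8d3b6e5a-0000-4000-8000-000000000001',
  'userPrincipalName' => 'alice@example.com',
  'mail'              => 'alice@example.com'
}.freeze

# Provision, apply one SCIM sync, then attempt a SAML login, with NameID and
# externalId each sourced from the named Azure AD attribute. Returns whether the
# login succeeded and which identities the audit helper flags as drifted.
def simulate(name_id_attr:, external_id_attr:)
  store   = IdentityStore.new
  email   = AZURE_USER['mail']
  name_id = AZURE_USER.fetch(name_id_attr)

  store.provision(email: email, name_id: name_id)
  store.scim_update(email: email, external_id: AZURE_USER.fetch(external_id_attr))

  {
    login_ok: store.saml_login?(email: email, name_id: name_id),
    drifted:  store.drifted(email => name_id)
  }
end

# Mismatched mapping: NameID from the UPN, externalId from the objectId. The sync
# rewrites extern_uid to the objectId, the next SAML login sends the UPN, and it fails.
MISMATCHED = simulate(name_id_attr: 'userPrincipalName', external_id_attr: 'objectId')

# Consistent mapping: NameID and externalId from the same attribute. Login survives the sync.
CONSISTENT = simulate(name_id_attr: 'objectId', external_id_attr: 'objectId')

if __FILE__ == $PROGRAM_NAME
  puts "mismatched mapping: #{MISMATCHED.inspect}"  # login_ok: false, drifted: ["alice@example.com"]
  puts "consistent mapping: #{CONSISTENT.inspect}"  # login_ok: true, drifted: []
end
```

The point of the `drifted` helper is that the breakage is silent until the user's next login: comparing each stored extern_uid with the value the IdP will actually send as NameID is the check that surfaces affected accounts before they open a ticket, and it is also the condition that clears after a corrected mapping syncs.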

Output of checks

  • GitLab.com, 12.5.201910210010-d92a13b6.bef851d243d
  • Canary is on 12.5.201910212010-198c797e.0b24e743f01
Edited Oct 24, 2019 by Cynthia "Arty" Ng