When SAML and/or SCIM is Enabled, Users Outside the Organization should not be able to be added

Proposal

As an administrator, I want to have ultimate control over the users that can be added to my GitLab instance so that I am not paying for seats I didn't intend to.

When I have SAML/SCIM configured, I want the option for only users that originate from the provider and/or SCIM to be added.

Considerations

  • This should be optional - there are many use cases for wanting both external users and users originating from the provider to co-exist
  • Is this an admin level configuration, or should it sit at a different level? Ex: Some groups may want to add external users, others not.
  • Does an invited account generate a billable seat?

Context

This came from a customer who is struggling with users being added (and therefore automatically increasing seat count) when groups are invited to a project.

When a single member is invited to a project, the seat is not consumed until that user interacts with GitLab. With group invites, all of the members of the group are automatically added to the project.

This has led to the customer having to intervene manually and delete the users who never actually logged in, in order to reduce their seat count.

Edited by 🤖 GitLab Bot 🤖