SAML should fall back to Default role if not in Group Sync at top-level group
Proposal
At the top-level group, if SAML Group Links are used, the group maintainers must ensure they create sufficient group links for all users who would sign in via SAML. If they don't, users who aren't in any linked group will be able to authenticate successfully but will immediately have their access and SAML identity removed.
This has caused a lot of customer confusion. For example, a customer might want all their users to be `Minimal Access` or `Developer` level but add a SAML Group Link to cover `Maintainer`s. This won't work currently - if they add only a `Maintainer` group then all other users will be removed. They would need to add other groups covering all users within the top-level group.
With that in mind, I think it makes sense to move the user back to the default role if they don't match the given top-level group links. This isn't a security problem because SAML Group Sync only happens when the user has already successfully authenticated via SAML.
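To make the two behaviours concrete, here is a small Ruby model of the top-level group sync decision, written for this issue as an added example and not taken from GitLab's code base. Role names, the access-level numbers, the `sync_top_level_membership` function, the rule that the highest matching link wins when several match, and the scenario data (a customer who links only a `Maintainer` group) are all assumptions or constructed inputs; `fallback: false` reproduces the current behaviour (membership and SAML identity removed when no link matches) and `fallback: true` the proposed one (fall back to the default role). The `saml_authenticated` guard models the point above that Group Sync only runs after a successful SAML sign-in.

```ruby
# Added example, not GitLab's own code. Access-level numbers are assumptions.
ACCESS_LEVELS = { minimal_access: 5, guest: 10, reporter: 20,
                  developer: 30, maintainer: 40, owner: 50 }.freeze

# Decide one user's membership outcome at the top-level group after a SAML sign-in.
#   group_links:        { "saml-group-name" => :role } - the configured SAML Group Links
#   user_saml_groups:   group names carried in the user's SAML assertion
#   default_role:       the group's default role (nil if none configured)
#   fallback:           false = current behaviour, true = proposed behaviour
#   saml_authenticated: sync is only ever run for a successfully authenticated user
# Returns nil when no sync is performed, otherwise
#   { access_level: Integer or nil, saml_identity: true/false }
# where a nil access_level with saml_identity false means access and identity were removed.
def sync_top_level_membership(group_links:, user_saml_groups:, default_role:,
                              fallback: false, saml_authenticated: true)
  # Group Sync never runs for an unauthenticated principal, so there is nothing to decide.
  return nil unless saml_authenticated

  matched_roles = group_links.select { |name, _| user_saml_groups.include?(name) }.values

  unless matched_roles.empty?
    # Assumption: when several links match, the highest role wins.
    level = matched_roles.map { |role| ACCESS_LEVELS.fetch(role) }.max
    return { access_level: level, saml_identity: true }
  end

  # No link matched. Proposed behaviour: keep the user at the group's default role.
  if fallback && default_role
    return { access_level: ACCESS_LEVELS.fetch(default_role), saml_identity: true }
  end

  # Current behaviour: the user authenticated fine but is removed immediately.
  { access_level: nil, saml_identity: false }
end

# Constructed scenario from the issue: only a Maintainer group is linked,
# while the customer wants everyone else to be a Developer.
LINKS = { "idp-maintainers" => :maintainer }.freeze

# A regular engineer (not in the linked group) under the current behaviour.
def scenario_current
  sync_top_level_membership(group_links: LINKS, user_saml_groups: ["idp-engineering"],
                            default_role: :developer, fallback: false)
end

# The same engineer under the proposed fallback.
def scenario_proposed
  sync_top_level_membership(group_links: LINKS, user_saml_groups: ["idp-engineering"],
                            default_role: :developer, fallback: true)
end

# A user who is in the linked Maintainer group: unchanged by the proposal.
def scenario_maintainer
  sync_top_level_membership(group_links: LINKS,
                            user_saml_groups: ["idp-maintainers", "idp-engineering"],
                            default_role: :developer, fallback: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "current behaviour:  #{scenario_current.inspect}"
  puts "proposed behaviour: #{scenario_proposed.inspect}"
  puts "linked maintainer:  #{scenario_maintainer.inspect}"
end
```

Running it shows the engineer being removed today (`access_level: nil`, identity dropped) and landing at Developer (30) under the proposal, while the linked maintainer resolves to 40 in both cases; nothing is decided at all for a caller that has not passed SAML authentication.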
This will create a better experience for users and cause less confusion for GitLab.com admins/maintainers.