Hide ability to invite members to groups where SSO is enforced

Problem to solve

When SSO is being enforced while using Group SSO, we also restrict that group and its children from manually adding members.

We should also hide the ability to invite members via the UI, or at least add messaging that this functionality is restricted or an error explaining why an invitation won't send. Currently, it fails silently.

The Invite users form does not work as expected if SSO Enforcement is enabled on the group it's being used from. At present it seems to simply serve as a way to invite users to sign up for a GitLab.com account if they don't already have one, and the generated invite doesn't explain to the user how to then join the group, which in these cases requires the user to run through the steps outlined in Linking SAML to your existing GitLab.com account.

Example

  • If SSO Enforcement is disabled on a group, then the Invite members form works as expected. When trying to add a user based on username, you'll see matches populate in the dropdown list. Likewise, if you enter an email address into the form, an invite email is sent out to the email address.

  • However, if SSO Enforcement is enabled on a group, the dropdown list will never populate when you enter usernames. You'll see an error message stating No matches found. This occurs even if you specify an exact username that you know exists on GitLab.com. You won't be able to click Invite.

  • If you specify an email address and it's already associated with an existing GitLab.com account, you'll see an error message that states The member's email address is not linked to a SAML account after clicking Invite.

  • If you specify an email address and it's not already associated with an existing GitLab.com account, you can send an invite. The email that is sent out to the user tells them they're invited to join the group the invite was sent from; however, this only ever leads the user to create a GitLab.com account, and it doesn't actually guide the user through how they can become a member of the group that triggered the invite. The user won't be a member of the group after registering a GitLab.com account since the group is behind SSO Enforcement.

  • Inside the group itself, the invited user will appear under the Invited tab within the Group members; however, this doesn't really seem to be of meaningful consequence when the user has not been informed that they'll need to take further action to join the group they were invited to, such as by running through the steps to Linking SAML to an existing GitLab.com account.

Intended users

Related Support Tickets (internal)

Links / references