SCIM docs: Feedback and clarifying questions from customer
As of creation, the issue is a copy/paste of feedback and questions from a particular customer (with the name redacted). This will require cleanup on what is actionable and a proposal on what to change.
Feedback
SSO docs do not tell a "story" that pieces together the user journey for SSO
Response: should it? The docs focus on an "admin" configuring SSO, not the user flow.
Questions
2FA questions
- I enabled this setting when SSO wasn't set up. What's the user impact when SSO is enabled with SCIM?
- There’s a grace period configuration for 2FA enablement. How is this impacted by SCIM?
- What happens to users that do not have 2FA enabled when this is enforced?
- Is this even necessary if there’s a 2FA on the IdP and we’re enforcing SSO logins?
Note: Not sure how 2FA would be related/impact SSO.
User Life Cycle
- When SCIM creates a new gitlab.com user account, is there any notification to the user that an account has been created for them?
- If the above is true, do I even need to add the domain restrictions as the users won't be able to log into the Group? The only caveat I can think of is if I don't enforce SSO for git operations, would those users be able to interact with the repos via their SSH keys?
- May have asked yesterday, but my understanding is that everyone accessing the Group will be forced into the SSO login flow and will need to authenticate to the IdP. Is that true?
- What is the impact of enforcing SSO login for users who are already members of the Group/Sub-Group? Will they be automatically removed if their user account isn't associated with their company email address?
- Will SCIM automatically remove current users that don't have their company email accounts associated with their gitlab.com accounts when I first enable it?
- Some large organizations have an automated script that will deactivate users that have no activity after a certain time period. How does that script get impacted if we use SCIM? Will SCIM automatically re-enable the user?
- SCIM will automatically remove users from the Group/Sub-Group and deactivate the user.
- What does ‘deactivating’ a user mean when using SCIM?
- What's the impact of deactivation on users that created their own accounts vs. users that were created by SCIM?
  - Will they still be forced into the SSO login flow since their account email matches the company domain?
  - Will the users that created their own accounts still be able to log in to their gitlab.com account with their old password?
  - Will users that have SCIM-created accounts be able to reset their gitlab.com password so they can log in without SSO?
- For users that already have GitLab.com accounts
  - Once we enable/enforce SSO, will they be able to use their non-SSO passwords to access their account when they are not viewing our Group?
  - What happens to users who have gitlab.com accounts tied to their company email addresses but are not members of the Group? Will they be forced to log in with SSO?
- For users that have their gitlab.com accounts created via SCIM
  - What is their login experience like when they are trying to access gitlab.com resources that are outside of our Group? Will they be asked to authenticate?
  - If so, what will they use to authenticate with, and do they still have the 24hr limit on their session?
- Your documentation provides details on how users can unlink their account from SAML.
  - How does this work when we have SCIM enabled?
  - Do we need to have users manually unlink their accounts when we deprovision them?
See also answers in (internal) doc: https://docs.google.com/document/d/1Q0RCE9rshoS9zE97QOgJERQE6ztfulNs6DXIkziMbPg/edit
Edited by Cynthia "Arty" Ng