Permit multiple email addresses during user provisioning via SCIM

Release notes

With this update, it is possible to specify one or more additional email addresses for automatic association with an account at the time that account is provisioned via SCIM. It is no longer necessary for this to be done after the account has been created.

Problem to solve

Today, we use emails[type eq "work"].value as the email address when provisioning a user via SCIM.

In SCIM, emails is a multi-value attribute. Users may have one or more additional email addresses. Today, they have to add those addresses manually after their account is provisioned via SCIM.

Proposal

Adjust the way GitLab handle SCIM provisioning to consume all email addresses associated with a user.

I believe that there are two cases to cover:

In addition to adding the primary email address with a type of work, also add:

• Multiple emails where the type is work (and only one if the primary)
• Multiple emails where the type is not work

📚 Info/Resources

• RFC7644: System for Cross-domain Identity Management: Protocol

The SCIM API accepts a field called emails and describes it as Work email.

• We should also clarify whether multiple email addresses are accepted by this system-only endpoint.

Intended users

• Cameron (Compliance Manager)
• Delaney (Development Team Lead)
• Sidney (Systems Administrator)
• Alex (Security Operations Engineer)

Feature Usage Metrics

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.