Keep SAML Identity when deprovisioning via SCIM
Currently, on SCIM deprovision we remove the user's SAML identity and set the SCIM identity to active: false. But this means that if a user is reprovisioned they have no SAML identity and they cannot sign in. Enterprise users without a local GitLab database password lose access to their account, and it cannot be reprovisioned/associated properly.
I see no reason why we can't leave the SAML identity when we deprovision via SCIM. On deprovision we remove the user from all group/project membership. Generally, the user is also unable to sign in again via SAML because they've been deactivated from the IdP, which is what caused the SCIM deprovision anyway. Also, currently if a user does know their local password and if somehow they could still sign in via SAML, they could reassociate their account anyway. I don't think we risk anything security-wise with this change.
It will also be helpful once we roll out features such as Add new setting for enable/disable password Aut... (#373718) and other enterprise features like Enterprise Users - MVC: Automatic Claim of exis... (#322039 - closed)