Enabling Group Managed Accounts before linking SAML can lock the owner out due to SSO Enforcement

Problem

SSO Enforcement combined with Group Managed Accounts can force the owner to create a new 'managed' account if they had not previously linked SAML to their existing account. Because this new account is added as a Guest, the group can end up with no user able to sign in as an Owner, making it impossible to turn enforcement off.

Steps to reproduce

  1. Enable feature flags: :enforced_sso, :enforced_sso_requires_session, :group_managed_accounts and :sign_up_on_sso.
  2. Sign in with password and create a group
  3. Do not use SAML to sign in yet.
  4. Configure SAML with Group Managed Accounts (first enable SSO enforcement)
  5. Save SAML settings
  6. User is asked to link SAML
  7. User is asked to create a new managed account
  8. (Email may conflict due to #13481 (closed) / #37929 (closed))
  9. New account is created, but does not have owner access. Original account cannot access the group due to SSO Enforcement.

Workaround

Ensure that SAML is linked to the Owner account, and has been used to sign in at least once, before enabling Group Managed Accounts.
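The lock-out in the reproduction steps above, and the pre-flight check behind the workaround, as an added illustration (this is not GitLab's code; `User`, `Group`, `AccessLevel` and the method names are assumptions made for this model). It shows why the unsafe path leaves no reachable Owner and how a guard that refuses to enable Group Managed Accounts until an Owner has linked SAML avoids it:

```ruby
# Added example, not GitLab's code: a minimal model of the lock-out described
# in this issue plus the pre-flight check a group owner would want before
# enabling Group Managed Accounts. All names here are assumptions.

module AccessLevel
  GUEST = 10
  OWNER = 50
end

User = Struct.new(:name, :saml_linked, keyword_init: true)

class Group
  attr_reader :members, :enforced_sso, :group_managed_accounts

  def initialize
    @members = {}               # User => access level
    @enforced_sso = false
    @group_managed_accounts = false
  end

  def add_member(user, level)
    @members[user] = level
  end

  def enable_enforced_sso!
    @enforced_sso = true
  end

  # Without enforcement any member can reach the group; with enforcement only
  # a member whose account already has a linked SAML identity can.
  def accessible_by?(user)
    return false unless @members.key?(user)
    return true unless @enforced_sso
    user.saml_linked
  end

  # The invariant this issue hinges on: at least one Owner must still be able
  # to sign in under enforcement, otherwise nobody can turn enforcement off.
  def owner_reachable?
    @members.any? { |user, level| level == AccessLevel::OWNER && accessible_by?(user) }
  end

  # Pre-flight check (the workaround, made mechanical): refuse to enable Group
  # Managed Accounts unless an Owner has already linked SAML, and roll back
  # enforcement so the group is never left in the locked state.
  def enable_group_managed_accounts!
    enable_enforced_sso!
    unless owner_reachable?
      @enforced_sso = false
      raise "refusing to enable group managed accounts: no Owner has linked SAML"
    end
    @group_managed_accounts = true
  end

  # The unsafe path from the steps: the owner who cannot pass enforcement is
  # prompted to create a new managed account, which joins as a Guest.
  def create_managed_account_for(user)
    managed = User.new(name: "#{user.name} (managed)", saml_linked: true)
    add_member(managed, AccessLevel::GUEST)
    managed
  end
end

# Steps 2-9 of the issue: SAML never linked, enforcement turned on anyway.
def reproduce_lockout
  group = Group.new
  owner = User.new(name: "owner", saml_linked: false)
  group.add_member(owner, AccessLevel::OWNER)
  group.enable_enforced_sso!
  managed = group.create_managed_account_for(owner)
  {
    original_owner_can_access: group.accessible_by?(owner),
    managed_account_level: group.members[managed],
    any_owner_reachable: group.owner_reachable?,
  }
end

# The workaround: the Owner linked SAML first, so the guard passes.
def safe_path
  group = Group.new
  owner = User.new(name: "owner", saml_linked: true)
  group.add_member(owner, AccessLevel::OWNER)
  group.enable_group_managed_accounts!
  group.owner_reachable?
end

# The guard rejects the unsafe path and leaves enforcement off.
def unsafe_path_rejected?
  group = Group.new
  owner = User.new(name: "owner", saml_linked: false)
  group.add_member(owner, AccessLevel::OWNER)
  begin
    group.enable_group_managed_accounts!
    false
  rescue RuntimeError
    !group.enforced_sso
  end
end
```

Running `reproduce_lockout` yields an original Owner who can no longer access the group, a managed account at Guest level, and no reachable Owner, which is exactly the state in step 9; `safe_path` and `unsafe_path_rejected?` show the two outcomes once the guard is in place.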

Screen recording

In the following video I set up Group Managed Accounts. For the first group I linked SAML beforehand and was able to continue using the non-managed Owner account. For the second group I hadn't linked SAML, so enforcement caused me to need to create a new Group Managed user, which ended up as a Guest.

Configuring Group Managed Accounts, first with SAML linked, then without

Edited Dec 03, 2019 by James Edwards-Jones