Questions for instance-level SCIM
While working on instance-level scim endpoints for (MR), some questions came up about the plan for instance-level scim as a feature. I could not find answers to these questions in @bdenkovych's original high level plan for instance scim nor in the epics (epic 1, epic 2) for instance scim.
Because I was working on it near the end of a week before I took PTO, I decided to write down these questions in the form of an issue. If the answer to any of these questions is "yes, we need to address this" then an issue should be created for that feature/topic.
Questions:
- "Allowed domains" (feature with name `group_allowed_email_domains`) are a group-level feature so not relevant to instance-level scim, right?
- We are not setting the `provisioned_by_group` attribute on users who are provisioned by instance-level scim. Is that problematic? Should we have something similar?
- We have a constraint that the last group owner cannot be de-provisioned by group SCIM. Should we do something similar so that the last instance admin cannot be deprovisioned by instance scim?
- Are we going to allow more than one configuration per instance? Currently there are no constraints.
- Do we want to be able to link scim and saml identities for instance-wide scim like we can with group scim? https://docs.gitlab.com/ee/user/group/saml_sso/scim_setup.html#link-scim-and-saml-identities
Edited by 🤖 GitLab Bot 🤖