Automatically link users with existing accounts and a verified-domain email to the organization's SAML and make them a member of the org's top-level group

Proposal

A user has a local GitLab.com account that is not regularly used and is not SAML-linked to the organization (perhaps they left the org and rejoined later, or perhaps they created a local account a long time ago to try out GitLab).

The account's primary email address belongs to the org's verified domain and there are no secondary email addresses configured. They no longer have access to their local account password.

The user now needs to log in using SAML and work in the org's namespace. When they go to the SAML login page and enter their SAML account details they are presented with the message "There is already a GitLab account associated with this email address. Sign in with your existing credentials to connect your organization's account" and are expected to log in to their local account and authorize the SAML linking.

Before they can do this they must reset their forgotten password via the "Forgot your password" link and the resulting email, then log in and authorize the SAML link. They may even have forgotten they ever had a GitLab.com account and be quite confused by this process.

When a new user (without an existing account) logs in via SAML, the user account is created automatically, and with a verified domain there is no additional step required: the user is simply logged in and made a member of the top-level group.

This one-step experience could be replicated for users with an existing account if we treated the existing account as already within the scope of the organization's enterprise users when all of the following hold: its primary email address is in the organization's verified domain, it has no other email addresses, and that email is associated with a SAML account the user can successfully log in with. When such a user authenticates via SAML, the existing account would be linked automatically, the user made a member of the top-level group, and logged in.
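To make the proposed decision rule concrete, the following Ruby is an added example written for this proposal; it is not GitLab's code and does not use GitLab's internal APIs. It assumes a hypothetical account record (primary email, secondary emails, existing SAML link flag) and a hypothetical SAML assertion (email, organization), and it uses a constructed table of verified domains. It returns one of four outcomes so that the "auto-link" path is taken only when every criterion in the proposal holds, and every other case falls back to today's manual linking flow (or to account creation when no account exists). Email comparison is case-insensitive on the whole address for simplicity, which is a choice made here rather than something the proposal specifies.

```ruby
require 'set'

# Hypothetical records for this example (not GitLab's models).
Account = Struct.new(:primary_email, :secondary_emails, :saml_linked, keyword_init: true)
SamlAssertion = Struct.new(:email, :org, keyword_init: true)

# Constructed sample data: domains each organization has verified.
VERIFIED_DOMAINS = {
  'acme' => Set.new(['acme.example'])
}.freeze

# Domain part of an email address, lower-cased; nil if the address has no '@'.
def email_domain(email)
  email.to_s.downcase.split('@', 2)[1]
end

# Decide how a SAML login for `assertion` should treat `account` (nil when no
# local account has that email). Returns [decision, reason] where decision is
# one of :create_new, :already_linked, :auto_link, :manual_link.
def auto_link_decision(account, assertion)
  return [:create_new, 'no existing account for this email'] if account.nil?
  return [:already_linked, 'account is already SAML-linked'] if account.saml_linked

  # Criterion: no secondary email addresses on the account.
  secondary = account.secondary_emails || []
  return [:manual_link, 'account has secondary email addresses'] unless secondary.empty?

  # Criterion: the SAML assertion's email is the account's primary email.
  unless account.primary_email.to_s.downcase == assertion.email.to_s.downcase
    return [:manual_link, 'SAML email does not match the primary email']
  end

  # Criterion: the primary email's domain is verified for this organization.
  domain = email_domain(account.primary_email)
  verified = VERIFIED_DOMAINS.fetch(assertion.org, Set.new)
  unless domain && verified.include?(domain)
    return [:manual_link, "domain #{domain.inspect} is not verified for #{assertion.org}"]
  end

  [:auto_link, 'primary email in verified domain, no secondary emails, SAML email matches']
end

# Look up the local account by the assertion email (case-insensitive) and decide.
def handle_saml_login(accounts, assertion)
  account = accounts.find { |a| a.primary_email.to_s.downcase == assertion.email.to_s.downcase }
  auto_link_decision(account, assertion)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts.
  accounts = [
    Account.new(primary_email: 'Jane@acme.example', secondary_emails: [], saml_linked: false),
    Account.new(primary_email: 'bob@acme.example', secondary_emails: ['bob@personal.example'], saml_linked: false)
  ]
  ['jane@acme.example', 'bob@acme.example', 'new@acme.example'].each do |email|
    decision, reason = handle_saml_login(accounts, SamlAssertion.new(email: email, org: 'acme'))
    puts "#{email}: #{decision} (#{reason})"
  end
end
```

Each criterion is a separate early return with its own reason, so an audit log of why a login did or did not auto-link can be produced without re-deriving the rule, which is the part a reviewer of the account-ownership concerns in this proposal would most want to see.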

There may be security and account ownership issues with this proposal that I have not considered and which rule this proposal out - if so it would be good to record them here for future reference.