Entra ID create request for existing user fails with error when SCIM identity is inactive
Summary
When a GitLab user has a valid SAML identity and a valid SCIM identity, and they are removed from the Entra ID SCIM application, we mark the user's SCIM identity as active: false. However, if the user is re-added to the app, Entra ID sends a create action and we return a status 412 with the error message:
The member's email address is not linked to a SAML account or has an inactive SCIM identity.
This requires a group owner to use the internal SCIM API to set the user to active: true so that the user can use their account again.
This is at a minimum an annoyance for end users and group owners (GitLab team members, see Zendesk ticket #475480), but I also think it goes against the SCIM RFC:
In addition, the service provider SHOULD NOT consider the deleted resource in conflict calculation. For example, if a User resource is deleted, a CREATE request for a User resource with the same userName as the previously deleted resource SHOULD NOT fail with a 409 error due to userName conflict.
We're currently failing a create request with a 412, which conflicts with the definition above.
Steps to reproduce
It's not clear if this happens 100% of the time, but I suspect that it does. The below steps are unverified but should reproduce the issue.
- Configure Entra ID SAML and SCIM for a top-level GitLab group
- Add a test user to the group assigned to the SAML and SCIM app
- Initiate a manual SCIM sync or wait for the next scheduled sync
- Once the user is provisioned, confirm that you can sign into the account using SAML
- Remove the user from the group assigned to the app
- Initiate a manual SCIM sync or wait for the next scheduled sync
- Ensure that the user still has a SAML and SCIM identity
- Ensure that the user's SCIM identity is listed as active: false
- Re-add the user to the group assigned to the app
- Initiate a manual SCIM sync or wait for the next scheduled sync
- Observe the error message in the logs
Example Project
I don't have an example project right now, but I would love to reproduce this on a call (or async-ish) with an auth engineer :)
What is the current bug behavior?
Entra ID cannot properly re-activate a user's SCIM identity, which creates problems with group membership and account usage.
What is the expected correct behavior?
The user should be set to active: true when re-added to the Entra ID group associated with the SCIM app.
Relevant logs and/or screenshots
For the logs, please review the ticket. In the event that I reproduce this, I will upload a sample log.
Output of checks
This bug happens on GitLab.com
Possible fixes
When we receive a create request for a user (email) that already exists, we should set the user to active: true as long as:
- The user has a SAML identity
- The user has a SCIM identity that:
  - Is inactive
  - Has a matching extern_uid
Otherwise, we should return a descriptive error that includes the conflict.
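A sketch of the re-activation check described above, written as an added example in Ruby; it is not GitLab's code. The Identity and User structs, the function names, the sample user data, and the HTTP status codes used (201 when the identity is re-activated, 409 for the descriptive conflict error) are assumptions made for the example.

```ruby
# Added example (not GitLab's implementation): decide what to do with a SCIM
# create request whose email already belongs to an existing user.
# Identity/User structs, status codes and names below are assumptions.

Identity = Struct.new(:provider, :extern_uid, :active, keyword_init: true)
User = Struct.new(:email, :identities, keyword_init: true)
ScimCreateResult = Struct.new(:status, :active, :error, keyword_init: true)

def saml_identity(user)
  user.identities.find { |i| i.provider == :saml }
end

def scim_identity(user)
  user.identities.find { |i| i.provider == :scim }
end

# Re-activate the SCIM identity only when every condition from the proposed
# fix holds: SAML identity present, SCIM identity present, inactive, and its
# extern_uid matches the one in the create request. Otherwise return an error
# that names each conflict instead of a generic message.
def scim_create_existing_user(user, extern_uid:)
  saml = saml_identity(user)
  scim = scim_identity(user)

  problems = []
  problems << "no SAML identity" if saml.nil?
  problems << "no SCIM identity" if scim.nil?
  if scim
    problems << "SCIM identity is already active" if scim.active
    if scim.extern_uid != extern_uid
      problems << "SCIM extern_uid #{scim.extern_uid.inspect} does not match " \
                  "request extern_uid #{extern_uid.inspect}"
    end
  end

  if problems.empty?
    scim.active = true # flip active: false back to active: true
    return ScimCreateResult.new(status: 201, active: true, error: nil)
  end

  # 409 (conflict) is an assumption; the point is the descriptive message.
  ScimCreateResult.new(
    status: 409,
    active: scim&.active,
    error: "Cannot re-activate #{user.email}: #{problems.join('; ')}"
  )
end

# Constructed sample: a user deprovisioned by Entra ID, SCIM identity inactive.
def build_sample_user(scim_active: false, scim_uid: "entra-uid-123")
  User.new(
    email: "user@example.com",
    identities: [
      Identity.new(provider: :saml, extern_uid: "entra-uid-123", active: true),
      Identity.new(provider: :scim, extern_uid: scim_uid, active: scim_active)
    ]
  )
end

if $PROGRAM_NAME == __FILE__
  user = build_sample_user
  puts scim_create_existing_user(user, extern_uid: "entra-uid-123").inspect
  puts scim_create_existing_user(user, extern_uid: "other-uid").inspect
end
```

Running the file shows the inactive identity being re-activated on the first call and, on the second, the error naming both conflicts (already active and mismatched extern_uid) rather than the current one-size-fits-all 412 message.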