Add the ability to control who can authenticate to a group using SAML only when they have a SCIM identity
Proposal
Customer is seeking the ability to control who can authenticate to a group using SAML only when they have a SCIM identity.
Description
The dependency of SCIM on SSO does not help here, as there is no way for SSO to check that the SCIM identity exists for authenticated users.
At times a user may not have a SAML identity; when signing in through SSO they are granted one. This user is now a member of the customer group, but will not be controlled by SCIM if the customer's SCIM implementation does not cover every user that can successfully authenticate through their SSO.
In this case, once this user leaves the company, SCIM won't be able to de-provision them because they were not provisioned with a SCIM identity, so they will remain a member, and their personal access tokens and SSH keys would still have access through that group membership (the customer does not have the setting "Enforce SSO-only authentication for Git and Dependency Proxy activity for this group" enabled due to their pipelines setup).
Impact
The customer is currently limited in expanding their SCIM implementation. With this feature, they would be able to restrict the authentication/SSO side while they work on implementation blockers.
Having this feature would reduce a large overhead for customers with these limits as they attempt to manage users as they come and go.
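The gap described above can be audited from exported identity data. The following is an added example, not part of the original issue and not GitLab code: it lists members who hold a SAML identity without a matching SCIM identity, and models the requested sign-in check. The record layout, the field names, the function names and the assumption that the SAML identity and the SCIM `extern_uid` carry the same value are all assumptions of this sketch.

```python
from dataclasses import dataclass

# Constructed sample export. Field names are assumptions for this example,
# not a GitLab API schema.
MEMBERS = [
    {"user": "alice", "saml_uid": "alice@example.com", "pats": 1, "ssh_keys": 2},
    {"user": "bob", "saml_uid": "bob@example.com", "pats": 2, "ssh_keys": 1},
    {"user": "erin", "saml_uid": "erin@example.com", "pats": 0, "ssh_keys": 0},
    {"user": "dave", "saml_uid": None, "pats": 0, "ssh_keys": 1},
]
SCIM_EXTERN_UIDS = ["alice@example.com"]  # identities the IdP provisioned via SCIM


@dataclass
class Finding:
    user: str
    saml_uid: str
    surviving_credentials: int  # PATs + SSH keys that keep working after offboarding


def allow_saml_signin(saml_uid, scim_extern_uids):
    """The requested control: accept a SAML sign-in only if a SCIM identity exists."""
    return saml_uid is not None and saml_uid in set(scim_extern_uids)


def audit_scim_coverage(members, scim_extern_uids):
    """Members with a SAML identity that SCIM cannot de-provision, riskiest first."""
    findings = []
    for m in members:
        if m["saml_uid"] is None:
            continue  # never signed in through SSO, so no SAML identity to check
        if not allow_saml_signin(m["saml_uid"], scim_extern_uids):
            creds = m["pats"] + m["ssh_keys"]
            findings.append(Finding(m["user"], m["saml_uid"], creds))
    # Accounts holding tokens or keys matter most while SSO is not enforced for Git.
    return sorted(findings, key=lambda f: -f.surviving_credentials)


if __name__ == "__main__":
    for f in audit_scim_coverage(MEMBERS, SCIM_EXTERN_UIDS):
        print(f"{f.user}: SAML identity {f.saml_uid} has no SCIM identity, "
              f"{f.surviving_credentials} credential(s) would survive offboarding")
```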