
Direct Transfer - Users/accounts on GitLab.com need to be verified and linked to SAML SSO (if enabled/enforced) before reassignments to Placeholders

Description of issue:

When running a Direct Transfer migration into GitLab.com, Placeholder users are created at the top-level group. These then need to be reassigned to users/accounts on GitLab.com.

If groups have SAML SSO set up, the accounts on GitLab.com need to be verified and linked to the group's SAML SSO before reassignment to their Placeholders. If this is not done, membership validation will fail and membership relations will not be created correctly on GitLab.com.

Currently, owners can choose unverified users, and we don't show anything in the UI when an owner tries to reassign to an unverified user. The current restrictions on the users the group owner can select are user.active? and user.human?, and user.admin? if allowed in the settings.

Refer to the Slack thread here for additional context.

Docs have been updated with the sentence: "If you import to GitLab.com and use SAML SSO for GitLab.com groups, all users must link their SAML identity to their GitLab.com account before you start to reassign contributions and memberships. Otherwise, memberships cannot be validated and relations are not created correctly on GitLab.com."

Proposal

  • During reassignment of Placeholder users to accounts on GitLab.com (in the reassignment panel), the service should check for membership/account validation.
  • If an error is returned, this should be displayed to the group owner doing the reassignment.
  • Reassignment should not proceed.

When an owner tries to reassign to an unverified user, show an info message with:

  • why it failed: the user hasn't verified their account yet
  • the owner should reach out to the user
  • the owner should try again at a later time

"Unable to reassign contributions. @username must verify their account. Try again after verification is complete."

When an owner tries to reassign to an unverified user via the API, show the message to the owner.

When an owner tries to reassign to an unverified user via CSV, show the message to the owner in the list of errors/warnings sent to them after the CSV upload.

The current error response on the backend is below:

Validation failed: The member's email address is not linked to a SAML account or has an inactive SCIM identity. For information on how to resolve this error, see the <a target="_blank" rel="noopener noreferrer" href="/help/user/group/saml_sso/troubleshooting_scim.md">troubleshooting SCIM documentation</a>.

Edited by Magdalena Frankiewicz
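
A sketch of the pre-reassignment check proposed above, covering both the single reassignment and the CSV path. This is an added example, not GitLab's code: the User and Policy structs, the method names and the sample data are all hypothetical, and only the "must verify their account" message comes from the issue.

```ruby
# Added illustration: every name here is hypothetical, not GitLab's code.
User = Struct.new(:username, :active, :human, :admin, :verified, :saml_linked,
                  keyword_init: true)
Policy = Struct.new(:saml_sso_enforced, :admins_allowed, keyword_init: true)

# Returns the reasons a user cannot receive a placeholder's contributions.
# An empty list means the reassignment may proceed.
def reassignment_errors(user, policy)
  name = "@#{user.username}"
  errors = []
  errors << "#{name} is not an active account." unless user.active
  errors << "#{name} is not a human user." unless user.human
  errors << "#{name} is an administrator." if user.admin && !policy.admins_allowed
  unless user.verified
    errors << "Unable to reassign contributions. #{name} must verify their " \
              "account. Try again after verification is complete."
  end
  if policy.saml_sso_enforced && !user.saml_linked
    errors << "#{name} has not linked a SAML identity for this group."
  end
  errors
end

# Bulk path (CSV upload): rows are [placeholder, assignee username] pairs.
# Nothing is reassigned for a row that has any error; errors go to the owner.
def validate_rows(rows, directory, policy)
  report = { ok: [], errors: [] }
  rows.each do |placeholder, username|
    user = directory[username]
    errs = user ? reassignment_errors(user, policy) : ["@#{username} was not found."]
    if errs.empty?
      report[:ok] << [placeholder, username]
    else
      errs.each { |e| report[:errors] << "#{placeholder}: #{e}" }
    end
  end
  report
end

# Constructed sample data: one eligible user, one unverified, one without SAML.
def sample_user(name, overrides = {})
  defaults = { username: name, active: true, human: true, admin: false,
               verified: true, saml_linked: true }
  User.new(**defaults.merge(overrides))
end
POLICY = Policy.new(saml_sso_enforced: true, admins_allowed: false)
DIRECTORY = { "alice" => sample_user("alice"),
              "bob" => sample_user("bob", verified: false),
              "carol" => sample_user("carol", saml_linked: false) }
```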