Implement prototype/PoC for SCIM group sync

Problem

We need to explore and validate different approaches for implementing SCIM group synchronization between identity providers (like Okta) and GitLab self-managed instances. The two main approaches being considered are:

  1. Extending the existing /Users endpoint to handle group memberships through user attributes
  2. Implementing a basic /Groups endpoint to handle group operations directly

Currently, there is no clear path forward as both approaches have technical challenges that need to be validated through prototyping.

Proposal

Create a proof-of-concept implementation that will:

  1. Test extending the /Users endpoint:
     • Add group handling to existing SCIM user provisioning
     • Parse group data from SCIM payloads
     • Manage group memberships through user updates
  2. Implement minimal /Groups endpoint:
     • Basic SCIM group operations
     • Focus on membership sync rather than full group management
     • Handle group mappings between IdP and GitLab
  3. Document findings:
     • Compare both approaches
     • Identify limitations and challenges
     • Recommend path forward for final implementation

The insights from this prototype will guide the full implementation strategy for SCIM group sync.

Edited by Paulo Barros
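
As an added illustration of approach 2 (not part of the original issue and not GitLab's implementation), the Ruby example below reduces a SCIM 2.0 PatchOp body sent to /Groups/{id} to membership changes and rejects operations on any other attribute, which keeps the endpoint limited to membership sync. The function name, error class and sample user ids are hypothetical.

```ruby
require 'json'

PATCH_SCHEMA  = 'urn:ietf:params:scim:api:messages:2.0:PatchOp'
MEMBER_FILTER = /\Amembers\[value eq "([^"]+)"\]\z/

class UnsupportedScimOperation < StandardError; end

# Reduce a SCIM 2.0 PatchOp body for /Groups/{id} to membership changes.
# Operations that touch anything other than `members` are rejected, not ignored.
def membership_changes(body)
  patch = JSON.parse(body)
  unless patch.is_a?(Hash) && Array(patch['schemas']).include?(PATCH_SCHEMA)
    raise UnsupportedScimOperation, 'not a PatchOp message'
  end

  changes = { add: [], remove: [], replace: nil }
  Array(patch['Operations']).each do |op|
    raise UnsupportedScimOperation, 'malformed operation' unless op.is_a?(Hash)
    name = op['op'].to_s.downcase # tolerate capitalised op names
    path = op['path'].to_s
    ids  = Array(op['value']).map { |m| m.is_a?(Hash) ? m['value'].to_s : '' }
    raise UnsupportedScimOperation, 'member without value' if ids.any?(&:empty?)

    if name == 'add' && path == 'members'
      changes[:add].concat(ids)
    elsif name == 'replace' && path == 'members'
      changes[:replace] = ids
    elsif name == 'remove' && path == 'members'
      # Assumption: a value list names the members to drop; with no value the
      # whole attribute is cleared (RFC 7644 section 3.5.2.2).
      ids.empty? ? (changes[:replace] = []) : changes[:remove].concat(ids)
    elsif name == 'remove' && (m = MEMBER_FILTER.match(path))
      changes[:remove] << m[1]
    else
      raise UnsupportedScimOperation, "#{name} #{path}".strip
    end
  end
  changes
end

# Constructed sample request body; the user ids are made up.
SAMPLE_PATCH = <<~'JSON'
  {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
   "Operations": [
     {"op": "Add", "path": "members", "value": [{"value": "u-101"}, {"value": "u-102"}]},
     {"op": "remove", "path": "members[value eq \"u-007\"]"}
   ]}
JSON

p membership_changes(SAMPLE_PATCH) if __FILE__ == $PROGRAM_NAME
```

A `replace` result of `[]` means the IdP asked for every member to be removed, so a caller may want to treat that case with extra care before applying it.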