Investigate open items on group-level SSO: group membership revocation and other questions

Description

Before we can tackle the other items in &95 (closed), we should investigate how we're going to approach these issues. The biggest questions we have revolve around:

  • Revoke group membership if a user is removed from the SAML identity provider

    • How do we approach this?
    • How do we handle passive features that don't require interacting with the web interface (e.g. email notifications, git access)?
    • How do others handle these issues?
  • Force users to reauthenticate after a 24h timeout

    • Where do we set this period?
      • Can we set this based on something we get in the SAML response, or do we need to keep track of it separately?
    • If we keep track of it separately, how do we comprehensively check for it before the user takes an action on GitLab.com?

Links / references

Previous epic (basic SSO for groups): &40 (closed)

Edited Mar 18, 2018 by Jeremy Watson (ex-GitLab)