Persist "Groups" attribute statement from SAML response for debugging/troubleshooting


Proposal

As discussed via this (internal only) ticket, it would be really helpful in a lot of different scenarios to persist the "Groups" attribute statement from SAML responses.

Debugging SAML-related issues is currently difficult, but some of the overhead can be mitigated by simply persisting some of the attribute statements in the SAML response. Since the whole response should never be logged, the scope of this feature request is specifically focused on the "Groups" attribute statement, though depending on the implementation, it may make sense to simply log all consumed values.

The values are meant to be accessible to instance administrators only, but there may be a better solution that can also help users in GitLab.com by making the information available for namespace owners and enterprise user accounts.

For clarity - the current "Identities" section in the administrator view shows valid memberships granted via Group SAML, but doesn't help in cases where groups are missing or mismatched.

These could potentially be logged under custom attributes, audit events, or identities, but making this information available to administrators will improve the overall experience when troubleshooting SAML-related issues.

Edited by 🤖 GitLab Bot 🤖
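
An added sketch of the proposal, not GitLab code: it keeps only the "Groups" attribute values from a SAML response and compares them with a configured list so that missing or mismatched groups become visible. The sample response, the `configured_groups` argument and the record field names are assumptions made for this example, and the response is assumed to have passed signature validation already.

```ruby
require 'rexml/document'
require 'json'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }

# Constructed sample standing in for an already-validated SAML response.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion>
      <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="Groups">
          <saml:AttributeValue>Developers</saml:AttributeValue>
          <saml:AttributeValue> qa-team </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

# Return only the values of the named attribute; nothing else from the
# response (NameID, other attributes, signature) enters the result.
def extract_groups(response_xml, attribute_name = 'Groups')
  doc = REXML::Document.new(response_xml)
  REXML::XPath.match(doc, '//saml:AttributeStatement/saml:Attribute', SAML_NS)
              .select { |attr| attr.attributes['Name'] == attribute_name }
              .flat_map { |attr| REXML::XPath.match(attr, 'saml:AttributeValue', SAML_NS) }
              .map { |value| value.text.to_s.strip }
              .reject(&:empty?)
              .uniq
end

# Build the record to persist: received groups compared with the group
# names configured for membership mapping (hypothetical input).
def groups_debug_record(response_xml, configured_groups)
  received = extract_groups(response_xml)
  unmatched = configured_groups - received
  {
    'received_groups' => received,
    'matched' => configured_groups & received,
    'configured_but_not_received' => unmatched,
    'case_mismatch' => unmatched.select { |g| received.any? { |r| r.casecmp?(g) } }
  }
end

puts JSON.generate(groups_debug_record(SAMPLE_RESPONSE, %w[developers qa-team admins]))
```

The `case_mismatch` field covers the mismatched case: a group the identity provider sends as `Developers` does not match a mapping configured as `developers`.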