Automatically update SCIM group associations when SAML group links are added or removed

Problem

When using SCIM group sync, the SCIM group ID is only associated with SAML group links during the initial POST /Groups request from the IdP. If you add new SAML group links with the same group name after this initial provisioning, those new links don't get the scim_group_uid and won't be affected by SCIM membership updates.

Current workaround

Users need to re-provision the SCIM group in their IdP (delete and recreate the SCIM group provisioning) to re-associate all current SAML group links.

Proposal

Automatically update SCIM group associations when SAML group links are added or removed in GitLab. This would eliminate the need for manual re-provisioning in the IdP.

When a SAML group link is added, check if there are existing group links with the same saml_group_name that have a scim_group_uid, and associate the new link with the same SCIM group ID.

Related

• https://gitlab.com/gitlab-com/request-for-help/-/work_items/3618+ (confidential)
• Group Sync using SCIM for Self-managed (&15990 - closed)