Use email in response during new user flow when forcing use of dedicated credentials with Group SSO

Problem to solve

While we're introducing a new user flow for new users who sign in via SSO to a group with SAML SSO configured, we should also consider the case where a group wishes to restrict the use of outside e-mail addresses.

Since we currently prompt the user for an email address on registration, we should instead use the email address for the new user that we receive in the identity provider's response. Since this is a dedicated user account specific to that enterprise, the user should be unable to change their address away from this address.

Thus, the user's work with that group stays appropriately isolated.

Proposal

  • When a group's settings require dedicated credentials:
    • Remove e-mail address from the registration flow.
    • On creating the new user, set the e-mail address to the e-mail address we receive in the identity provider's response (saml:Attribute Name="mail"?).
    • Check this on every SSO, in case it has changed. If so, update the associated email address for the user and inform them with a banner that this has occurred.

As defined in https://gitlab.com/gitlab-org/gitlab-ee/issues/5332, the user should be unable to change their e-mail address away from this address for notifications.
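The following is an added illustration of the proposal above in Ruby (GitLab's language); it is not GitLab's own code, and the `SamlUser` struct, the `DedicatedCredentialEmailSync` class and the attributes hash layout are hypothetical stand-ins. It assumes the SAML attribute statement has been parsed into a hash of attribute name to value list, with the address under `"mail"` as the issue suggests, and it normalises the address to lower case (an assumption) so that a case-only change from the identity provider does not trigger a spurious banner.

```ruby
# Added example, not GitLab code: enforces the proposed dedicated-credential
# email rules for a SAML-provisioned user.
#
# Assumptions (hypothetical names):
#   - SamlUser is a minimal stand-in for a provisioned account.
#   - `attributes` is a Hash of SAML attribute name => Array of values, with the
#     email under "mail" (the attribute name the issue proposes).

SamlUser = Struct.new(:username, :email, :dedicated_credentials, :pending_banner,
                      keyword_init: true)

class DedicatedCredentialEmailSync
  EMAIL_ATTRIBUTE = "mail".freeze

  class MissingEmailError < StandardError; end

  def initialize(dedicated_credentials:)
    @dedicated_credentials = dedicated_credentials
  end

  # Pull the IdP-asserted email out of the attribute statement. A missing or
  # blank value is an error: with dedicated credentials there is no registration
  # form to fall back on, so provisioning must stop rather than create an
  # account with no address.
  def email_from_response(attributes)
    value = Array(attributes[EMAIL_ATTRIBUTE]).first.to_s.strip
    raise MissingEmailError, "IdP response carries no #{EMAIL_ATTRIBUTE} attribute" if value.empty?

    value.downcase # assumption: addresses are compared case-insensitively
  end

  # First SSO: provision the user. The registration flow never asks for an
  # email when dedicated credentials are required; the address comes from the
  # IdP response instead.
  def provision(username, attributes)
    SamlUser.new(username: username,
                 email: email_from_response(attributes),
                 dedicated_credentials: @dedicated_credentials,
                 pending_banner: nil)
  end

  # Every subsequent SSO: if the asserted email differs from the stored one,
  # update the user and queue a banner so the user learns that it happened.
  # Accounts without dedicated credentials are left untouched.
  def sync(user, attributes)
    return user unless user.dedicated_credentials

    asserted = email_from_response(attributes)
    return user if user.email == asserted

    previous = user.email
    user.email = asserted
    user.pending_banner =
      "Your email address was changed from #{previous} to #{asserted} by your identity provider."
    user
  end

  # User-initiated change from profile settings: refused for dedicated accounts,
  # as the linked issue requires.
  def user_change_allowed?(user)
    !user.dedicated_credentials
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample attribute statements, not captured from a real IdP.
  first_login  = { "mail" => ["JDoe@Example.com"] }
  later_login  = { "mail" => ["j.doe@example.com"] }

  service = DedicatedCredentialEmailSync.new(dedicated_credentials: true)
  user = service.provision("jdoe", first_login)
  puts "provisioned: #{user.email}"
  service.sync(user, later_login)
  puts "after sync:  #{user.email}"
  puts "banner:      #{user.pending_banner}"
  puts "self-service change allowed? #{service.user_change_allowed?(user)}"
end
```

The banner text is stored on the user rather than rendered immediately because the sync runs inside the SSO callback, before any page the user sees; the next page load would display and clear it.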

Links / references

Edited Feb 27, 2019 by Liam McAndrew