JIT provisioning for new users with Group Managed Accounts
Problem to solve
When an enterprise adds a new user to their identity provider, that user may or may not go on to use GitLab. Similarly, when a new user visits the SSO URL of a group configured for SAML SSO, they may not have an existing account.
Especially when a group is enforcing unique credentials, we should support just-in-time provisioning when the user logs in via the identity provider. This would automatically create their user account, associate it with the email address in the response, and redirect them to their group's page, giving them a fast experience with no registration steps.
Further details
See docs for Salesforce and Slack
Proposal
- If the configured group is enforcing unique credentials (enforced group managed accounts):
  - If an existing user for that group with that email address is not found, register a new user immediately:
    - Automatically assign a username and redirect the new user to the group's overview page with a welcome banner.
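The flow proposed above, modeled in memory as an added example (not GitLab's code): the lookup is scoped to the group, and a new account is created only when the group enforces managed accounts. All names (`Group`, `User`, `jit_sign_in`, `assign_username`), the redirect path and the username rule are assumptions, and the email is assumed to come from a SAML response that has already been validated.

```ruby
# Hypothetical in-memory model of the proposed JIT decision; not GitLab code.
Group = Struct.new(:path, :enforce_managed_accounts, :users)
User  = Struct.new(:username, :email)

# Assumed username rule: sanitized email local part, numeric suffix on collision.
def assign_username(email, taken)
  base = email.split("@").first.to_s.downcase.gsub(/[^a-z0-9_.-]/, "_")
  base = "user" if base.empty?
  candidate = base
  n = 0
  candidate = "#{base}#{n += 1}" while taken.include?(candidate)
  candidate
end

# email: address taken from an already-validated SAML response (assumption).
# all_usernames: instance-wide list of usernames already in use.
def jit_sign_in(group, email, all_usernames)
  # JIT provisioning applies only to groups enforcing managed accounts.
  return { action: :regular_flow } unless group.enforce_managed_accounts

  # The lookup is scoped to this group's accounts, not the whole instance.
  existing = group.users.find { |u| u.email.casecmp?(email) }
  return { action: :signed_in, user: existing, redirect: "/#{group.path}" } if existing

  # No account for this group and email: register one with no registration steps.
  user = User.new(assign_username(email, all_usernames), email.downcase)
  group.users << user
  all_usernames << user.username
  { action: :provisioned, user: user, redirect: "/#{group.path}", welcome_banner: true }
end

# Constructed sample data: "asmith" is already taken by an account outside the group.
acme   = Group.new("acme", true, [User.new("jdoe", "jdoe@acme.example")])
names  = ["jdoe", "asmith"]
first  = jit_sign_in(acme, "asmith@acme.example", names) # first login: provisioned
second = jit_sign_in(acme, "ASmith@acme.example", names) # later login: same account
```

Matching the email case-insensitively keeps a repeat login with different capitalization from creating a second account for the same person.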
Links / references
Edited by Cynthia "Arty" Ng