
Return correct error when Group SAML JIT provisioning fails

Drew Blessing requested to merge dblessing_group_saml_jit_error_message into master

What does this MR do and why?

Related to #396696 (closed)

Return correct error when Group SAML JIT provisioning fails

When Group SAML JIT provisioning fails due to missing email address, return a proper error message rather than incorrectly saying an account already exists.

GroupSAML::User currently returns nil rather than returning a user object with errors. We then treated any nil return value as evidence that a conflicting user already exists. But there can be any number of reasons a user is invalid, including that the provider didn't send an email address. Instead of circumventing the return value, return the user object so we can show the user reasonable error messages.

Of note, this change also directs the user back to the Group SAML sign-in page for all errors other than for when a matching user already exists. This is to allow a user to link their existing account by signing in using Standard or global OmniAuth providers. Otherwise, it doesn't make sense to direct the user to the root sign-in page and we should instead send them back to the Group SAML page where they came from.

This change includes a feature flag since this change is in an area that could affect GitLab.com customer sign-in. We can turn off the feature flag anytime to revert to old behavior.

Screenshots or screen recordings


Note: The "before" error message still appears, but only if the user is actually already taken, vs. current behavior where it is also shown when an email address is missing.

Before: Screenshot_2023-07-26_at_2.19.49_PM
After: Screenshot_2023-07-26_at_2.22.19_PM

How to set up and validate locally


MR acceptance checklist


Edited by Drew Blessing
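The control flow the description above refers to, as an added example in plain Ruby that is not GitLab's code: a provisioning step that collapses every failure to nil (the "before" behaviour) beside one that hands back the user object with its errors (the "after" behaviour), plus a controller-side mapping from that result to an error message and a redirect target, switchable by a flag the way the MR's feature flag is. The class, method and route names, the error strings and the in-memory "existing users" set are all assumptions constructed for the example.

```ruby
require 'set'

# Hypothetical stand-in for the user model; carries validation errors like an
# ActiveRecord object would, without needing a database.
class ProvisionedUser
  attr_reader :email, :errors

  def initialize(email:, errors: [])
    @email = email
    @errors = errors
  end

  def valid?
    errors.empty?
  end
end

# Constructed in-memory store of emails that already belong to an account.
EXISTING_EMAILS = Set.new(['taken@example.com']).freeze

# Builds the user from an OmniAuth-style auth hash and records why it is
# invalid: no email from the provider, or an email that is already taken.
def build_user(auth_hash)
  email = auth_hash.dig(:info, :email)
  errors = []
  errors << "Email can't be blank" if email.nil? || email.empty?
  errors << 'Email has already been taken' if email && EXISTING_EMAILS.include?(email)
  ProvisionedUser.new(email: email, errors: errors)
end

# Before: every failure becomes nil, so the caller cannot tell a missing
# email apart from a conflicting account.
def provision_before(auth_hash)
  user = build_user(auth_hash)
  user.valid? ? user : nil
end

# After: always return the user object so its errors can be shown.
def provision_after(auth_hash)
  build_user(auth_hash)
end

# Before-style controller: nil is read as "account already exists" and the
# user is sent to the root sign-in page regardless of the real cause.
def handle_before(auth_hash)
  user = provision_before(auth_hash)
  return { ok: true } if user

  { ok: false, message: 'an account already exists', redirect: '/users/sign_in' }
end

# After-style controller: show the actual errors; only a genuine conflict goes
# to the root sign-in page (so the user can link an existing account), every
# other failure returns to the Group SAML sign-in page it came from.
def handle_after(auth_hash, group_path:)
  user = provision_after(auth_hash)
  return { ok: true } if user.valid?

  taken = user.errors.any? { |e| e.include?('already been taken') }
  redirect = taken ? '/users/sign_in' : "/groups/#{group_path}/-/saml/sso"
  { ok: false, message: user.errors.join(', '), redirect: redirect }
end

# Flag-gated dispatcher modelling the MR's feature flag: off reverts to the
# old behaviour.
def handle(auth_hash, group_path:, flag_enabled: true)
  flag_enabled ? handle_after(auth_hash, group_path: group_path) : handle_before(auth_hash)
end
```

With the flag off, a SAML response carrying no email still produces the misleading "account already exists" message; with it on, the same response yields "Email can't be blank" and a redirect back to the group's SAML page, while a genuinely taken email keeps the root sign-in redirect.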
