Allow SCIM to create an identity for an existing user

Drew Blessing requested to merge dblessing-scim-create-regression into master

What does this MR do?

Fixes #212721 (closed)

This change accomplishes two things:

  • Closes a gap compared to the prior "combined SAML + SCIM identities" feature whereby SCIM could associate with an existing SAML user/member. With the new SCIM identity this couldn't happen because the SCIM user create process wasn't looking for existing users or existing SAML identities.
  • Allows SCIM to automatically associate with any GitLab.com user by email address, only when :scim_identities feature is enabled. We can't do this for security purposes when SAML and SCIM identities are combined, because that would lead to account takeover. Now that SCIM is separate and cannot be used as a login mechanism, we're more free to automatically make those associations.

The second was actually a side-effect of making the implementation simpler. If we had tried to only accomplish the first, we would have had to do more lookups and matching with SAML identities. The actual implementation here is irrespective of the SAML identities.

The process now looks like:

  1. If a user, identity, and member already exist, return with success.
  2. If a user and member exist, add an identity.
  3. If a user exists but neither member nor identity, create member and identity.
  4. Finally, if none of the above, create a user, identity and member.

The various methods for identity, member and user were made dynamic so they either find an existing object or return a new/built one depending on appropriate conditions.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
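The four-step flow described in this MR, as an added illustration that is not GitLab's code: an in-memory model in which the lookup methods either find an existing object or build a new one, with the `:scim_identities` flag deciding whether an existing account may be matched by email. The `User`/`Identity`/`Member` structs, the `ScimProvisioner` class, the `add_user` seeding helper and the `:conflict` outcome for the flag-disabled path are all assumptions made for this example, not GitLab models or behaviour.

```ruby
# Added example (not GitLab's code): an in-memory model of the four-step
# SCIM provisioning flow described in the MR. All classes and data here are
# constructed stand-ins, not GitLab models.

User     = Struct.new(:id, :email)
Identity = Struct.new(:user_id, :provider, :extern_uid, :group)
Member   = Struct.new(:user_id, :group)

class ScimProvisioner
  attr_reader :users, :identities, :members

  def initialize(scim_identities_enabled:)
    @scim_identities_enabled = scim_identities_enabled
    @users = []
    @identities = []
    @members = []
    @next_id = 1
  end

  # Seeding helper (assumed) so pre-existing state can be set up for a run.
  def add_user(email, group: nil, saml_uid: nil, member: false)
    user = User.new(@next_id, email)
    @next_id += 1
    @users << user
    @identities << Identity.new(user.id, :group_saml, saml_uid, group) if saml_uid
    @members << Member.new(user.id, group) if member
    user
  end

  # Provision the SCIM user for +group+ and report which step applied.
  def provision(extern_uid:, email:, group:)
    user = find_user(email, group)
    return { action: :conflict, user: nil } if user == :conflict

    # Step 4: nothing exists, so create user, identity and member together.
    if user.nil?
      user = add_user(email)
      @identities << Identity.new(user.id, :group_scim, extern_uid, group)
      @members << Member.new(user.id, group)
      return { action: :user_created, user: user }
    end

    identity = find_or_build_identity(user, extern_uid, group)
    member   = find_or_build_member(user, group)
    had_identity = @identities.include?(identity)
    had_member   = @members.include?(member)

    @identities << identity unless had_identity
    @members << member unless had_member

    action =
      if had_identity && had_member then :already_provisioned        # step 1
      elsif had_member              then :identity_added             # step 2
      else                               :member_and_identity_added  # step 3
      end
    { action: action, user: user }
  end

  private

  # With separate SCIM identities (flag enabled) any existing account may be
  # matched by email. With combined SAML+SCIM identities only a user who
  # already holds a SAML identity for this group is matched; anyone else is
  # reported as a conflict (assumed handling) rather than silently linked,
  # because a SCIM link would then also be a login path.
  def find_user(email, group)
    user = @users.find { |u| u.email == email }
    return nil if user.nil?
    return user if @scim_identities_enabled

    saml = @identities.any? do |i|
      i.user_id == user.id && i.provider == :group_saml && i.group == group
    end
    saml ? user : :conflict
  end

  # Find the SCIM identity for this user/group or build a new one.
  def find_or_build_identity(user, extern_uid, group)
    @identities.find { |i| i.user_id == user.id && i.provider == :group_scim && i.group == group } ||
      Identity.new(user.id, :group_scim, extern_uid, group)
  end

  # Find the membership for this user/group or build a new one.
  def find_or_build_member(user, group)
    @members.find { |m| m.user_id == user.id && m.group == group } ||
      Member.new(user.id, group)
  end
end
```

Running `provision` twice with the same `extern_uid` and email hits step 4 and then step 1; seeding a user with a membership but no SCIM identity hits step 2, and seeding a bare user hits step 3. With the flag disabled, an email that matches an account without a SAML identity for the group is not auto-associated.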