Expose SAML state via Members API
Problem to solve
Group owners can see in the UI whether a user has SAML linked, but not via the API.
Currently, group owners can only check this visually, which is very error-prone. Exposing it via the API would let group owners pull a list of all unconnected users.
Intended users
Group owners
Further details
Take gitlab-silver members as an example; you can see the following via the UI:
Based on the SAML badge, any group owner knows that this user has their SAML account linked. However, the API does not provide any information on the state of SAML via the Members API.
API result via Members API for the same group and user:
{
  "id": 4366784,
  "name": "Test And-Last",
  "username": "test-with-first-and-last-name",
  "state": "active",
  "avatar_url": "https://secure.gravatar.com/avatar/22c29ea9681c0d04f153a8141c35da03?s=80&d=identicon",
  "web_url": "https://gitlab.com/test-with-first-and-last-name",
  "access_level": 10,
  "expires_at": null
}
Proposal
Provide a SAML connected state, such as "SAML_provided": true (or false).
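How a group owner could build the "unconnected users" report once such a field exists, as an added example that is not part of the original issue or GitLab's code. The member objects are constructed sample data, and `SAML_provided` is the field name proposed here, not a field in the current Members API response; the helper names are hypothetical.

```python
import json

# Constructed sample: Members API objects extended with the proposed field.
# "SAML_provided" is the proposal's name and is an assumption, not a real field.
SAMPLE_MEMBERS = json.loads("""
[
  {"id": 101, "username": "owner-linked", "state": "active", "access_level": 50, "SAML_provided": true},
  {"id": 102, "username": "dev-unlinked", "state": "active", "access_level": 30, "SAML_provided": false},
  {"id": 103, "username": "owner-unlinked", "state": "active", "access_level": 50, "SAML_provided": false},
  {"id": 104, "username": "guest-no-field", "state": "active", "access_level": 10},
  {"id": 105, "username": "blocked-unlinked", "state": "blocked", "access_level": 30, "SAML_provided": false}
]
""")


def saml_audit(members, field="SAML_provided"):
    """Split members into linked / unlinked / unknown by the proposed field.

    A missing or non-boolean value lands in "unknown" instead of being
    guessed, so a response that lacks the field cannot be misread as
    "everyone is linked" or "everyone is unlinked".
    """
    report = {"linked": [], "unlinked": [], "unknown": []}
    for member in members:
        value = member.get(field)
        if value is True:
            report["linked"].append(member)
        elif value is False:
            report["unlinked"].append(member)
        else:
            report["unknown"].append(member)
    # Highest access level first: an unlinked owner matters more than a guest.
    for bucket in report.values():
        bucket.sort(key=lambda m: (-m["access_level"], m["username"]))
    return report


def unlinked_active(members):
    """Usernames of active members with no SAML identity linked."""
    unlinked = saml_audit(members)["unlinked"]
    return [m["username"] for m in unlinked if m.get("state") == "active"]


if __name__ == "__main__":
    for name in unlinked_active(SAMPLE_MEMBERS):
        print(name)
```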
Permissions and Security
Since this is already exposed to owners via the UI, this should pose no extra risk.
Documentation
Propose:
- edit example API response in Members API page to include SAML info output: https://docs.gitlab.com/ee/api/members.html
- add note in Groups SAML doc on seeing state via UI and API: https://docs.gitlab.com/ee/user/group/saml_sso/
What does success look like, and how can we measure that?
Group owners can self-serve to get an accurate report instead of asking support.