Description
In this session, we pair up on keeping SAML identity when deprovisioning via SCIM
https://gitlab.com/gitlab-org/gitlab/-/issues/379149
A: Nice, okay, so we're just talking about this, trying to understand the lay of the land here for this issue. So we have SCIM and we have SAML. SCIM is used to create and remove users, so SCIM will deprovision a user. So say we say: okay, this person is no longer at our company or in our department. We want them removed from GitLab. We remove them from this system over here, this SCIM system, and then we have SCIM set up with GitLab, and so that syncs over to GitLab and removes the user from GitLab.

A: But it looks like what it really... it doesn't remove their SCIM identity. It sets it to active false and then it deletes their SAML identity. They are different, different systems, so the problem with that is that if the user is reprovisioned with SCIM, so say we have a boomerang. The person comes back to the company or something, then they're reprovisioned, but there's no SAML identity. I don't know why that would be. But that is what this issue is claiming.

A: So, but you don't have to have a password. Okay, so this is saying: let's just leave the SAML identity alone. Whatever thing is deleting a SAML identity, let's just leave it alone when they're deprovisioned via SCIM.

A: So we just have to find where this deletion is happening and stop doing it, and then update any related tests. Seems doable. Yeah, so I'm going to create a branch over here. Is my... how's my size, thicker, smaller?

D: I was really like, when we get people that are community contributors or my team, we don't get them often enough and they want more. Thank you.

A: This is the D... SCIM deprovisioning service. This is the group SCIM deprovision. You could even have instance SCIM or group SCIM.

A: That is different from the... from what the issue said, but also maybe the issue wasn't 100% accurate.

A: So maybe we should just open this file. This is good. We can... let's just open this file and see what it's telling us.

A: Okay, I'm just reopening... back end pairs, back end there. There we go, sweet. So that's the MR, and then the issue is here. It's possible, and this happens a lot I find, right, where there's an issue somebody wrote and, like...

A: If you take it too literally, sometimes you don't end up making the correct change. But because we remove the SAML identity and we set SCIM identity active false... so we still want that, right? We still want the SCIM identity to be active false. What we want is the SAML identity to not be deleted.

C: They covered... what they weren't able to test the SCIM API because it wasn't working locally, so they made the change without testing anything, and then they were able to set up something and I don't know where they are at now.

A: Yeah, and I believe, if you look at our docs on SCIM, they mention Azure, Okta and OneLogin. If anyone ever needs to set up SCIM, I recommend Okta; it's so much easier than Azure. I have set up Azure, but it's really a long time.

A: Okta is a lot more user-friendly just for, like, the average developer use case. So maybe they were... it seems like they were maybe trying some other approach.

A: The SCIM, maybe, yeah, I'm using it here, which would make sense that maybe, because they weren't able to test it, it would be a little bit confused about how these two systems are working together.

A: But SAML... SAML is like... like SCIM is push-based, right? So SCIM users get deprovisioned... provisioned and deprovisioned by this other system, and SAML is more like when I want to log into GitLab, my account will be provisioned via this SAML provider over here, but it's not like a directory sync.

D: Yeah, I mean, I've had okay luck with giving, like, "Hey, here, I see you're running into issues."

C: "I have an MR and it passed the CI. It's ready to be reviewed. The only problem is that I can't make the SCIM working with SAML."

C: Because they're not updating the SCIM activity... active, inactive status.

A: Add that, you mean, like, as a comment? Or... yeah, I think so. Okay, but they're usually able to point the person to where they should look. Yeah.

D: Yeah, I feel like we can do some, like, digging in the code and kind of be like, "Here's where I would start," and maybe give them some links.

A: Yeah, okay, I like that idea, yeah. It's always a tricky balance, like, when we're reviewing code. I guess, like, if it was an internal person, I'd be more lo-fi, to be like, "I don't think this is right, like, you should just revisit this." But since they're a community contributor, you know, I want to be a little bit more helpful and, like, pointing them, because they are doing us a favor. Their...

A: Or the base deprovisioning service does something? No, it doesn't. And after... or maybe system block or something.

A: I bet that the Devise...

A: This is always the fun part of anything, right? Trying to figure out where it is gonna happen, trying to think of strategies for figuring this out. I think it would take too long for me to set up SCIM and SAML locally, because I don't have those set up right now, in order just to manually test it, but that is something I like to do sometimes. What...

A: That I don't know, I'm guessing. Let's see, I also have to look this up. How do you, in Ruby, where do you find where a method is defined? There's... if I look on Stack Overflow, it's something I've looked...

D: But that would have been... yeah. That's why I wouldn't have been able to find it with "def system block". It wouldn't come up.

D: I don't know, I see it in the SAML code in this method.

D: I don't know anything about what this code does, the overrode find user, where my views.

A: So it's not that it's deleted! It's that it's not reactivated, and...

D: Oh, it's a... identity is the same thing. Wait, it... it's a method in there.

C: Oh, I don't think when you do that... I think you go... you use the reprovisioning service, so I wonder why they try to search for an existing SCIM identity in here.

A: And we can look at where the reprovisioning service is called.

A: Where are you? Here we go. So POST request, right. I don't know, like, I don't know exactly how these things are wired up, but my guess would be that some... some SCIM services are not smart enough to know to call the reprovision endpoint. They call the provision endpoint, whether it's a new user or a reprovision.

D: Well, if we look at this provisioning service and see if there are tests... if we write a test that says, like, I don't know, the provision service with an existing something, and if it's... I don't know how to, like, verbalize this, like, pick it out. Instead, it's inactive, whatever I said, it's active false, so run this thing and see what it does.

A: Create SCIM... I did, I was gonna see if SAML is referenced in here. There's no reference to SAML here, but memory provisioning service test, but...

C: It... it... there's not even a SAML identity.

C: It, yeah, because I did try to look for some SAML identity model or something, something like that, but I couldn't find it. I only could find a SAML provider.

A: I think it's Identity, at least according to this. What, line 142 here? This is saying this is the SAML identity, so I think it's the Identity model.

A: It's theoretically something that I should know about, but I don't, so I'm intrigued by the fact that this test exists, because I'm like, if so... provisioning, SCIM provisioning, does not create a SAML identity. So what does... there's no reference to SAML identities in the reprovisioning service, and then I guess we haven't looked at the deprovisioning service specs, but I... don't... yeah! There's no reference to SAML in here either.

C: No identity and actual user, because... creates a user, because the SCIM provisioning service creates the SCIM identity and a user, if the user doesn't already exist.

A: Is this... is the identity passed in from the base provisioning service? This is the wrong... this is a great one, so identity... oh wait! Where is identity coming from here again? There's a method, isn't there? This is a schema.

D: Okay, I think maybe it might be the class's group SAML identity... hold on.

A: So group examples.

A: It will... and I don't know where it's being modified as it relates to SCIM, right? Like, so if something happens with SCIM, or those happen with SAML, do we do something to the SCIM identity? And I do think this is a good reminder that we heavily use callbacks in GitLab's codebase, which really creates...

D: Yeah, the only thing I can think of... so identity.update. The identity we've found is delegating.

A: Maybe that's... maybe that's fine. Maybe these are just hosted. I was like, are we looking at the wrong endpoints? That's what I was thinking, but I think we're looking at the right thing. Before, yeah, this is V2 API again.

A: Although, I... the tests for the provision were saying that it didn't create a SAML identity. Oh, but I guess that was for an existing user, wasn't it?

A: Okay, okay, how do you want to go about finding that, like? Do you want to just look at the code here? Do you want to run a test?

A: This... this line that Marco's previous thoughts kind of led us to is interesting. So group SAML identity is... we're not... SAML provider. I... do you know?

A: Yeah, but it's the EE user, let's just look at regular user.

A: Are we... we're using OmniAuth SAML, Ruby SAML, like, I wonder if this code is happening in a library or something.

C: Oh yeah, I just... I'm just using a code lens, I'm trying to get to the MR.

A: Very suspicious. So where is this called? I don't know. Find and update.

A: I'm, like... it's like, I like it. This is the kind of thing where, if I was looking at it alone, I'd be like, "Oh, why did I pick up this one, player?" I...

D: Oh no, I don't even know where to find anything, so maybe the people that have contributed before, they're probably in a better state and they feel more like I do now, but even so, like, all of us are kind of, yeah, we're still having a little bit of problems, like, fighting for...

A: That's... I'm over here looking at it, and also there's ee/app/services.

A: That is a good pairing. Okay, so I think the action item is to get a permalink to this line and ping the community contributor and let them know that, like, it's SAML, this is what needs to change, not the SCIM identity piece. And I'll let them know that it took three experienced GitLab developers an hour to find my phone, so they don't feel bad.

D: I'm glad we found it. So, cool, I know we're at the end of time, I'm gonna stop the recording.