►
Description
In this session, we pair up on keeping SAML identity when deprovisioning via SCIM
https://gitlab.com/gitlab-org/gitlab/-/issues/379149
A
Nice,
okay,
so
we're
just
talking
about
this
trying
to
understand
the
lay
of
the
land
here
for
this
issue.
So
we
have
skim
and
we
have
saml.
Skim
is
used
to
create
and
remove
users
so
skim
with
de-provision,
a
user.
So
say
we
say:
okay,
this
person
is
no
longer
at
our
company
or
in
our
department.
We
want
them
removed
from
git
lab.
We
remove
them
from
this
system
over
here
this
skim
system,
and
then
we
have
skin
set
up
with
Git
lab
and
so
that
syncs
over
to
gitlab
and
removes
the
user
from
gitlab.
A
But
it
looks
like
what
it
really
it
doesn't
remove
their
skim
identity.
It
sets
it
to
active
false
and
then
it
deletes
their
saml.
Identity
are
different,
different
systems,
so
the
problem
with
that
is
that
if
the
user
is
reprovisioned
with
skim
so
say
we
have
a
boomerang.
The
person
comes
back
to
the
company
or
something
then
they're
reprovisioned,
but
there's
no
saml
identity.
I,
don't
know
why
that
would
be.
But
that
is
what
this
issue
is
claiming.
C
B
A
A
A
B
A
D
B
A
A
A
A
A
A
B
A
A
A
A
A
A
B
C
B
A
A
A
A
Yeah,
okay,
I,
like
that
idea,
yeah.
It's
always
a
tricky
balance
like
when
we're
viewing
code.
I
guess
like
if
it
was
an
internal
person,
I'd
be
more
Lo-Fi
to
be
like
I.
Don't
think
this
is
right,
like
you
should
just
revisit
this,
but
since
they're
a
community
contributor,
you
know
I
want
to
be
a
little
bit
more
helpful
and
like
pointing
them
because
they
are
doing
us
a
favor.
Their.
A
A
This
is
always
the
fun
part
of
anything
right
trying
to
figure
out
where
it
is
gonna
happen,
trying
to
think
of
strategies
for
figuring
this
out.
I
think
it
would
take
too
long
for
me
to
set
up
skim
and
Samuel
locally,
because
I
don't
have
those
set
up
right
now
in
order
just
to
manually
test
it,
but
that
is
something
I
like
to
do.
Sometimes
what.
A
A
B
A
D
B
B
A
B
A
D
C
A
A
B
C
C
A
Where
are
you
here?
We
go
so
post
request,
right,
I,
don't
know
like
I,
don't
know
exactly
how
these
things
are
wired
up,
but
my
guess
would
be
that
some
some
skim
services
are
not
smart
enough
to
know
to
call
the
reprovision
endpoint.
They
call
the
provision
endpoint,
whether
it's
a
new
user
or
a
reprovision.
D
D
Well,
if
we
look
at
this
provisioning
service
and
see
if
there
are
tests,
if
we
write
a
test
that
says
like
I,
don't
know
the
provision
service
within
existing
something
and
if
it's
I,
don't
know
how
to
like
verbalize
this
like
pick
it
out.
Instead,
it's
inactive
whatever
I
said
it's
active
ball,
so
run
this
thing
and
see
what
it
does.
D
A
A
A
B
A
C
A
A
B
B
B
A
It's
theoretically
something
that
I
should
know
about,
but
I,
don't
so
I'm
intrigued
by
the
fact
that
this
test
exists
because
I'm
like
if
so
provisioning
skin
provisioning,
does
not
create
a
saml
identity.
So
what
does
there's
no
reference
to
saml
identities
in
the
reprovisioning
service
and
then
I
guess
we
haven't
looked
at
the
D
provisioning
service
specs,
but
I.
Don't
yeah!
There's
no
reference
to
family
in
here
either.
C
B
A
B
B
B
D
B
D
A
A
It
will
and
I
don't
know
where
it's
being
modified
as
it
relates
to
scam
right
like
so.
If
something
happens
with
skin
are
those
happens
with
Samuel?
Do
we
do
something
to
the
skin,
identity
and
I?
Do
think
this
is
a
good
reminder
that
we
heavily
use
callbacks
and
get
Labs
gone
face,
which
really
creates.
D
A
A
A
A
B
D
A
C
B
A
C
A
B
C
D
D
A
A
B
B
B
B
C
B
B
D
A
B
B
D
A
D
B
D
D
A
C
A
D
A
That
is
a
good
pairing.
Okay,
so
I
think
the
action
element
is
to
get
a
permalink
to
this
line
and
ping
the
community
contributor-
and
let
them
know
that,
like
it's
saml,
this
is
what
needs
to
change,
not
the
skim,
identity,
piece
and
I'll.
Let
them
know
that
it
took
three
experience:
Gate
lab
developers
an
hour
to
find
my
phone,
so
they
don't
feel
bad.