►
From YouTube: SCIM Deep Dive (Support) 2020-12-07
Description
Taking a closer look at the SCIM feature for GitLab.com with focus on how to troubleshoot Support tickets. Presented and facilitated by Cynthia "Arty" Ng, Senior Support Engineer
Ref: https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/2885
A
Hi
everyone:
this
is
the
skim
deep
dive.
I
am
cynthia
ing,
also
known
as
argitran
senior
support
engineer
in
the
americas,
and
today
is
december.
The
7th
2020,
if
you're,
an
amer
or
december,
the
8th,
if
you're
in
apac,
welcome
to
the
past
for
those
who
are
back,
I
wanted
to
just
very
quickly
note
the
current
version
of
git
lab,
which
is
at
the
bottom
of
the
slide,
which
is
13
7
pre.
A
This
is
a
version
of
gitlab.com
which
is
for
skim
the
most
important
part,
because
it's
only
in
dot
com
right
now,
I
will
get
to
that
in
just
a
second.
So
what
I'd
like
to
do
today
is
cover
like
obviously,
what
is
scale?
What
are
we
talking
about
a
bit
about
how
it
works?
It's
gonna
be
a
fairly
simplified
version
of
that
and
I
I've
included
a
diagram
slightly
more
complex,
but
we
probably
won't
get
too
into
weeds
to
it.
We're
going
to
also
talk
a
bit
about
like
okay.
A
A
A
A
As
well
a
little
bit,
what
we
currently
support
in
terms
of
what
it
does
is
creation
of
new
users
that
don't
already
exist
in
gitlab
when
they're
added,
when
the
user
is
added
to
the
skim,
app,
the
skim,
identity,
creation
of
existing
git
lab
users
and
then
a
removal
of
users
from
a
group
when
they're
removed
from
the
scan
map.
So
you
remove
a
user
from
the
skim
app
and
then
the
user
should
be
automatically
removed
from
the
group,
the
next
time,
the
app
syncs.
A
A
Self-Managed,
so
here's
a
very
kind
of
simplified
version
of
how
it
works.
So
you
see
that
if
a
user
is
created,
there's
a
get
call
and
then
there's
a
check
whether
the
user
is
present.
This
happens
in
gitlab
right,
and
so,
if
yes,
there
can
be
a
put
or
patch.
This
is
kind
of
weird
in
the
way
it's
implemented
in
gitlab,
actually
because
it
only
applies
to
azure.
A
A
But
if
you
check
our
docs,
that
is
actually
what
it
says
and
then,
if
the
user
doesn't
exist,
then
it
will
create
it
using
a
post
call.
So
this
is
kind
of
a
very
simplified
version
I've.
This
is.
This
is
mostly
important
to
kind
of
know
when
we
get
to
talking
about
what
to
search
for
in
the
longs,
because
in
the
longs
you'll
want
to
know
looking
at
the
api
logs
like
okay,
what
would
it
get
be
doing?
What
would
a
post
be
doing?
What
would
a
patch
be
doing
so?
A
But
again
I
don't.
This
is
oh,
yes
and
then
there's
the
the
one
that
the
one
thing
that
the
simplified
version
in
the
previous
slide
didn't
include
as
the
delete.
So
all
the
way
at
the
bottom
here
number
six
on
this
one.
It
tells
you
about
the
delete,
so
the
delete
is
to
remove
the
user
from
the
group.
A
A
So
what's
the
difference
between
sample
and
skim,
this
is
kind
of
where
I
wanted
to
focus
actually,
because
it
can
be
really
confusing
for
a
lot
of
people,
especially
since
okay.
Well,
a
lot
of
people
are
familiar
with
saml,
but
how
is
that
different
from
skim?
And
what
does
it
do?
What
does
what
does
it
not
do
in
relation
to
skin
so,
especially
in
com
on
gitlab.com,
and
the
way
that
it's
implemented
for
groups
right
now
is
that
saml
is
used
purely
for
authentication.
It's
not
used
for
member
management.
That
is
what
skim
is
for.
A
So
when
someone
signs
in
using
and
say
like
especially
if
you
know
sso
sign
in
is
enforced,
so
the
gitlab
user
visits
their
gitlab.com
group,
if
they're
not
already
signed
in
it,
will
redirect
them
to
their
identity
provider
so
say
octa
for
example,
and
then,
when
they
sign
in
to
opta,
you
know,
octa
will
say
hey.
This
is
the
user's
id
gitlab
will
say:
hey
that
matches
or
not
that
uses
saddle
that
uses
the
saml
identity.
A
So
this
is
what
I
mean
by
it
checks
the
name
id
against
the
gitlab
silo
identity,
which
we
in
the
api
we
call
extern
uid
and
the
git
lab
users.
Api
you'll
see
that
the
user's
identity's
extra
new
id
on
sign
in
so
when
they're
signing
in
octa
or
whatever
identity
provider
is
sending
the
name
id
that
is
matched
against
a
gitlab,
extern
uid
and
if
it
matches
gitlab,
says,
go
ahead
and
we
identify
you
as
this
gitlab.com
user.
A
These
identities
are
created
when
the
user
is
initially
linked
to
the
group,
so
the
first
time
that
the
user
signs
into
the
group,
that's
when
the
saml
identity
is
created,
the
sample
identity
is
deleted
when
the
user
is
removed
from
the
group.
Now
that
might
be
through
skim
and
through
auto
memory
management,
but
it
might
also
be
manually.
So
if
someone
like
an
owner
removes
the
user
manually
from
the
group
and
that
user
is
removed
from
the
group
altogether
right,
then
the
samo
identity
gets
deleted
with
it.
A
It
doesn't
matter
how
that
user
is
removed
from
the
group.
Their
xaml
identity
will
be
deleted.
This
also
at
the
moment
cannot
be
edited
by
owners.
It
can
be
edited
by
admins,
so
that
means
gitlab
support.
Team
members
do
have
access
to
edit
and
identity,
but
currently
it's
not
editable
by
owners
in
any
manner.
A
A
A
A
Group
owners
have
access
to
this
a
skim.
They
can
generate
a
skim
token
in
their
in
their
settings
page
and
that's
what
they
would
use
as
the
authentication
token
for
the
skin
api,
so
they
can
edit
them
now.
The
docs
does
say
at
the
top
of
the
page
that
it's
not
meant
for
users
to
use
themselves.
It's
meant
as
kind
of
almost
like
an
internal
api
for
the
system
to
use,
but
it
can
be
done
if,
like
absolutely
required,
we
just
don't
recommend
it.
B
A
Or
deleted
yes,
actually,
so,
first
of
all
to
clarify
the
reason
why
it's
done
that
way
is
because
of
the
spec,
so
the
developers
are
following
the
the
skim
specification
in
the
way
that
they've
implemented
this.
So
I
want
to
clarify
that
it's
not
a
weird
thing
that
gitlab
is
doing
and
the
way
we've
implemented
it.
A
This
is
following
the
specifications
kind
of
the
difference,
and-
and
we
can
talk
about
this
a
little
bit
more
when
we
get
to
troubleshooting
is
what
happens
if
the
identity
that
is
being
sent
like
the
extra
new
id
or
the
name
id
is
different
from
what
git
lab
has
right.
So
if
you
say
okay,
my
user
has
this
name
id
in
skim
and
then
gitlab
says
wait.
A
But
this
user
has
a
different
name
id
then
there's
a
conflict
and
then,
even
if
the
even
if
octa
says,
oh,
I
need
or
actually
sorry,
let's
use
the
zor
in
this
case
because
octa
doesn't
have
the
doesn't,
have
the
same
update
function.
But
if
azure
says
okay,
I
need
to
update
this
user
right.
Then,
if
the
name
id
or
the
external
id
doesn't
match,
then
gitlab
will
say
well,
your
name
id
doesn't
match.
I'm
not
going
to
do
anything
with
this
information.
A
A
And
then
they
get
re-added
in
one
way
or
another,
so
yeah
I
don't
know
I
mean
I
don't
I
don't
know
which
way
is
really
better,
but
I
I
will
say
I've
been
told
at
least
that
this
is
implemented
this
way,
because
that's
what
the
spec
tells
you
to
do,
I
I
I
the
one
anything.
Actually
I
wanted
to
touch
on
that.
A
I
kind
of
skipped
a
little
bit
is
the
badging
so
in
point
two
for
each
one
and
kind
of
point
out
that
when
someone
is
connected
with
saml
and
has
a
samo
identity,
there's
badging
in
the
members
ui,
so
in
the
list
of
members,
if
you
look
at,
you
know
who's
a
member
of
your
group.
If
someone
has
a
sample
identity
for
your
group,
it'll
have
a
sample
batch
next
to
it
right
that
user
will
just
it'll
just
say
next
to
that
user.
Much
like
a
2fa.
A
A
All
right,
so
when
it
comes
to
configuring
skim,
I'm
gonna
say
it's:
it's
not
exactly
simple.
It's
it's
straightforward!
If
you
follow
the
docs
exactly
the
the
problem
comes
when
people
don't
necessarily
follow
the
docs
exactly
or
they
don't
read
the
docs
or
the
docs
they're
a
little.
The
instructions
are
quite
different
depending
on
the
provider,
so
you
have
to
make
sure
you're
actually
looking
at
the
right
one
as
well,
and
some
people
sometimes
look
at
one
and
then
not
the
other.
So
there's
two
pages
right.
A
So
you
you,
you
kind
of
have
to
go
through
both
the
way
that
our
docs
lay
it
out.
Otherwise,
things
can
kind
of
go
wrong
and
that's
where
the
second
point
comes
in
right.
So
skim
requires
the
saml
app
to
be
configured
with
the
same
name
id
or
extern
uid
or
in
some
cases
we
call
it
the
user
identity,
and
that
is
because
we
use
these
ids
in
order
to
match
people
against
their
identity,
and
this
can
in
actually
both
azor
and
opta.
A
Because
again,
there
are
specific
instructions
for
each
provider
in
azure,
there's
a
minor
amount
of
flexibility,
because
everything
is
configured
manually,
but
because
everything
is
configured
manually,
it's
also
prone
to
errors
in
octa.
What's
confusing
is
that
currently,
the
skim
app
is
separate
from
the
saml
app
and
there
are
a
couple
of
things
that
you
can
configure
in
the
sample
depending
on
what
you
want.
But
if
you
don't
configure
it
exactly
like
how
we've
written
it
in
the
docs,
the
schemat
won't
work.
A
A
A
In
so
most
importantly,
troubleshooting-
this,
I
admit,
is
I
don't
know
if
there's
a
better
way
to
do
this
in
our
docs,
but
I
will
say
that
a
lot
of
our
error
messages
are
covered
under
the
sample
troubleshooting
and
again.
That's
because
most
people
are
trying
to
configure
both
saml
and
skim.
At
the
same
time,
and
sometimes
they'll
say
it's
a
skim
issue,
but
it's
actually
a
saml
issue
or
vice
versa.
A
As
I
mentioned
earlier,
the
majority
of
the
issues
are
configuration
you
can
compare
links
to
their
screenshot,
to
example,
screenshots
that
we
have
the
reason
why,
though,
those
screenshots
are
on
a
separate
page,
there's
warnings
everywhere.
That
says
these
may
or
may
not
be
absolutely
up
to
date
according
to
our
dogs.
A
So
if,
for
some
reason
you
find
that
it's
not
either
update
them
or
create
a
docs
issue
to
get
them
updated,
but
the
the
link
itself
to
the
screenshot
is
under
the
verifying
configuration
troubleshooting
section
on
the
saml
page.
So
again,
a
lot
of
people
are
configuring
these,
both
at
the
same
time
so
they're
linked
from
the
saml
troubleshooting
they're,
actually
not
linked
from
the
skim
troubleshooting
yeah,
and
then
I
mentioned
before
that
you
can
use
kibana
to
search
our
blogs
for
the
skim
api
endpoint.
It
is
fairly
simple.
A
It
is
just
api
scan,
slash,
v2,
slash
group,
slash
the
group
path,
you're,
always
looking
at
the
parent
group,
because
you're
never
going
to
be
looking
at
subgroups
for
the
skim
api
and
then
just
a
quick
reminder
that
if
it's,
if
it's
throwing
a
specific
error,
you
can
always
try
to
find
it
in
century
and
file.
A
bug
issue
with
the
full
stack
trace
through
sentry,
very
useful,
and
then
the
last
that
I
wanted
to
mention
just
kind
of
more
generally.
C
A
Is
just
an
example
of
what
it
looks
like
in
kibana,
so
you
can
see
that
I
just
did
an
example
search
for
gitlab
silver.
You
can
see
that
this
is
a
get
response
and
then
so
you
can
see
what
the
skim
name
id
is
being
sent
from
the
identity
provider,
and
you
can
see
the
status
is
maybe
kind
of
hard
to
see,
but
all
the
way
at
the
bottom
it'll
it
says
200..
A
A
Okay,
so
this
this
tells
you
the
difference,
and
I
I
kind
of
said
it
earlier,
and
I
want
to
make
it
clear
that
they
are
two
completely
separate
things.
Basically,
you
configure
them
together
and
actually
actually
really
don't
you
can
configure
saml
in
order
to
configure
skim,
you
have
to
have
saml
configured.
A
A
A
Information,
the
skim
identity
is
never
used
for
authentication.
So
this
is
the
interesting
thing
that
sometimes
happens
is
that
when
someone
configures
saml
and
then
later
configure
skim,
this
actually
often
happens,
or
at
least
this
happened.
This
has
happened
multiple
times.
Someone
will
configure
saml
and
say
use
their
email
address
as
the
name
id
for
saml
and
then
when
they
go
to
configure
skin,
they
follow
our
documentation.
Our
documentation
tells
you
not
to
use.
Email,
tells
you
to
use
an
id
of
some
sort
like
an
internal
id.
A
E
E
A
For
skim
as
well,
because
the
way
that
it
works
is
that,
like
so
I
have
a
group,
so
let's
call
it
git
lab
silver.
That's
one
of
our
test
groups
right,
so
I've
set
up
sso
for
gitlab
silver,
so
the
identities
that
are
you
know
surrounding
a
user
and
how
they
log
in
and
how
they're
managed
within
gitlab
silver
is
tied
around
the
way
that
I
set
it
up
for
the
provider
and
the
app
that
I've
set
up.
So
that's
why
and
then
they'll
have
a
gitlab
silver
saml
identity.
A
A
E
A
A
This
is
how
most
identity
problems
are
solved.
Actually
is
that
the
user
can
de-link
or
unlink
themselves
from
the
group,
it
does
remove
them
from
the
group
altogether
and
then
they
can
sign
back
in
and
then
because
remember
when
you
remove
the
user
from
the
group,
even
if
they
remove
themselves
right,
their
samoan
identity
gets
deleted.
So
then,
when
they
sign
in
again
it
recreates
the
samoa
identity
with
the
new
identity,
whatever
it's
been
changed
to,
and
so
that
will
kind
of
fix
it
on
its
own.
A
A
E
F
A
F
Yeah
sure
so
I've
actually
been
doing
some
work
on
ldap
this
morning.
Just
before
this
call-
and
I
just
had
a
question
about
that
so
skim-
does
it
actually
synchronize
any
user
attributes
once
the
user's
been
provisioned
and
get
lab
like
later
on,
or
is
it
basically
once
it's
been
created,
that's
it
until
it's
either
deactivated
or
deleted
on
the
identity
provider.
End.
A
The?
What
the
and
again
actually
our
patch
or
put
only
applies
to
azure
and
my
understanding
on
what
that
can
do
is
change.
Some
potentially
change
some
of
the
attributes
that
are
in
the
skim
identity,
but
there's
really
not
much
in
there.
To
be
honest,
it's
like
the
id
some
system
dates
like
created,
updated
the
group
id.
But
again,
that's
not
something.
A
A
A
You
know
we
have
actually
told
people
like
if
you
want
to
remove
someone's
skin
identity.
This
is
really
the
only
way
to
do
it,
so
you
they
they
can
use
it.
We
just
generally
don't
recommend
using
it
directly,
except
for
troubleshooting
purposes,
when
we
actually
tell
people
that
this
would
be
the
only
way
to
do
it,
so
the
api
kind
of
gives
you
an
idea
of
like
one
is.
A
You
know
not
only,
of
course,
what
information
you
can
just
get
from
it
in
terms
of
reading
what's
in
the
identity,
but
a
little
bit
of
kind
of
like
the
minimum
required
when
creating
a
user-
and
this
is
the
update
the
patch
right.
So
this
is
what
can
be
updated
through
the
patch
now
what's
weird
about
this.
A
A
A
I
actually
don't
know
now
that
I
think
about
it
in
exact
detail.
I
might
have
to
get
back
to
whether
that's
possible.
It's
not
a
thing
that
like
we
would
actually
tell
people
to
ever
do
right,
and-
and
so
you
what's
interesting-
is
that
here
you
can
change
the
external
id,
so
in
theory
and
again,
we've
not
tested
this
thoroughly,
but
based
on
the
api
and
whatnot
in
theory.
A
A
A
Sorry,
I
yeah,
I
don't
actually
have
a
definitive
answer
for
you,
but
the
api
definitely
kind
of
gives
you
a
bit
more
information
about
what
we
would
expect
in
a
in
a
patch
response.
But,
like
I
say,
octa,
doesn't
even
have
the
put
our
patch
functionality
in
our
the
way
that
gitlab
has
implemented
into
skim,
and
I'm
not
sure
when,
like
it
does
either
so
azure
would
be
the
only
one
that
could
even
potentially
do
this.
A
Yeah,
okay,
great
so
we're
going
to
circle
back
a
little
bit
to
the
question
on
identities.
Here
you
go
so
thank
you
for
giving
me
a
test
user
and
then
so
if
we
go
to
identities
for
this
user,
we
can
see
hey.
This
is
a
group
sample
identity
for
this.
This
is
the
name
of
the
group
so
and
it
does
link
to
the
group.
So
I
can
go.
Take
a
look
at
the
group.
A
If
I
want
to
the
id
here,
is
the
provider
id-
and
this
is
what
you
would
see
in
the
api,
so
the
api,
for
example,
for
this
user,
would
give
you
the
the
type
which
is
group
saml.
It
would
actually
give
you
the
group
id
rather
than
the
group
name,
and
then
it
would
give
you
the
provider
id
and
then
this
is
their
identifier,
so
you
can
either
delete
it
and
just
remove
the
sample
identifier.
A
A
G
G
A
The
reason
we
you
want
skim
in
the
first
place
is
that
it
will
create
users
that
don't
exist
and
the
way
that
a
customer
would
do.
This
is
simply
to
add
the
user
in
the
skim
app
so
again
say:
let's
take
octa
as
an
example,
you
have
octa
saml
and
after
skim
setup
in
the
after
skin.
You
add
users
right
to
say:
hey
this
user
should
be
in
the
should
have
access
and
should
be
part
of
the
gitlab
group.
A
So
you
add
them
to
the
optoscan
app
in
or
the
gitlab
skip
app
in
octa
after
then
ask
gitlab
hey:
does
this
user
exist
if
the
user?
If
there's
no
user
account
with
that
email
address
already,
which
is
actually
in
gitlab?
The
only
restriction
is
that
the
email
doesn't
exist
right
then
it
will
create
the
gitlab
user
account
and
it
will
create
both
actually
the
saml
and
skim
identity
automatically,
but
the
identity
itself.
A
For
an
existing
user
is
not
created
until
the
first
time
that
they
sign
in
to
the
group
through
sso,
so
for
an
existing
user.
If
you
know
octa
says
hey,
I
have
this
new
user,
git
lab
says:
no
can't
do
it.
Their
email
address
already
exists,
then
the
person
would
have
to
sign
into
their
gitlab.com
user
account
and
then
also
sign
in
to
the
group
through
sso,
specifically
authorize
the
sending
of
their
information
to
the
identity
provider
and
then
their
sample
and
their
skim
identities
will
be
created.
A
A
Where
problems
happen
often
is
when
this
happened
more
so
when
skim
didn't
exist,
so
someone
the
customer
will
have
set
up
saml
with
a
specific
name
id
and
then
you
know
once
skin
was
implemented.
They
say:
hey
skim
exists.
Now,
let's
implement
skim,
they
implement
skim
and
they
follow
our
docs,
but
they
end
up
with
a
name
id
that
is
different
than
what
they
originally
set
up
in
saml.
So
then
you
get
these
conflicts,
and
this
is
why
it's
like
okay,
look!
A
If
you're
setting
up
sso
your
name
id
should
match,
follow
our
guidelines
around
what
a
name
id
should
be.
That's
on
the
samoa
page.
The
main
thing
is
that
it's
something
that
should
never
change.
This
is
why
we
actually
don't
recommend
email,
because
someone
changes
their
last
name.
They
get
married,
they
get
divorced.
I
don't
know
whatever
reason
they
change
their
lasting.
Suddenly,
their
email
address
has
changed
too
and
then
their
name
ideas,
change,
and
then
they
can't
log
in
anymore.
A
So
we
tell
people,
don't
use
email
because
that
can
change,
whereas
like
an
identity
provider
like
id
like
an
internal
id
for
a
user,
doesn't
change
and
that's
why
we
tell
people
to
try
to
use
something
like
that,
so
we
don't
actually
care
exactly
what
you
use
as
long
as
it
follows
the
guidelines
which
the
primary
one
is.
It
doesn't
change
over
time
for
a
user,
regardless
of
what
happens
to
them
in
their
life.
A
A
What
you
set
the
name
id
to,
if
you're,
implementing
skim,
if
you're
just
implementing
saml
again
saml
is
used
for
authentication
as
long
as
the
name
id
matches
to
what's
in
gitlab,
we
don't
actually
care
what
it
is,
but
once
you
involve
skim
and
octa
skin
uses
a
very
specific
attribute
with
a
very
specific
value.
You
cannot
change
that
in
the
octa-skim
app,
so
your
octa-samus
settings
has
to
be
exactly
what
we've
documented
in
our
docs
so
that
it
matches
so
that
the
name
id
matches.
A
Okay,
I
realized
we're
actually
at
time,
so
I'm
gonna
end
it
there
and
I'm
gonna
stop
the
recording
in
just
a
second.
I
want
to
thank
everyone
for
coming
and
joining
asking
questions.
If
you
have
any
more
questions,
there
are
a
couple
of
more
follow-up
q
and
a
sessions,
one
which
is
a
little
more
apac
friendly
one
which
is
a
little
more
emea
friendly,
but
both
of
which
are
more
or
less
in
amer
time.
A
So
again,
if
you
have
any
more
questions,
feel
free
to
add
them
to
the
dog,
if
you
can't
make
it
to
the
follow-ups
for
any
reason
feel
free
to
just
reach
out
ping
me
there's
still
the
slack
channel,
so
you
can
also,
please
add
it
to
your
question
to
the
doc.
But
you
can,
let
me
know
in
the
slack
channel
that
you
posted
it
to
the
doc.