►
From YouTube: SCIM Deep Dive (Support) APAC Q&A 2020-12-08
Description
Follow up Q&A for SCIM Deep Dive (Support) 2020-12-07
with Cynthia "Arty" Ng, Senior Support Engineer
A
My
name
is
cynthia
ing,
also
known
as
artie
chan,
a
senior
support
engineer,
and
this
is
a
follow-up
and
you
are
expected
to
have
already
watched
a
recording
from
yesterday
thanks
everyone
joining
so
we're
just
gonna.
Do
q
a
for
this
session
and
see
what
questions
we
can
answer
emily.
I
see
you
have
the
first
question:
would
you
like
to
vocalize.
B
Yeah
yep,
so
I
I
was
just
reading
the
docs
that
you
linked
in
the
issue,
and
I
saw
that
there's
a
skim
sso
for
gitlab.com
groups
and
samwell
ones,
and
I'm
just
wondering
how
different
is
it?
Is
it
like
the
difference,
between.com
and
self-managed
is
like
group
level
at
instance
level,
or
is
there
like
more
differences.
A
In
the
slides
I
do
have
a
link
to
the
issue
so
I'll.
Just
I
think
sorry,
let
me
just
find
it.
I
believe
it's
on
slide
three.
So
it's
issue
one
two,
eight
two,
three,
so
that
that
issue
is
kind
of
a
bit
general
but
does
refer
to
bringing
skim
to
self
made.
It
also
talks
about
bringing
ldap
to
dot
com
right.
A
So
it's
the
issues
like
the
specifier
will
probably
be
more
issues
for
the
specific
parts
created,
but
that
is
the
only
issue
right
now
that
we
have
that
refers
to
bringing
skim
to
self-manage.
So
I
want
to
clarify
that
skin
does
not
exist
at
all
in
self-managed
right
now,
so
it's
only
on.com
saml
is
actually
a
different
kind
of
feature.
Part
of
the.
A
Product,
it
is,
of
course,
part
of
sso
right,
so
just
kind
of
briefly.
A
A
A
A
Now,
the
reason
why
there's
a
reference
to
self-managed
in
the
saml
for
groups
documentation
is
because
technically
it's
possible
to
turn
it
on.
There
are
feature
flags
around
it,
and
so
you
you
can
turn
it
on.
You
can
technically
get
it
working,
but
it's
mostly
for
development
purposes.
Right
and
it's
I
don't.
A
So
if
you
have
100
groups,
you
have
to
have
a
100
saml
apps
and
that
doesn't
make
sense
right.
So
if
you
have
a
self-managed
instance,
it
makes
more
sense
to
implement
it.
At
the
instance
level
and
then
use
groups
in
terms
of
access
now,
group
sync
is
coming
so
then
you
would
use
saml
groups
to
configure
what
level
access
people
have
when
signing
into
saml
like
when
they
sign
into
samoa.
They
get
added
to
a
group
for
the
first
time
or
something
like
that
or
the
instance
and
then
based
on
the
saml
group.
A
They
would
have
access
to
certain
groups
in
gitlab,
so
you
can
do
that
and
that's
we
have
it
for
sasfor.com
already
so
for
com.
It's
you
configure
samuel
for
your
group
and
then
for
specific
subgroups.
You
can
say
hey
if
this
user
is
part
of
this
saml
group,
they
should
have
this
role
in
this
subgroup.
A
So,
as
a
more
practical
example
like
say
you
have
in
octa
right,
say
you
have
a
support
group
right
within
gitlab
right,
so
gitlab
sets
up.
You
know
opta
for
gitlab,
you
know,
and
then
they
say:
okay,
you
have
access,
obviously
to
the
gitlab
group,
but
right
now
I
think
our
default
role
is
guest
right
and
then,
but
you
could
say,
hey
in
the
support
subgroup,
which
you
know
we
have
everyone
in
this
octa
support
group
should
have
maintainer
access,
so
you
can
set
that
up.
Now.
A
That
is
specific
to
how
saml
is
implemented,
and
it
has
to
do
with
this
album
protocol
and
group
sync,
which
again
is
already
available
for
com
and
is
coming.
I
think
in
the
next
release
for
self-managed
at
least
planned
for
the
next
release
for
self-manage
will
be
available
very
quickly
because
self-manage
has
saml
it's
just.
A
They
don't
have
skim.
So
skim
is
completely
separate
from
everything
that
I
just
talked
about,
and
there
currently
is
no
timeline
for
when
skin
will
be
implemented
for
self-managed.
A
Yeah,
so
it
is
important
to
remember.
Like
you
know,
I
tried
to
slide.
Six
is
kind
of
where
I
tried
to
kind
of
separate
it
for
everyone.
You
know,
and
when
I
was
talking
about
this
during
the
recording
too,
that
saml
and
skim
have
two
different
roles:
they're
both
part
of
sso
right
and
because
they're,
both
part
of
authentication
and
authorization
and
and
contr.
You
know,
helps
to
control
what
users
have
access
to,
but
ultimately,
saml
and
skin
have
two
different
roles
within
what
goes
on
in
the
system
itself.
A
Happen:
okay,
rotomac!
You
want
to
vocalize
your
question.
C
A
I
usually
I
don't
look
at
these
docs
or
I
don't
look
at
the
stocks
page
in
particular,
very
often
because
you
know
how
like
we,
we
can't
use
the
skim
api
to
get
this
information.
So
I
I
rarely
use
this
the
stocks
page
and
I
I
mostly
I
like.
A
A
A
A
But
ever
since
I
think
it
was
about
february
when,
when
gitlab
the
you
know,
the
dev
team
product
team
kind
of
turned
it
on,
we
created
skim
identities.
A
So
the
skim
api
is
now
only
used
for
editing
the
skim
identity
and
it's
completely
separate
from
saml.
So
why
don't?
We
add
that
as
duncan,
if
you
can
add
that,
as
as
an
action
item
wrote
now,
I
don't
know
if,
if
you
even
want
to
do
it,
you
can
go
ahead
and,
like
basically
you'd
be
just
renaming
saml
to
skim.
A
C
A
Yeah,
I
know
for
sure
I
definitely
think
we
should
edit
that
but
yeah
it's
it's
it's
a
carryover
from
when
we
used
to
only
have
one
type
of
identity.
I
think
I
think
I
really
think
that's
just
where
that
language
comes
from.
I
bet
you
if
we
pulled
up
the
blame
right
now
that
it's
just
that
line
has
not
been
edited
since
the
doc
was
created.
C
I
agreed
my
requests
for
this.
C
Yep,
so
this
is
like
more
on
the
sample
side
because,
like
on
gitlab.com,
like
people
would
sign
into
a
group
and
then
they
don't
have
to
sign
in
for
a
while.
A
Okay,
so
yeah
so
just
to
clarify,
as
you
mentioned,
this
has
nothing
to
do
with
skim.
This
is
purely
a
saml
thing,
but
is
tied
to
sso
right
because
of
controlling
user
access.
We
actually
well.
We
as
when
I
say
we
I
mean
git
lab
a
week
ago,
turned
on
seven
day
sample
expiry.
A
I
have
the
link
handy,
and
I
will
add
it
here,
so
we
actually,
we
literally
turned
this
on
a
week
ago,
and
then
we
got
a
ticket
in
today
and
was
escalated
to
me,
which
is
why
I
know
about
it
and
basically
it
it
now,
if
you
turn
on
sso
and
force,
because
it
doesn't
make
sense
if
you
don't
turn
that
on
right.
A
So
so
in
the
case
where
someone
turns
on
sso
and
force,
then
the
browser
session
will
force
expire
in
seven
days,
regardless
of
our
browser
policy
or
browser
session
policy
yeah.
So
we
just
turned
that
on
a
week
ago,.
A
So
it
followed
our
gitlab
browser
session
policy
right.
So
basically,
as
long
as
you
kept
visiting
gitlab,
it
would
auto
renew
your
session
and
you
never
had
to
sign
it
right
so
like
right
now,
I'm
sure
you
know
unless
you
go
on
vacation
for
a
week
or
whatever
it
is,
then,
because
you
visit
gitlab
almost
every
day,
even
if
you
you
know
you're
off
for
the
weekend,
you
come
back
on
monday.
Your
browser
session
is
still
there,
like.
You,
don't
have
to
log
back
into
gitlab
right.
A
So
what
this
does
is
that
it
forces
it
to
expire
after
seven
days,
regardless
of
what
our
you
know,
what
the
browser
section
policy
is
for
gitlab
in
general
right,
which
auto
renews
this
forces
the
browser
session
to
expire
after
seven
days,
so
they
it
forces
the
user
to
sign
back
in
to
get
lab,
and
you
know
the
idea
for
most
of
these
users
is
that
they
will
be
signing
in
through
their
provider
anyways.
A
A
Is
that
the
customer
turned
on
sso
enforce
actually
quite
a
few
months
ago,
but
before
they
turned
on
sso
and
force,
they
had
added
users
to
specific
projects
and
subgroups,
and
so
these
users
were
manually
added
were
not
signed
in
through
saml,
but
even
after
turning
on
sso
and
or
they
might
have
signed
in
through
saml
in
some
way
or
another.
But
after
turning
on
sso
and
force,
you're
actually
not
normally
allowed
to
add
users
to
a
specific
subgroup
or
project
without
adding
without
them
being
added
at
the
the
top
level
group.
A
So,
but
because
these
users
were
added
both
prior
to
that
and
then
they
just
kept
using
gitlab
on
a
regular
basis.
They
were
never
signed
up.
A
Even
if
they
were
signed
into
gitlab,
they
couldn't
access
the
group
itself
or
the
the
specific
project
or
subgroup
that
they
were
added
in
so
what
they
had.
What
they
have
to
do
instead
is
they
have
to
sign
in
through
their
identity
provider
so
that
they
link
the
existing
account
to
their
samo
login,
create
that
saml
identity
right
and
then
that
should
just
give
them
access
back
to
whatever
they
already
had.
A
At
the
same
time,
they
would
be
added
at
the
parent
group
level
or
top
level
group
with
whatever
default
role
has
been
set
right
in
the
sample
settings.
So
that
should
be
the
resolution.
We
haven't
gotten
confirmation
actually
yet
from
this
customer,
like
I
said,
we
fairly
thoroughly
tested
this
with
new
users
and
adding
new
users,
and
we
just
you
know,
didn't
exactly
test
with
hey
what,
if
we
manually
add
users,
then
turn
sso
and
force
on
then
turn
on
the
feature
flag
to
have
a
session
expire
in
seven
days.
A
So,
if
we
absolutely
need
to,
we
can
turn
off
the
feature
flag,
but
it's
it's
just
a
browser
session
expired.
We
think
that
as
long
as
the
users
properly
connect
their
saml
identity,
then
it
they'll
be
able
to
access
the
group
again
so
yeah
the
doctor
and
the
docs
aren't
updated.
Yet
I
actually
because
this
came
up
today-
I've
pinged
the
pm
and
the
backend
engineer
and
asked
them
about
whether
there's
a
docs
update
in
progress
and
if
there
isn't
then
we'll
create
one.
A
All
right,
I
realize
we're
actually
just
over
time
by
like
a
minute
or
two,
so
I
want
to
be
respectful
of
everyone's
time.
A
If
you
have
any
more
questions,
feel
free
to
throw
them
in
the
doc
or
in
the
slack
channel
and
I'm
more
than
happy
to
answer
them.
Then
we
do
have
another
follow-up
tomorrow,
it'll
be
outside
your
time
zone,
but
I'm
more
than
happy
to
answer
the
questions
in
a
recording,
then
or
again
through
through
the
docker
through
slack
as
well.
So
thank
you
for
joining
and
go
ahead
and
stop
the
recording.