SAML synchronization should warn before it kills direct member list
Opening as feature as per discussion in #330902 (comment 575780391)
Use case: Hello team, we have a question about Group Owners bypassing SSO enforcement. A customer complained that they are an owner of the group; however, their access level was reverted when using the SSO link. After testing this, we concluded that the owner gets to reserve their access level if they are the only owner of the group. If there are multiple owners, signing in with the SSO login link would override their access level, leaving the ability to bypass the SSO to only one - last - owner.
It would be nice if the GUI provided a warning about the direct members being lost before applying in this scenario.
Note that this is the documented behavior. However, from a UI/UX perspective, it's usually a good idea for GUIs to warn about dangerous actions. This is an example of the "principle of least surprise".
Figma work file
Implementation plan
Add warning
Update docs
Update docs and add diagram
In the above diagram, when Faye Ledner signs in, she is removed from GitLab Group C because she is not part of SAML Group C. Also, even though John Smith is part of SAML Group C, he is not added to GitLab Group C because he was not the one signing in.
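The sign-in-time behaviour described above can be modelled to produce the kind of warning this issue asks for. This is an added example, not part of the original issue and not GitLab's code. The function names, the `alice.owner` and `bob.owner` users, the `developer` access level, and the choice to apply the sole-owner exemption to removal as well are assumptions.

```python
# Simplified model of sign-in-time SAML group sync, built only from the
# behaviour described on this page. Not GitLab's implementation.
OWNER = "owner"

def preview_sign_in(members, link, user, saml_groups):
    """Return what the sync would do to `user` in one GitLab group.

    members:     {username: access_level} direct members of the GitLab group
    link:        (saml_group_name, access_level) group link being applied
    saml_groups: SAML group names asserted for `user` at this sign-in
    """
    saml_group, linked_level = link
    current = members.get(user)
    owners = [u for u, lvl in members.items() if lvl == OWNER]
    # The page reports that a sole owner keeps their access level.
    # Assumption: that holds whether or not they are in the SAML group.
    if current == OWNER and owners == [user]:
        return "keep"
    if saml_group not in saml_groups:
        return "remove" if current is not None else "none"
    if current is None:
        return f"add:{linked_level}"
    return "keep" if current == linked_level else f"set:{linked_level}"

def warn_before_linking(members, link, idp_groups):
    """List direct members whose access would change at their next sign-in.

    Each member is evaluated against the current member list on its own,
    so the result is a worst-case preview, not an ordered simulation.
    idp_groups: {username: set of SAML group names} (constructed sample data)
    """
    warnings = {}
    for user in members:
        action = preview_sign_in(members, link, user, idp_groups.get(user, set()))
        if action != "keep":
            warnings[user] = action
    return warnings

# Constructed sample data using the names from the description above.
MEMBERS_C = {"faye.ledner": "developer", "alice.owner": OWNER, "bob.owner": OWNER}
LINK_C = ("SAML Group C", "developer")
IDP = {"john.smith": {"SAML Group C"}, "alice.owner": {"SAML Group C"}}

if __name__ == "__main__":
    for user, action in warn_before_linking(MEMBERS_C, LINK_C, IDP).items():
        print(f"{user}: {action}")
```

John Smith does not appear in the warning because the model only acts on a user at that user's own sign-in, matching the description of the diagram.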