Move and Improve SAML Group Sync warning to top

b3708bf2 · Gerardo Gutierrez · Evan Read · 2d64625f · b3708bf2
Commit b3708bf2 authored Feb 04, 2022 by Gerardo Gutierrez Committed by Evan Read Feb 04, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

doc/user/group/saml_sso/index.md doc/user/group/saml_sso/index.md +7 -4

No files found.
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -339,6 +339,13 @@ For example, to unlink the `MyOrg` account:

 ## Group Sync

+WARNING:
+Changing Group Sync configuration can remove users from the relevant GitLab group.
+Removal happens if there is any mismatch between the group names and the list of `groups` in the SAML response.
+If changes must be made, ensure either the SAML response includes the `groups` attribute
+and the `AttributeValue` value matches the **SAML Group Name** in GitLab,
+or that all groups are removed from GitLab to disable Group Sync.
+
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For a demo of Group Sync using Azure, see [Demo: SAML Group Sync](https://youtu.be/Iqvo2tJfXjg).

@@ -356,10 +363,6 @@ Ensure your SAML identity provider sends an attribute statement named `Groups` o
 </saml:AttributeStatement>
 ```

-WARNING:
-Setting up Group Sync can disconnect users from SAML IDP if there is any mismatch in the configuration. Ensure the
-`Groups` attribute is included in the SAML response, and the **SAML Group Name** matches the `AttributeValue` attribute.
-
 Other attribute names such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`
 are not accepted as a source of groups.
 See the [SAML troubleshooting page](../../../administration/troubleshooting/group_saml_scim.md)