OKay, the group has been created -- however i cannot add @jlovejor or @ref to the group yet since they dont seem to have ever logged into gitlab with their fedora account.

there are two options here, wither they both log in to gitlab with SAML via:

https://gitlab.com/groups/fedora/

or if there is a legal group with those two in it in Fedora Accounts, i can set that up too.

There does not appear to be an existing legal group. Can we create one and add them?

Yeah, i think this may be one of the cases where the SAML group linking might be worthwhile.

Just need someone with Fedora Accounts group adding ability to add the "legal" group to IPA (i can do the github side once this is done)

@kevin out of interest, is it just sysadmin-main with that access to the accounts system?>

Yeah, i think this may be one of the cases where the SAML group linking might be worthwhile.

Just need someone with Fedora Accounts group adding ability to add the "legal" group to IPA (i can do the github side once this is done)

I have added the legal group with @jlovejoy and @ref as sponsors https://accounts.fedoraproject.org/group/legal/

@kevin out of interest, is it just sysadmin-main with that access to the accounts system?>

They are slightly different but mostly the same

@ryanlerch whats the status here?

Sorry to add another ping... Jilayne is ready to go when we have the repo...

I have setup the link. Members of the fedora 'legal' group will get 'owner' permissions for https://gitlab.com/fedora/legal

Let us know if there's anything more you all need or if you run into any problems.

Thanks!

Hi, sorry but I'm kind of completely unclear on what to do here. I got an email from Gitlab saying: "You have been granted Owner access to the fedora / Fedora Legal group. If this was a mistake you can leave the group."

But while logged into my gitlab.com account when I try to access fedora legal I get: Your request for access could not be processed: The member's email address is not linked to a SAML account

Update: Now I get "SAML authentication failed: Extern uid has already been taken"

@ref If you go to https://gitlab.com/fedora, you should be able to log in with Fedora SSO.

I'm getting a bit stuck too - perhaps it has something to do with having (or not having) a regular Gitlab account?
I do not have a Gitlab account - maybe I need to create one (and with my redhat.com address)
I think @ref has a Gitlab account, perhaps under a different email - in which case, would he need to link them or create a new Gitlab account with his redhat.com email?

(used to Github, where you can have more than one email associated with your account - not sure how Gitlab handles that, but wondering if that's part of what is going on here?)

@ref If you go to https://gitlab.com/fedora, you should be able to log in with Fedora SSO.

No, that's where I click "Authorize" and get "SAML authentication failed: Extern uid has already been taken"

Are you logged in with your regular gitlab account? login there first, then go to https://gitlab.com/fedora/legal and see if it will let you sign in again with fedora SAML (and link it to your existing account).

Or, maybe @ref has a different gitlab account that is linked to the Fedora one?

I think this is now resolved but I will let you know if not. :-)

Okay I don't understand what is going on. If I try to use my Fedora machine I get the "SAML authentication failed" message. I was able to successfully authenticate on a MacOS machine. I tried resetting my Fedora account password (thinking perhaps it had something to do with out of date browser stored passwords) but this did not seem to correct the problem.

Ah I think I may indeed have two gitlab accounts.

@kevin I previously had a gitlab account (associated with my Red Hat email address), username "@richardfontana", and a new gitlab account was created today as a consequence of all this, username "@rfontanaref". Obviously I can use rfontanaref and I actually never used richardfontana, but I sort of like the name better. So I have to ask - do you know if it is possible to re-associate my Fedora account with the other (richardfontana) gitlab account? If too much trouble don't worry about it.

I think it should be possible. ;)

How about:

1. I remove rfontanaref from fedora/legal
2. you login to that account on the main gitlab page and go to edit profile -> account -> click on 'disconnect' next to the 'SAML for Fedora'
3. logout of that account
4. login to the other account and go to https://gitlab.com/fedora/legal and login via Fedora SSO.
5. Hopefully that will link the right thing.

Make sense? let me know if that sounds worth trying and I will do the step one.