Automatically remove Fleet users when they're removed from IdP

[zayhanlon]

Goal

User story
As a security engineer, who doesn't have access to IdP (e.g. Okta) workflows,
I want automatic user deletion so that when a Fleet user is removed in the IdP (e.g. Okta) there are also removed in Fleet
so there’s not a dangling Fleet admin account.

Changes

Product

• UI changes: Figma
• CLI (fleetctl) usage changes: No changes
• YAML changes: No changes
• REST API changes: No changes
• Fleet's agent (fleetd) changes: No changes
• GitOps mode UI changes: No changes
• GitOps generation changes: No changes
• Activity changes: No changes
• Permissions changes: No changes
• Changes to paid features or tiers: No changes
• My device and fleetdm.com/better changes: No changes
• Usage statistics: No changes
• Other reference documentation changes: No changes
• First draft of test plan added
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed

Engineering

• Test plan is finalized
• Feature guide changes: See sub-task.
• This is a premium only feature: Yes (SCIM is premium only already)

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Risk level: Medium
• Risk description: Medium because this involves deleting Fleet users account, so we need to QA this thoroughly.

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

1. On Settings > Integrations > Identity Providers (IdP):

• confirm updated description copy
• if IdP connected, confirm updated "received" copy

2. Connect IdP using SCIM for Okta, Entra Id, Google Workspace, authentik, etc. (other supported IdPs)

• Once IdP connected, confirm updated "received" copy
• Remove user from IdP and confirm they are also deleted from Fleet.
• Note: Do not allow all admin accounts to be deleted. If only one admin account left, confirm "Delete" in Actions dropdown is disabled with new tooltip.
• Note: Confirm API access accounts are not deleted as part of this feature.

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[zayhanlon]

@sharon-fdm this is a follow up request to a customer promise. can you get us a rough t shirt size?

[getvictor]

@zayhanlon XS assuming existing SCIM integration and the config is just an on/off switch. So, just bare bones support.

[zayhanlon]

@getvictor - here are some other details from the original use case ticket: do you still think XS? TY!

@noahtalerman: Users will expect that when an employee who has access to Fleet leaves my organization, the employee's Fleet account and any API tokens/credentials are automatically revoked.

@noahtalerman: As a security engineer, who noticed that the IT team got Fleet or is expanding its use, I want automatic user deletion/creation so that when someone w/ an account in Fleet leaves/joins and we remove/add them in Okta, there’s not a dangling Fleet admin account (JIT, SCIM).

In Fleet this could look like the IT admin attaches Fleet roles (admin, maintainer, observer) to groups inside the Okta UI. When Fleet and Okta talk, Fleet knows which users to give which roles. Teams in phase 2. Fleet user can do this manually in the first pass. Plus, we don't have many customers with IT and security living in Fleet (we want them!)

[getvictor]

@zayhanlon It is still XS, assuming this story does NOT address Fleet user creation, which is most of what the below comment is about:

@noahtalerman: As a security engineer, who noticed that the IT team got Fleet or is expanding its use, I want automatic user deletion/creation so that when someone w/ an account in Fleet leaves/joins and we remove/add them in Okta, there’s not a dangling Fleet admin account (JIT, SCIM).

In Fleet this could look like the IT admin attaches Fleet roles (admin, maintainer, observer) to groups inside the Okta UI. When Fleet and Okta talk, Fleet knows which users to give which roles. Teams in phase 2. Fleet user can do this manually in the first pass. Plus, we don't have many customers with IT and security living in Fleet (we want them!)

[zayhanlon]

@getvictor correct. we have user creation tracked separately. thanks

[zayhanlon]

@noahtalerman based on victors estimation, i'm inclined to say we're looking good to keep this in 4.81. can we communicate that to the customer?
@kc9wwh fyi