2023-04-04: SSO redirect issues

Customer Impact

GitLab.com users were not being redirected to the SSO login page between 2023-04-03 21:40 UTC and 2023-04-04 15:30 UTC.

Current Status

We received reports from users experiencing issues with SSO redirects. We're investigating the issue at the moment.

Redirection is the only broken component of login.

Workaround

Users visiting https://gitlab.com/ are not being redirected to the SSO sign in form.

The current broken flow looks like this: https://gitlab.com/<groupname> -> No redirection to SSO login page

To fix this, navigate instead to: https://gitlab.com/groups/<groupname>/-/saml/sso?token=<token> -> Redirected to SSO login page as normal

The URL above, including its <token>, can be obtained by your group Admin from the group's SAML settings page at https://gitlab.com/groups/<groupname>/-/saml, in the "GitLab single sign-on URL" section.
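To make the workaround easier to hand out and to verify when the redirect is restored, here is an added example (not GitLab's own code) that builds the manual SSO URL from a group path and token, and classifies the first hop of an unauthenticated request to https://gitlab.com/<groupname> as working or broken. The group name, token and HTTP responses in it are constructed for illustration.

```python
"""Build the manual SAML SSO URL for a GitLab.com group and check whether
https://gitlab.com/<groupname> redirects to it.

Added example, not GitLab code. Group paths, tokens and the sample
responses in `SAMPLE_PROBES` are constructed.
"""
from dataclasses import dataclass
from http.client import HTTPSConnection
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

GITLAB = "https://gitlab.com"


def sso_path(group_path: str) -> str:
    """Return /groups/<group>/-/saml/sso for a (possibly nested) group path.

    Each segment is percent-encoded on its own so that slashes in a nested
    path such as "parent/child" stay path separators.
    """
    segments = [s for s in group_path.strip("/").split("/") if s]
    if not segments:
        raise ValueError("group path is required")
    return "/groups/" + "/".join(quote(s, safe="") for s in segments) + "/-/saml/sso"


def build_sso_url(group_path: str, token: str) -> str:
    """The workaround URL: https://gitlab.com/groups/<group>/-/saml/sso?token=<token>."""
    if not token:
        raise ValueError("token is required")
    return f"{GITLAB}{sso_path(group_path)}?{urlencode({'token': token})}"


@dataclass
class Probe:
    """Status and Location header of the first response for GET /<group>."""
    status: int
    location: Optional[str]


def redirect_state(group_path: str, probe: Probe) -> str:
    """Classify the first hop of an unauthenticated GET of https://gitlab.com/<group>.

    "ok"     -> a 3xx whose Location is this group's SAML SSO endpoint with a token
    "broken" -> no redirect at all, or a redirect somewhere else (the incident)
    """
    if not (300 <= probe.status < 400 and probe.location):
        return "broken"
    loc = urlsplit(probe.location)
    same_host = loc.netloc in ("", "gitlab.com")        # relative or absolute gitlab.com URL
    has_token = bool(parse_qs(loc.query).get("token"))
    if same_host and loc.path == sso_path(group_path) and has_token:
        return "ok"
    return "broken"


def probe_group(group_path: str) -> Probe:
    """Live check (needs network): fetch the group page WITHOUT following
    redirects, so the first Location header is visible instead of the final page."""
    conn = HTTPSConnection("gitlab.com", timeout=10)
    conn.request("GET", "/" + group_path.strip("/"),
                 headers={"User-Agent": "sso-redirect-check"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return Probe(resp.status, resp.getheader("Location"))


# Constructed responses for the hypothetical group "example-group".
SAMPLE_PROBES = {
    "healthy redirect": Probe(302, "https://gitlab.com/groups/example-group/-/saml/sso?token=abc123"),
    "relative redirect": Probe(302, "/groups/example-group/-/saml/sso?token=abc123"),
    "no redirect (incident)": Probe(200, None),
    "redirect to plain sign-in": Probe(302, "https://gitlab.com/users/sign_in"),
}


def classify_samples() -> dict:
    return {name: redirect_state("example-group", p) for name, p in SAMPLE_PROBES.items()}


if __name__ == "__main__":
    print("workaround URL:", build_sso_url("example-group", "abc123"))
    for name, state in classify_samples().items():
        print(f"{name:28s} -> {state}")
```

Run `probe_group("<groupname>")` from a shell that is not signed in to GitLab.com and pass the result to `redirect_state` to confirm the redirect is back; a 200 with no Location, or a redirect to the generic sign-in page, means the workaround URL is still needed.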

More information will be added as we investigate the issue. For customers believed to be affected by this incident, please subscribe to this issue or monitor our status page for further updates.

📝 Summary for CMOC notice / Exec summary:

  1. Customer Impact: Only users with SSO integrations who are attempting to log in to groups and projects, plus some internal GitLab employees
  2. Service Impact: ServiceWeb
  3. Impact Duration: 2023-04-03 21:40 UTC - 2023-04-04 21:45 UTC
  4. Root cause: RootCauseKnown-Software-Issue

Corrective Actions

  1. Update documentation to clarify behaviours for SSO such that they are easier to understand.
  2. Expand tests in this area including notes on the behaviour the tests are aiming to validate

📚 References and helpful links

Recent Events (available internally only):

  • Feature Flag Log - Chatops to toggle Feature Flags Documentation
  • Infrastructure Configurations
  • GCP Events (e.g. host failure)

Deployment Guidance

  • Deployments Log | Gitlab.com Latest Updates
  • Reach out to Release Managers for S1/S2 incidents to discuss Rollbacks and/or Hot Patching | Rollback Runbook | Hot Patch Runbook

Use the following links to create related issues to this incident if additional work needs to be completed after it is resolved:

  • Corrective action ❙ Infradev
  • Incident Review ❙ Infra investigation followup
  • Confidential Support contact ❙ QA investigation

Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, as laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share will be public, in accordance with our transparency value.

Edited Apr 06, 2023 by Matt Nohr