SAML Enforcement session is not set when using 2FA on GitLab
Problem
In Groups::OmniauthCallbacksController we call store_active_saml_session on sign_in and on link_identity. However, when using 2FA, users are instead shown a page where a 2FA token can be entered via prompt_for_two_factor.
Solution
The naive solution is to call store_active_saml_session from prompt_for_two_factor when using Group SSO; however, it would be more correct to do so after the 2FA is complete. To take that approach we'll need to think about how to pass on our intention to store this.
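The flow described in this issue, as an added Ruby model that is not GitLab's code: it shows the SAML session being skipped when the 2FA prompt interrupts sign-in, and one way to carry the intention across the prompt so it is stored only after 2FA succeeds. Only `store_active_saml_session`, `prompt_for_two_factor` and `sign_in` are names from the issue; the class, the session keys and `complete_two_factor` are hypothetical.

```ruby
# Simplified model of the flow, not GitLab source. Session keys, class name and
# complete_two_factor are hypothetical; the session is a plain Hash.
class SsoFlowModel
  PENDING_KEY = :pending_saml_provider_id   # hypothetical: deferred intention
  ACTIVE_KEY  = :active_group_sso_sign_ins  # hypothetical: what enforcement checks

  def initialize(defer_until_2fa_complete:)
    @defer = defer_until_2fa_complete
    @session = {}
  end

  # Group SAML callback; the assertion is assumed to be validated already.
  def saml_callback(user, provider_id)
    if user[:two_factor_enabled]
      # Deferred variant records only the intention; nothing is active yet.
      @session[PENDING_KEY] = provider_id if @defer
      return prompt_for_two_factor(user)
    end
    sign_in(user)
    store_active_saml_session(provider_id)
    :signed_in
  end

  # Called when the user submits a code on the 2FA prompt page.
  def complete_two_factor(user, otp_valid)
    return :otp_rejected unless otp_valid && @session[:otp_user_id] == user[:id]
    @session.delete(:otp_user_id)
    sign_in(user)
    pending = @session.delete(PENDING_KEY)
    store_active_saml_session(pending) if pending
    :signed_in
  end

  def active_saml_session?(provider_id)
    @session.fetch(ACTIVE_KEY, {}).key?(provider_id)
  end

  private

  def prompt_for_two_factor(user)
    @session[:otp_user_id] = user[:id]
    :two_factor_prompt
  end

  def sign_in(user); @session[:user_id] = user[:id]; end

  def store_active_saml_session(provider_id)
    (@session[ACTIVE_KEY] ||= {})[provider_id] = Time.now.to_i
  end
end
```

With `defer_until_2fa_complete: false` the model reproduces the reported behaviour: the user ends up signed in with no active SAML session. With `true`, a rejected 2FA code leaves the SAML session unset.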