[Feature flag] Enable SSO Session Enforcement
What
Roll out and eventually remove the :enforced_sso_requires_session feature flag.
Previous attempt
We've disabled the :enforced_sso_requires_session feature flag on GitLab.com as it caused an outage for users using it in conjunction with 2FA. Because the session wasn't getting set during 2FA, users were being denied access to their group. In addition, there were pipeline failures related to this.
The plan is to identify and fix those bugs before rolling out the feature flag again. We might also wait for the first RC to deploy, as this feature is much more intuitive with https://gitlab.com/gitlab-org/gitlab-ee/issues/11558, which we will have in %12.0.
Owners
- Team: ~Manage
- Most appropriate slack channel to reach out to: #g_manage
- Best individual to reach out to: @jamedjo
Expectations
What are we expecting to happen?
When enforcement is enabled on a group, users who haven't signed in via SAML should be redirected back through the group's identity provider before they can access the group.
What might happen if this goes wrong?
Users might be unable to sign in.
Previously, the re-authentication didn't work when 2FA was enabled, as the 2FA step happened on a different page. Additionally, Git over HTTP was broken. While these have been fixed, there might be other unforeseen edge cases that break.
If something goes wrong for a customer, it can be resolved by disabling "Enforced SSO" on their group's SAML settings page.
What can we monitor to detect problems with this?
- Support tickets
- https://dashboards.gitlab.net/d/rPsQXrImk/rails-controller?orgId=1&refresh=1m&var-env=gprd&var-type=web&var-stage=main&var-controller=Groups::OmniauthCallbacksController&var-action=All
- https://dashboards.gitlab.net/d/rPsQXrImk/rails-controller?orgId=1&refresh=1m&var-env=gprd&var-type=web&var-stage=main&var-controller=Groups::SsoController&var-action=All
- https://dashboards.gitlab.net/d/thYzurImk/rails-controllers?orgId=1&var-action=Groups::OmniauthCallbacksController%23group_saml&var-database=influxdb-01-inf-gprd
- https://dashboards.gitlab.net/d/thYzurImk/rails-controllers?orgId=1&var-action=Groups::OmniauthCallbacksController%23failure&var-database=influxdb-01-inf-gprd
Beta groups/projects
If applicable, any groups/projects that are happy to have this feature turned on early. For example, some organizations may wish to test big changes they are interested in with a small subset of users ahead of time.
- https://gitlab.slack.com/archives/CDRLZUVHB/p1561036823109000?thread_ts=1560555218.092000&cid=CDRLZUVHB
- https://gitlab.slack.com/archives/CBFCUM0RX/p1561064701246900?thread_ts=1561036942.245100&cid=CBFCUM0RX
Before roll out
- Fix 2FA interaction bug in https://gitlab.com/gitlab-org/gitlab-ee/issues/11749
- Fix Git HTTP access bug in https://gitlab.com/gitlab-org/gitlab-ee/issues/11779, which also breaks pipelines as jobs try to clone over HTTP.
- Identify groups that might be able to test this on GitLab.com
Roll Out Steps
- Enable on staging
- Test on staging
- Enable on GitLab.com for test groups/projects and verify behaviour
- Ensure that documentation has been updated
- Enable on GitLab.com for individual projects/groups as desired by beta customers
- Announce on the issue an estimated time this will be enabled on GitLab.com
- Enable on GitLab.com by running chatops command in #production
- Cross post chatops slack command run to #support_gitlab-com on slack
- Cross post chatops slack command run to team
- Announce on the issue that the flag has been enabled
- Remove feature flag and add changelog entry