[Feature flag] Enable SSO Session Enforcement
Roll out and eventually remove the :enforced_sso_requires_session feature flag.
We've disabled the :enforced_sso_requires_session feature flag on GitLab.com as it caused an outage for users using it in conjunction with 2FA. Because the session wasn't getting set during 2FA, users were being denied access to their group. In addition, there were pipeline failures related to this.
The plan is to identify and fix those bugs before rolling out the feature flag again. We might also wait for the first RC to deploy, as this feature is much more intuitive with #11558 (closed), which we will have in %12.0.
- Team: Manage
- Most appropriate slack channel to reach out to:
- Best individual to reach out to: @jamedjo
What are we expecting to happen?
When enforcement is enabled on a group, this should force those users to be redirected back through their identity provider if they haven't used SAML to sign on.
What might happen if this goes wrong?
Users might be unable to sign in.
Previously the reauthentication didn't work when 2FA was enabled, as that happened on a different page. Additionally, Git over HTTP was broken. While these have been fixed, there might be other unforeseen edge cases that break.
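As an added illustration, not code from GitLab or this issue, the Ruby below models the check described under "What are we expecting to happen?" (group-level enforcement, redirect to the identity provider when the session holds no SAML sign-in) together with the 2FA ordering failure described above, where the session is never recorded because 2FA completes on a different page. The class names, the session TTL and the shape of the callback are assumptions.

```ruby
# Hypothetical model of "enforced SSO requires session"; not GitLab's code.
SESSION_TTL = 24 * 60 * 60 # assumed: seconds a SAML sign-in stays valid

# Records, per SAML provider, when the user last signed in through it.
class SamlSessionStore
  def initialize
    @signed_in = {} # provider_id => Time of last SAML sign-in
  end

  def record(provider_id, at: Time.now)
    @signed_in[provider_id] = at
  end

  def active?(provider_id, now: Time.now)
    seen = @signed_in[provider_id]
    !seen.nil? && (now - seen) < SESSION_TTL
  end
end

Group = Struct.new(:saml_provider_id, :enforced_sso)

# :allow, or :redirect_to_idp when the group enforces SSO and the
# session has no fresh SAML sign-in for the group's provider.
def access_decision(group, store, now: Time.now)
  return :allow unless group.enforced_sso
  return :allow if store.active?(group.saml_provider_id, now: now)
  :redirect_to_idp
end

# Simulated SAML callback. With the buggy ordering the callback hands
# off to the 2FA page before recording the SAML session, and the 2FA
# page never records it, so enforcement later denies the user. The
# fixed ordering records the session before the 2FA hand-off.
def saml_callback(store, provider_id, user_has_2fa:, record_before_2fa:)
  if user_has_2fa && !record_before_2fa
    return :two_factor_required # session left unset (the reported bug)
  end
  store.record(provider_id)
  user_has_2fa ? :two_factor_required : :signed_in
end
```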
What can we monitor to detect problems with this?
- Support tickets
If applicable, any groups/projects that are happy to have this feature turned on early. Some organizations may wish to test big changes they are interested in with a small subset of users ahead of time for example.
Before roll out
- Fix 2FA interaction bug in #11749 (closed)
- Fix Git HTTP access bug in #11779 (closed), which also breaks pipelines as jobs try to clone over HTTP.
- Identify groups that might be able to test this on GitLab.com
Roll Out Steps
- Enable on staging
- Test on staging
- Enable on GitLab.com for test groups/projects and verify behaviour
- Ensure that documentation has been updated
- Enable on GitLab.com for individual projects/groups as desired by beta customers
- Announce on the issue an estimated time this will be enabled on GitLab.com
- Enable on GitLab.com by running chatops command in
- Cross post chatops slack command run to
- Cross post chatops slack command run to team
- Announce on the issue that the flag has been enabled
- Remove feature flag and add changelog entry