Group level SAML Single sign-on page
Description
In order to allow a user to log in to a group via SAML, we need a Single Sign-On (SSO) URL that then directs the user to the SAML server for the authentication dance.
Proposal
- Provide an SSO page under a URL such as `https://gitlab.com/groups/gitlab-org/-/sso` once SSO has been configured for a group
  - If SSO has not been configured, this URL should 404
- If SSO has been configured, when the user's visit initiates the authentication flow (because they are visiting a page of the group that needs authentication):
  - User is already signed into GitLab:
    - AND has already linked SAML identity:
      - Redirect to the `RelayState` path, which can default to the group page but might also be the SAML settings page or another page they were on
      - Display flash message saying "Signed in with SAML for {GroupName}"
    - AND has not linked this particular SAML provider:
      - Redirect to `RelayState`.
      - Display flash indicating the account has been linked, with a link to the `profile/account` page: "SAML for {GroupName} was added to your [connected accounts]"
  - User is not signed into GitLab:
    - AND has already linked this SAML provider:
      - Redirect to GitLab login page and, after login, redirect to `RelayState`
      - Display flash message saying "Signed in with SAML for {GroupName}"
    - AND has not linked this SAML identity provider: We will block this in the first iteration and redirect to the GitLab login page. After login, redirect to the SSO page
- If the user is already signed into GitLab AND has already linked SAML identity, AND they attempt to visit the SSO page, they should be redirected to the Group homepage saying "You're already signed in with SAML for {GroupName}"
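The decision table above, written out as an added example (not GitLab's own code): one function maps the session state, link state and `RelayState` to a redirect target and flash, and it adds the check a reviewer would ask for, namely that `RelayState` is only honoured when it is a local path, so the SAML response cannot be used as an open redirect. The `/users/sign_in?redirect_to=` login path, the `Result` struct and all parameter names are assumptions.

```ruby
require 'uri'

module GroupSsoRedirect
  # Assumed shape: where to send the user, what to flash, HTTP status.
  Result = Struct.new(:redirect_to, :flash, :status)

  # Accept RelayState only if it is a path on this site. Absolute URLs,
  # scheme-relative "//host" forms and unparsable values fall back to
  # the default path, which closes the open-redirect hole.
  def self.safe_relay_state(relay_state, default_path)
    return default_path if relay_state.nil? || relay_state.empty?
    uri = URI.parse(relay_state)
    return default_path if uri.scheme || uri.host
    return default_path unless relay_state.start_with?('/') && !relay_state.start_with?('//')
    relay_state
  rescue URI::InvalidURIError
    default_path
  end

  # sso_configured: group has SAML SSO enabled
  # signed_in:      user has a GitLab session
  # linked:         user already linked this group's SAML provider
  # visiting_sso_page: the request is for the /-/sso page itself
  def self.decide(group:, sso_configured:, signed_in:, linked:, relay_state: nil, visiting_sso_page: false)
    group_path = "/groups/#{group}"
    sso_path   = "#{group_path}/-/sso"
    login      = '/users/sign_in?redirect_to=' # assumed login route
    return Result.new(nil, nil, 404) unless sso_configured

    target = safe_relay_state(relay_state, group_path)

    # Already signed in and linked, but hitting the SSO page directly.
    if signed_in && linked && visiting_sso_page
      return Result.new(group_path, "You're already signed in with SAML for #{group}", 302)
    end

    if signed_in
      # Linking the identity is a side effect elsewhere; only the flash differs here.
      flash = linked ? "Signed in with SAML for #{group}" : "SAML for #{group} was added to your connected accounts"
      Result.new(target, flash, 302)
    elsif linked
      # Signed out but linked: through GitLab login, then on to RelayState.
      Result.new(login + URI.encode_www_form_component(target), "Signed in with SAML for #{group}", 302)
    else
      # First iteration blocks signed-out, unlinked users: login, then back to the SSO page.
      Result.new(login + URI.encode_www_form_component(sso_path), nil, 302)
    end
  end
end
```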
Links / references
Edited by Pedro Moreira da Silva