Investigate open items on group-level SSO: group membership revocation and other questions
Description
Before we can tackle the other items in &95 (closed), we should investigate how we're going to approach these issues. The biggest questions we have revolve around:
- Revoke group membership if a user is removed from the SAML identity provider
  - How do we approach this?
  - How do we handle passive features that don't require interacting with the web interface (e.g. email notifications, git)?
  - How do others handle these issues?
- Force users to reauthenticate after a 24h timeout
  - Where do we set this period?
  - Can we set this based on something we get in the SAML response, or do we need to keep track of this separately?
  - If we keep track of this separately, how do we check for this before the user takes an action on GitLab.com in a comprehensive way?
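One way to answer the "SAML response or separate tracking" question is to combine both: take the IdP's optional SessionNotOnOrAfter from the AuthnStatement and cap it with a local 24h ceiling counted from AuthnInstant, then store that single expiry with the session so any request path can check it. The Ruby below is an added illustration, not GitLab code; the assertion fragment, issuer and timestamps are constructed.

```ruby
require 'rexml/document'
require 'time'

# Constructed sample SAML assertion (not from any real IdP); only the
# AuthnStatement attributes relevant to session lifetime are included.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_example" IssueInstant="2019-01-10T09:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2019-01-10T09:00:00Z"
                         SessionNotOnOrAfter="2019-01-10T17:00:00Z"
                         SessionIndex="_s1"/>
  </saml:Assertion>
XML

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
MAX_SESSION_SECONDS = 24 * 60 * 60 # local policy, independent of the IdP

# Reads AuthnInstant (mandatory) and SessionNotOnOrAfter (optional) from the
# first AuthnStatement. idp_expiry is nil when the IdP sends no session limit.
def parse_authn_statement(xml)
  doc = REXML::Document.new(xml)
  stmt = REXML::XPath.first(doc, '//saml:AuthnStatement', 'saml' => SAML_NS)
  raise ArgumentError, 'assertion has no AuthnStatement' unless stmt

  idp_expiry = stmt.attributes['SessionNotOnOrAfter']
  {
    authn_instant: Time.iso8601(stmt.attributes['AuthnInstant']),
    idp_expiry: idp_expiry && Time.iso8601(idp_expiry)
  }
end

# Effective expiry is the earlier of the IdP's SessionNotOnOrAfter (when present)
# and the local 24h ceiling from AuthnInstant. Persisting this one timestamp with
# the GitLab session lets web and non-web paths apply the same check.
def effective_expiry(statement)
  local_expiry = statement[:authn_instant] + MAX_SESSION_SECONDS
  idp = statement[:idp_expiry]
  idp && idp < local_expiry ? idp : local_expiry
end

# true when the user must be sent back to the IdP before the action proceeds.
def reauth_required?(statement, now)
  now >= effective_expiry(statement)
end
```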
Links / references
Previous epic (basic SSO for groups): &40 (closed)