Provide metadata endpoint for Group SAML (for GitLab.com SSO)
What
Provide a URL where identity providers can retrieve SAML configuration metadata.
Why
Some identity providers require this to set SAML up, and with others there is an expectation that it will be provided for ease of use.
Relates to https://gitlab.com/gitlab-org/gitlab-ee/issues/5900
Challenges
- This needs to be enabled early on in the set up process so the identity provider can use it as a first step. Currently we only save a SamlProvider record once the fingerprint and other details have been saved, but instead we would need to require only that SAML is enabled for a group. This will require some refactoring of how we look up settings as well as database schema changes to allow a SamlProvider to be saved with required settings left blank.
- This endpoint requires access when not signed in, so it can potentially disclose the existence of a group. When a group doesn't have SAML enabled this endpoint should act the same as for a non-existing group. Once enabled it still shouldn't allow someone to determine whether a group exists by guessing the group name: one way to achieve this would be by requiring a token.
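The second challenge above is a classic enumeration problem: an unauthenticated endpoint keyed on a guessable name. The sketch below is an added example (not GitLab's code) of the response behaviour the issue asks for: a missing group, a group without SAML enabled, and a group with a wrong or absent token all produce the identical 404, and the token comparison is constant-time and runs on every path so existence does not leak through timing either. The in-memory GROUPS table, the token values, the base URL and the metadata URL layout are all assumptions made for the example; only the minimal SP metadata shape follows the SAML 2.0 metadata schema.

```ruby
# Constructed stand-in for the groups table (not GitLab's SamlProvider model).
# saml_enabled is the flag the issue proposes saving before the fingerprint and
# other provider details exist; metadata_token is the per-group secret suggested
# as the anti-enumeration measure.
GROUPS = {
  'acme' => { saml_enabled: true,  metadata_token: 'tok-acme-0123456789' },
  'beta' => { saml_enabled: false, metadata_token: 'tok-beta-0123456789' },
}.freeze

NOT_FOUND = [404, 'Not Found'].freeze

# Compared against when the group does not exist, so the same work is done on
# every path. Length is the same as real tokens (assumed convention).
DUMMY_TOKEN = 'tok-none-0000000000'.freeze

# Constant-time equality: no early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Group paths are restricted to a safe character set before being interpolated
# into XML attributes and URLs (assumed rule for this example).
def valid_group_path?(path)
  path.is_a?(String) && path.match?(/\A[a-z0-9][a-z0-9_.-]{0,254}\z/i)
end

# Minimal SAML 2.0 SP metadata document. The entityID and ACS path layout are
# assumptions for the example, not a statement of GitLab's actual routes.
def metadata_xml(group_path, base_url)
  entity_id = "#{base_url}/groups/#{group_path}"
  acs_url   = "#{base_url}/groups/#{group_path}/-/saml/callback"
  <<~XML
    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{entity_id}">
      <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{acs_url}" index="0" isDefault="true"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

# The unauthenticated endpoint. Returns [status, body].
def metadata_endpoint(group_path, token, base_url: 'https://gitlab.example')
  return NOT_FOUND unless valid_group_path?(group_path)
  group = GROUPS[group_path]
  # Always perform the comparison, even when the group is missing, so the
  # "no such group" and "wrong token" paths cost the same.
  expected = group ? group[:metadata_token] : DUMMY_TOKEN
  token_ok = token.is_a?(String) && secure_compare(expected, token)
  # One identical failure response for: missing group, SAML not enabled, bad token.
  return NOT_FOUND unless group && group[:saml_enabled] && token_ok
  [200, metadata_xml(group_path, base_url)]
end

if __FILE__ == $PROGRAM_NAME
  puts metadata_endpoint('acme', 'tok-acme-0123456789').last
  p metadata_endpoint('beta', 'tok-beta-0123456789')  # SAML off: same as missing
  p metadata_endpoint('nosuch', 'anything')            # missing group
end
```

Note that the 404 body is a shared frozen constant rather than a message built per case, so there is nothing in the response text to distinguish the three failure modes; the remaining differences an attacker could observe are limited to what the real web stack adds around it.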