Validate InResponseTo when linking Group SAML SSO
What
Before authorizing an identity provider (IdP) to log users in to GitLab.com we need to verify that the user initiated that request from GitLab rather than it coming directly from the IdP.
We can do this by validating that the InResponseTo field in the SAML response matches the unique ID we generated for the initial request. This means we first need to store that ID and then later retrieve it for comparison.
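The store-then-compare flow described above, as an added illustration that is not GitLab's code: a Hash stands in for the user's session, the SAML response XML is constructed inline, and the ID is consumed on first use so a captured response cannot be replayed.

```ruby
require 'securerandom'
require 'rexml/document'

SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'

# Step 1: when building the AuthnRequest, mint an unguessable ID and keep it
# server-side. `session` is a Hash standing in for the real session store.
def issue_request_id(session)
  id = "_#{SecureRandom.hex(16)}" # SAML IDs must start with a letter or underscore
  session[:saml_request_id] = id
  id
end

# Step 2: on the callback, compare InResponseTo with the stored ID.
# The stored ID is deleted whether or not it matches, so it is single-use.
def valid_in_response_to?(session, saml_response_xml)
  expected = session.delete(:saml_request_id)
  return false if expected.nil? # no outstanding request from this browser

  root = REXML::Document.new(saml_response_xml).root
  return false unless root && root.name == 'Response' && root.namespace == SAMLP_NS

  actual = root.attributes['InResponseTo']
  return false if actual.nil? || actual.empty? # unsolicited, IdP-initiated response
  secure_compare(actual, expected)
end

# Constant-time comparison so the check does not leak how much of the ID matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed minimal SAMLResponse; pass nil to omit InResponseTo entirely.
def sample_response(in_response_to)
  attr = in_response_to ? %( InResponseTo="#{in_response_to}") : ''
  <<~XML
    <samlp:Response xmlns:samlp="#{SAMLP_NS}" ID="_constructed" Version="2.0"#{attr}>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  XML
end

# Three scenarios: the genuine SP-initiated flow, an unsolicited response,
# and a response carrying an ID the user never asked for.
def demo
  s1 = {}; id = issue_request_id(s1)
  s2 = {}; issue_request_id(s2)
  s3 = {}; issue_request_id(s3)
  { sp_initiated: valid_in_response_to?(s1, sample_response(id)),
    unsolicited: valid_in_response_to?(s2, sample_response(nil)),
    mismatched: valid_in_response_to?(s3, sample_response('_constructed_other_id')) }
end
```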
Why
To prevent account hijacking.
A malicious user could otherwise set up a dummy group configured with their own IdP and trick users into clicking a link to a second server under their control. That server could then initiate or mimic an IdP-initiated request, causing the user's account to be linked to the attacker's IdP. They would then have the ability to log that user into GitLab.com on machines under their control, with full access to the user's account.