You Can Still Join Private Group Using SAML Authentication after Admin Disabled SAML
HackerOne report #482429 by ngalog
on 2019-01-19, assigned to estrike
Summary:
A group admin can disable or enable SAML SSO after configuring it.
I found that after proper configuration of SAML SSO, even when the owner of the group has disabled SAML, as in this screenshot, a user can still use SAML SSO to join this group as a member.
Steps To Reproduce:
- Log in to gitlab.com and visit https://gitlab.com/groups/serverless-group/-/saml/sso
- Click authorize
- Use test@gitlab.com: to log in
- You are now a member of my private group
- But my private group https://gitlab.com/serverless-group/ has disabled SAML authentication, as in the screenshot -- you can view as admin to double-check my claim
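The flaw in the steps above is that the group's SAML SSO endpoint keeps admitting members after the admin has switched SAML off. The Ruby model below is an added example, not GitLab's code: the `Group`, `SamlProvider`, and `join_via_saml_*` names are hypothetical, and it contrasts a join handler that only checks whether SAML was ever configured with one that also honours the admin's enabled flag.

```ruby
require 'set'

# Hypothetical model of a group's SAML settings: "configured" means the
# admin once set up the identity provider; "enabled" is the toggle the
# admin can later switch off.
SamlProvider = Struct.new(:configured, :enabled, keyword_init: true)

class Group
  attr_reader :name, :members, :saml_provider

  def initialize(name, saml_provider)
    @name = name
    @saml_provider = saml_provider
    @members = Set.new
  end
end

# Vulnerable pattern: the SSO callback only asks whether SAML was
# configured, so a disabled provider still hands out group membership.
def join_via_saml_unchecked(group, user_email)
  provider = group.saml_provider
  return :saml_not_configured unless provider&.configured

  group.members << user_email
  :joined
end

# Hardened pattern: the same enabled flag that hides SAML in the group
# settings also gates the SSO callback, so a disabled provider admits no one.
def join_via_saml_checked(group, user_email)
  provider = group.saml_provider
  return :saml_not_configured unless provider&.configured
  return :saml_disabled unless provider.enabled

  group.members << user_email
  :joined
end

# Constructed scenario mirroring the report: SAML was configured for the
# group, then the admin disabled it.
def disabled_saml_group
  Group.new('serverless-group',
            SamlProvider.new(configured: true, enabled: false))
end
```

Running both handlers against `disabled_saml_group` shows the unchecked version still returns `:joined` while the checked version refuses with `:saml_disabled` and leaves the member set empty.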
Impact
You Can Still Join Private Group Using SAML Authentication after Admin Disabled SAML