Prevent access to Group SAML metadata/SLO endpoints
Why
The metadata endpoint allows an anonymous user to determine that the group exists, requiring some work for us to securely support.
The single log out endpoints are untested and shouldn't be enabled on GitLab.com without a more thorough review. They might also reveal group existence. Given that the instance-wide SLO endpoints don't work, they are also unlikely to provide any user benefit.
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary. This feature is behind both a cookie and configuration flag to mark it as beta.
- Documentation created/updated
- Tests added for this feature/bug
- Conform by the code review guidelines
- Has been reviewed by a Backend maintainer
- End-to-end tests pass (package-qa manual pipeline job)
What are the relevant issue numbers?
Edited by Nick Thomas