Group SAML SSO is not enforced when viewing Pages
Summary
Related to gitlab#297389, it appears that SAML SSO is not enforced when viewing GitLab Pages sites, even when the relevant setting is enabled at the group level.
Steps to reproduce
- As a GitLab team member, log in to gitlab.com without using Okta
- Visit https://internal-handbook.gitlab.io/
- Note that you were able to view the site without SAML auth
- Click the "Edit this page" button
- Note that you cannot view the Web IDE / repo because you are not authenticated via SAML
Example Project
https://gitlab.com/internal-handbook/internal-handbook.gitlab.io
What is the current bug behavior?
Inconsistency in auth requirements for the repo and published site. It appears that sites can always be viewed no matter how you are authenticated with GitLab, even if the group/project has more strict requirements.
What is the expected correct behavior?
Authentication is consistent and correctly enforced. Team members have found it confusing that it is even possible to be authenticated in one context and not another. The "Edit this page" Web IDE link on the internal handbook results in a 404 for non-SAML authenticated users, which makes it seem broken.
~"devops::release" ~"group::release" Category:Pages