SAML integration tests

As we are shipping SAML integration as part of 11.0, we should invest the time to automate SAML integration tests.

Authentication ranks high in priority alongside ACLs (Access Control Lists) for enterprise, and we should guard against regressions in this functionality.

Since this is an integration test, we will need to set up the building blocks and an Identity Provider for testing.

In the basic scenario we will need:

  • An identity provider (a hosted service is preferred to lessen setup time)
  • API clients that can set up and tear down SAML users and groups for each test scenario
  • Configure the GitLab SAML integration (this takes the form of a SAML assertion)
    • Since the test should run in CI, this has to be configured for a fresh GitLab install in CI
    • We would also want to run the same tests in staging
  • Automate the tests using the new users provisioned by Okta
    • Generic sanity test flow
      1. Set up a user and group
      2. Authenticate to GitLab via the assigned Organization that has the SAML users
      3. GitLab redirects the login to Okta
      4. User authenticates with Okta, then gets redirected to GitLab
      5. User ends up in GitLab and can use functionality
    • There are other things we should check for
      • User should be authenticated to the correct SAML Group & Organization
      • What happens when an Org does not have SAML set up: do we fall back to normal GitLab login?
      • Disabling a SAML user in the Identity Provider should prevent that user from logging in to GitLab
      • etc.
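As an added example (not code from this issue or from GitLab QA), the kind of check a sanity test could run on the SAML response that the IdP posts back in step 4, verifying that the right user lands in the right SAML group and Organization and that the assertion is within its validity window. The sample response, the issuer URL, the audience URL and the `groups` attribute name are constructed assumptions for illustration.

```ruby
require 'rexml/document'
require 'time'

NS = { 'saml2' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed, unsigned sample of what an IdP posts back to GitLab (trimmed).
SAMPLE_RESPONSE = <<~XML
  <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Assertion>
      <saml2:Issuer>http://www.okta.com/exampleIdpId</saml2:Issuer>
      <saml2:Subject><saml2:NameID>test.user@example.com</saml2:NameID></saml2:Subject>
      <saml2:Conditions NotBefore="2018-06-01T00:00:00Z" NotOnOrAfter="2018-06-01T00:05:00Z">
        <saml2:AudienceRestriction>
          <saml2:Audience>https://gitlab.example.com/groups/saml-test-org</saml2:Audience>
        </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AttributeStatement>
        <saml2:Attribute Name="groups">
          <saml2:AttributeValue>gitlab-developers</saml2:AttributeValue>
          <saml2:AttributeValue>gitlab-admins</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
  </saml2p:Response>
XML

# Extract the fields a sanity test cares about from the SAML response.
def parse_saml_assertion(xml)
  a = REXML::XPath.first(REXML::Document.new(xml), '//saml2:Assertion', NS)
  cond = REXML::XPath.first(a, 'saml2:Conditions', NS)
  groups_xpath = "saml2:AttributeStatement/saml2:Attribute[@Name='groups']/saml2:AttributeValue"
  {
    issuer: REXML::XPath.first(a, 'saml2:Issuer', NS).text,
    name_id: REXML::XPath.first(a, 'saml2:Subject/saml2:NameID', NS).text,
    audience: REXML::XPath.first(cond, 'saml2:AudienceRestriction/saml2:Audience', NS).text,
    not_before: Time.parse(cond.attributes['NotBefore']),
    not_on_or_after: Time.parse(cond.attributes['NotOnOrAfter']),
    groups: REXML::XPath.match(a, groups_xpath, NS).map(&:text)
  }
end

# Returns the list of failed checks; an empty list means the login matches the scenario.
def check_saml_login(xml, issuer:, audience:, user:, group:, now:)
  a = parse_saml_assertion(xml)
  failures = []
  failures << "issuer #{a[:issuer]} is not the configured IdP" unless a[:issuer] == issuer
  failures << "audience #{a[:audience]} is not this GitLab org" unless a[:audience] == audience
  failures << "unexpected user #{a[:name_id]}" unless a[:name_id] == user
  failures << "user is not in SAML group #{group}" unless a[:groups].include?(group)
  failures << 'assertion outside validity window' unless now >= a[:not_before] && now < a[:not_on_or_after]
  failures
end
```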

/cc @jeremy_ @axil