
Avoid double 2FA when Group SAML has appropriate AuthnContextClassRef on GitLab.com


What

Skip 2FA when a Group SAML identity provider asserts that the user has already completed 2FA on its side. The assertion carries this in the AuthnContextClassRef element of the SAML response, which can be set to values such as SecondFactorIGTOKEN or SecondFactorOTPSMS.

Why

Users who have already completed 2FA on the identity provider side should not be prompted for 2FA a second time by GitLab.

Self-hosted GitLab using an instance-wide SAML configuration can already use AuthnContextClassRef following https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19651
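As an added illustration of the check described under "What" (example code, not GitLab's own implementation): extract the AuthnContextClassRef values from a SAML assertion and skip the local 2FA prompt only when one of them exactly matches a configured allow-list, and only after the response's signature has been validated. The allow-list contents, the sample assertion and the `signature_valid:` flag are constructed for this example.

```ruby
require 'rexml/document'
require 'rexml/xpath'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Values the group owner has allow-listed as "the IdP already enforced a second factor".
# The two strings are the ones named in the issue; the set itself is a constructed example.
UPSTREAM_2FA_CONTEXT_CLASSES = %w[SecondFactorIGTOKEN SecondFactorOTPSMS].freeze

# Return every AuthnContextClassRef in the assertion (an assertion may carry
# more than one AuthnStatement, so we collect all of them).
def authn_context_class_refs(assertion_xml)
  doc = REXML::Document.new(assertion_xml)
  path = '//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef'
  REXML::XPath.match(doc, path, SAML_NS).map { |node| node.text.to_s.strip }
end

# Decide whether GitLab's own 2FA prompt may be skipped for this login.
# signature_valid: outcome of the SAML library's signature/issuer/audience
# validation, which must succeed before anything inside the assertion is trusted.
def skip_gitlab_2fa?(assertion_xml, signature_valid:, allowed: UPSTREAM_2FA_CONTEXT_CLASSES)
  return false unless signature_valid

  # Exact string comparison only: no prefix or substring matching, so a
  # lookalike class reference cannot satisfy the check.
  authn_context_class_refs(assertion_xml).any? { |ref| allowed.include?(ref) }
end

# Constructed fixture (not an XML builder): a minimal assertion with one AuthnStatement.
def assertion_with(context_class)
  <<~XML
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <saml:AuthnStatement AuthnInstant="2019-01-01T00:00:00Z">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>#{context_class}</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  XML
end

if $PROGRAM_NAME == __FILE__
  puts skip_gitlab_2fa?(assertion_with('SecondFactorOTPSMS'), signature_valid: true)   # true
  puts skip_gitlab_2fa?(assertion_with('SecondFactorOTPSMS'), signature_valid: false)  # false
end
```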
