Self-managed SAML - bypass 2 factor authentication - don't require GitLab 2FA to exist
Summary
Found this issue after discovering #35792 (closed) and forgot to write this one up!
Let's say an administrator enables both of these settings: SAML - Bypass 2 factor authentication and Enforcing 2FA for all users.
If a user then logs in via their SAML provider, which has its own 2FA, and succeeds, they are redirected back to GitLab. If the user hasn't set up GitLab 2FA, they are then asked to set it up.
The whole point of the SAML bypass 2 factor authentication setting is that the user doesn't have to perform 2FA twice, but in effect GitLab still requires its own 2FA to be set up.
If the user does have GitLab 2FA set up, then SAML - Bypass 2 factor authentication works as expected.
Steps to reproduce
- Enable SAML - Bypass 2 factor authentication and Enforcing 2FA for all users
- Open an incognito window and sign into GitLab via a SAML provider with a user that does not exist in GitLab yet (and has SAML 2FA setup)
- Complete authentication in the SAML provider login (and complete 2FA)
- GitLab then displays the below instead of redirecting to the home page (or referrer)
The global settings require you to enable Two-Factor Authentication for your account. You need to do this before <DATE>
What is the current bug behavior?
If SAML - Bypass 2 factor authentication and Enforcing 2FA for all users are both enabled, a user completes the SAML provider's 2FA, and GitLab 2FA is not set up, the user is prompted to set up GitLab 2FA.
What is the expected correct behavior?
If SAML - Bypass 2 factor authentication and Enforcing 2FA for all users are both enabled, a user completes the SAML provider's 2FA, and GitLab 2FA is not set up, this should not matter: the user has already passed the 2FA requirement and should be redirected to the home page (or referrer).
Output of checks
Unable to test on GitLab.com.
Results of GitLab environment info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 3.2.12
Git Version: 2.24.1
Sidekiq Version: 5.2.7
Go Version: unknown

GitLab information
Version: 12.6.2-ee
Revision: cf39803b81f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.9
URL: https://gitlab.domain
HTTP Clone URL: https://gitlab.domain/some-group/some-project.git
SSH Clone URL: git@gitlab.domain:some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: saml, google_oauth2, github

GitLab Shell Version: 10.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Possible fixes
There are several ways we should go about addressing this:
- Make it clear in the documentation that if you enable SAML - Bypass 2 factor authentication that users will require a GitLab 2FA code setup on all GitLab user accounts. I'm not sure if this is intended behaviour or a bug, so I've created this issue. If the documentation just needs to be fixed up, please ping me and I can update the docs.
- If SAML - Bypass 2 factor authentication and Enforcing 2FA for all users are both enabled, then GitLab should recognize that 2FA was completed at the SAML provider and not force the user to set up a GitLab 2FA code if they don't have one.
- Or should we add a bool in gitlab.rb allowing administrators to customize this behaviour?
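As an added illustration (not GitLab's own code), the decision described under current vs. expected behavior and the second proposed fix, modelled in Ruby. The settings and user structs, the session key saml_provider_2fa_verified and the redirect path are assumptions made for this example; the sample settings, user and session are constructed.

```ruby
# Hypothetical model of the 2FA enforcement decision discussed in this issue.
# None of these names are GitLab's: Settings, User, the session key and the
# redirect path are assumptions made for illustration only.

Settings = Struct.new(:require_two_factor_authentication, :saml_bypass_two_factor,
                      keyword_init: true)
User = Struct.new(:username, :two_factor_enabled, keyword_init: true)

# Current (reported) behaviour: only GitLab's own 2FA satisfies the global
# requirement, so a user who just completed 2FA at the SAML provider is still
# sent to the "set up 2FA" page. The session is ignored entirely.
def two_factor_setup_required_current(settings, user, _session)
  return false unless settings.require_two_factor_authentication

  !user.two_factor_enabled
end

# Expected behaviour (second proposed fix): when the admin enabled the SAML
# bypass AND the session records that the provider verified 2FA, the global
# requirement is treated as satisfied. Either condition missing (bypass off,
# or a password/non-SAML login) falls back to requiring GitLab 2FA.
def two_factor_setup_required_expected(settings, user, session)
  return false unless settings.require_two_factor_authentication
  return false if user.two_factor_enabled

  saml_verified = settings.saml_bypass_two_factor && session[:saml_provider_2fa_verified]
  !saml_verified
end

# Where the user lands after SAML sign-in under a given decision function.
def post_login_redirect(decider, settings, user, session, referrer: '/')
  if send(decider, settings, user, session)
    '/setup-2fa' # constructed placeholder for the "set up 2FA" page
  else
    referrer
  end
end

# Constructed sample matching the reproduction steps: both settings enabled,
# a new user without GitLab 2FA, and a session showing the provider did 2FA.
SETTINGS = Settings.new(require_two_factor_authentication: true, saml_bypass_two_factor: true)
NEW_USER = User.new(username: 'alice', two_factor_enabled: false)
SAML_SESSION = { saml_provider_2fa_verified: true }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "current:  #{post_login_redirect(:two_factor_setup_required_current, SETTINGS, NEW_USER, SAML_SESSION)}"
  puts "expected: #{post_login_redirect(:two_factor_setup_required_expected, SETTINGS, NEW_USER, SAML_SESSION)}"
end
```

Run as a script it prints /setup-2fa for the current logic and / for the expected logic on the same input. The check in the expected version deliberately keys on both the admin setting and a per-session marker, so a login that did not go through the SAML provider still has to satisfy the global 2FA requirement.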