Discuss alternatives to 7-day SSO session recheck


Currently, when using SSO Enforcement as part of Group SAML, we recheck a user's SAML SSO session every 7 days.

From the docs:

With this option enabled, users must use your group’s GitLab single sign on URL to be added to the group or be added via SCIM. Users cannot be added manually, and may only access project/group resources via the UI by signing in through the SSO URL.

However, users will not be prompted to log in via SSO on each visit. GitLab will check whether a user has authenticated through the SSO link, and will only prompt the user to log in via SSO if it has been longer than 7 days.

Customers are asking us to consider whether there's a better way to handle this that relies more on the SSO provider.

See our discussion on another issue at https://gitlab.com/gitlab-org/gitlab/-/issues/199414#note_322917757. Basically, there was concern that there was a bug, which we ruled out. But now we should discuss whether this is the best option going forward.
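To make the two options concrete, here is an added example (not GitLab's own code) that puts the fixed 7-day recheck described above next to a variant that also honours the identity provider's own session end. It assumes the provider signals that end through the SAML `SessionNotOnOrAfter` attribute on the assertion's `AuthnStatement`; the assertion fragment is constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

RECHECK_WINDOW = timedelta(days=7)  # fixed window described in the issue
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment for the demo; not a real IdP response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-03-01T09:00:00Z"
                       SessionNotOnOrAfter="2024-03-01T17:00:00Z"/>
</saml:Assertion>"""


def parse_ts(value: str) -> datetime:
    # SAML timestamps are UTC xs:dateTime values with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_authn_statement(xml_text: str) -> Tuple[datetime, Optional[datetime]]:
    """Return (AuthnInstant, SessionNotOnOrAfter or None) from the AuthnStatement."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    authn_instant = parse_ts(stmt.attrib["AuthnInstant"])
    session_end = stmt.attrib.get("SessionNotOnOrAfter")
    return authn_instant, (parse_ts(session_end) if session_end else None)


def sso_recheck_due(last_sso_auth: datetime, idp_session_end: Optional[datetime],
                    now: datetime, window: timedelta = RECHECK_WINDOW) -> bool:
    """Decide whether the user must sign in through the SSO URL again.

    With idp_session_end=None this is the current behaviour: re-prompt only once
    the last SSO sign-in is older than the window. When the IdP supplied a session
    end, the earlier of the two deadlines wins, so the window stays an upper bound.
    """
    deadline = last_sso_auth + window
    if idp_session_end is not None and idp_session_end < deadline:
        deadline = idp_session_end
    return now >= deadline


if __name__ == "__main__":
    authn_at, idp_end = parse_authn_statement(SAMPLE_ASSERTION)
    check_at = parse_ts("2024-03-01T18:00:00Z")
    print("fixed 7-day policy:", sso_recheck_due(authn_at, None, check_at))     # False
    print("IdP-driven policy:", sso_recheck_due(authn_at, idp_end, check_at))  # True
```

Nine hours after the sample sign-in the fixed policy still trusts the session, while the IdP-driven variant already asks for a fresh SSO sign-in because the provider's session ended at 17:00.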
