GitLab as SSO provider authenticates the user before enforced MFA is configured.
Summary
When GitLab is configured to act as an SSO provider and MFA is enforced for every user, it redirects to the client application before showing the MFA configuration page. Version 10.6 is the last version where the behavior is correct.
Steps to reproduce
- Affects every GitLab version since 10.7.
- Configure GitLab as the SSO provider for an application.
- Enforce MFA for every user.
- Set the grace period to "0".
- Open client application and log in.
- Enter the user's credentials on GitLab's sign-in page.
- GitLab authenticates the user and redirects them to the client application without forcing MFA configuration.
What is the current bug behavior?
See Steps to reproduce.
What is the expected correct behavior?
GitLab should enforce MFA configuration for the account before authenticating the user and providing the authenticated session to the client application.
It performs correctly in version 10.6.
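Until the provider enforces MFA before the redirect, a relying party can compensate by checking the account's second-factor state itself. The following is an added example, not GitLab's code or part of this report: after the OAuth flow completes, the client application calls GitLab's `GET /api/v4/user` endpoint, reads the `two_factor_enabled` field of the response, and refuses to open a local session unless it is true. The GitLab host and the sample responses are constructed for illustration.

```python
import json
import urllib.request
from typing import Tuple

# Assumed GitLab instance; replace with the real SSO provider host.
GITLAB_USER_ENDPOINT = "https://gitlab.example.com/api/v4/user"


def fetch_current_user(access_token: str, endpoint: str = GITLAB_USER_ENDPOINT) -> dict:
    """Call GitLab's /user endpoint with the OAuth access token and return the JSON body."""
    req = urllib.request.Request(
        endpoint, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def mfa_gate(user: dict) -> Tuple[bool, str]:
    """Decide whether the relying party may establish a session for this account.

    Fails closed: a missing or non-boolean 'two_factor_enabled' value is treated
    exactly like an account that has not configured a second factor.
    """
    if user.get("state") != "active":
        return False, "account is not active"
    if user.get("two_factor_enabled") is not True:
        return False, "GitLab reports no second factor configured for this account"
    return True, "ok"


# Constructed sample responses, not captured from a real GitLab instance.
SAMPLE_WITH_MFA = {"id": 42, "username": "alice", "state": "active", "two_factor_enabled": True}
SAMPLE_WITHOUT_MFA = {"id": 43, "username": "bob", "state": "active", "two_factor_enabled": False}
SAMPLE_FIELD_MISSING = {"id": 44, "username": "carol", "state": "active"}

if __name__ == "__main__":
    # In a real deployment the dict would come from fetch_current_user(token).
    for sample in (SAMPLE_WITH_MFA, SAMPLE_WITHOUT_MFA, SAMPLE_FIELD_MISSING):
        allowed, reason = mfa_gate(sample)
        print(f"{sample['username']}: {'allow' if allowed else 'deny'} ({reason})")
```

Only the account whose response carries `two_factor_enabled: true` is allowed through; the account without a second factor and the response lacking the field are both denied.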