<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=297389) </details> <!--IssueSummary end--> ### Problem to solve While we're [enforcing SSO](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291), we should similarly enforce SSO outside of the GitLab UI. For the purposes of security, this gives enterprises a greater degree of control over protected resources. ### Proposal We should perform the same check on API activity that we do in the [UI](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291): * When a user attempts an API action in a group that's enforcing SSO: * If the represented user does not meet the [SSO login threshold](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291), present them with an error: ``"Cannot find valid SSO session. Please login via your group's SSO at #{group_saml_url}"`` * This change should be a configuration option at the group level. * Credentials that are not tied to human users should not have an SSO check enforces (Project Access token, deploy keys, etc). ### Iteration plan 1. Introduce a new configuration option at the group level. This option should be disabled by default for existing and new SAML setups:  2. If user attempts an API action in a group that's enforcing SSO, and the represented user does not meet the SSO login threshold, present them with an error: ``"Cannot find valid SSO session. Please login via your group's SSO at #{group_saml_url}" 3. Credentials that are not tied to human users should not have an SSO check enforces (Project Access token, deploy keys, etc). ### Availability & Testing <!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance. * Unit test changes * Integration test changes * End-to-end test change See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning --> **What risks does this change pose to our availability?** A potential risk to account access: Users/bots may lose access incase we default enable the enforce SSO for API activity for all existing accounts that use PAT for automated access. **What additional test coverage or changes to tests will be needed?** * Ensure the feature is off by default * Ensure Project access tokens (for bot users) are exempt from this enforcement. * Ensure Personal access tokens are NOT exempt from this enforcement. Also, we should be adding end-to-end tests coverage for this feature.