Skip to content

Group SAML - Scheduled Pipelines Cannot Find Valid SSO Session

Summary

GitLab recently enabled a SSO status check for Git activity which can be enabled/disabled in the Group SAML Settings:

Enforce SSO-only authentication for Git and Dependency Proxy activity for this group

When this setting is enabled, it may have a negative impact on scheduled pipelines. Scheduled pipelines are executed by the user who created the schedule. However if the users SSO session (1 day) expires, their pipeline will fail with the following error:

Cannot find valid SSO session. Please login via your group's SSO

This is presumably because by default, Git Strategy is set to Fetch or Clone in the projects CI/CD settings. Therefore every pipeline that is executed will execute Git operations that cause the pipeline to fail if the SSO session is expired.

Steps to reproduce

  1. Configure Group SAML SSO
  2. Enable Enforce SSO-only authentication for Git and Dependency Proxy activity for this group
  3. Create a scheduled pipeline
  4. Allow the SSO Session to expire for the user who created the scheduled pipeline
  5. Review Job Log for scheduled pipeline and note the Cannot find valid SSO session error

What is the current bug behavior?

Scheduled pipelines fail when SSO session expires and the following setting is enabled in the SAML SSO settings:

Enforce SSO-only authentication for Git and Dependency Proxy activity for this group

What is the expected correct behavior?

Scheduled pipelines should be able to successfully run regardless of the SAML SSO session when the Enforce SSO-only authentication for Git settings is enabled.

Alternatively, an option to disable this setting for specific projects and/or scheduled pipelines.

Relevant logs and/or screenshots

Getting source from Git repository 00:00
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /path/to/project/.git/
remote: Cannot find valid SSO session. Please login via your group's SSO at https://gitlab.com/groups/project/-/saml/sso?token=########
fatal: unable to access 'https://gitlab.com/path/to/project.git/': The requested URL returned error: 403

Output of checks

This bug happens on GitLab.com

Possible Workarounds

  1. Disable the Enforce SSO-only authentication for Git and Dependency Proxy activity for this group setting
  2. Transfer the ownership of the pipeline schedule to a Group owner user: #339888 (comment 684201327)
  3. If the pipeline does not require Git operations, use a variable to set GIT_STRATEGY: none
Edited by Harsh Chouraria